[nsp-sec] Potential DoS data for 89.45.193.200 and 204.188.216.183
Mike Tancsa
mike at sentex.net
Thu Dec 16 16:01:33 EST 2010
On 12/16/2010 2:27 PM, Buraglio, Nicholas D wrote:
> ----------- nsp-security Confidential --------
>
> I'm looking for data that anyone can provide us on the addresses 89.45.193.200 from 11:43:23 to 11:53:22 and 204.188.216.183 from 11:38:44 to 11:48:45. All times are GMT -6. We (AS38 in this case) believe we were the source of a port 80 DoS attack toward those two hosts. Specifically, I'm looking for any other networks sourcing to those addresses during this same timeframe. We saw a very large amount of single packet flows in a relatively short amount of time and are trying to drill down if we were part of something larger.
>
> AS | IP | AS Name
> 34358 | 89.45.193.200 | CLAXTELECOM CLAX TELECOM SRL
>
> AS | IP | AS Name
> 46844 | 204.188.216.183 | ST-BGP - SHARKTECH INTERNET SERVICES

I see the odd bit of back scatter... Sheesh, is it spoof Sentex's IP space today?!?! Oh wait, that's every day :(

ra -t 12 -L0 -Zb -nr argus-sites-radium - host 204.188.216.183 or host 89.45.193.200 and not udp
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
12-16 12:38:07.006 Ne tcp 204.188.216.183.80 -> 199.71.252.19.19463 7 308 SA_
12-16 12:38:38.998 Ne tcp 204.188.216.183.80 -> 199.71.252.19.19463 1 44 SA_
12-16 12:40:45.136 Ne tcp 204.188.216.183.80 ?> 67.43.137.90.26637 1 44 RA_
12-16 12:42:13.626 e tcp 204.188.216.183.80 ?> 67.43.143.58.30740 1 60 RA_
12-16 12:43:25.849 Ne tcp 204.188.216.183.80 ?> 199.85.118.0.20796 1 44 RA_
12-16 12:43:57.804 e tcp 204.188.216.183.80 ?> 98.159.242.91.38531 1 60 RA_
12-16 12:44:59.314 * tcp 204.188.216.183.80 ?> 64.7.133.47.56335 1 62 RA_
12-16 12:44:59.314 e tcp 204.188.216.183.80 ?> 64.7.133.47.56335 1 60 RA_
12-16 12:47:42.302 Ne tcp 204.188.216.183.80 ?> 64.7.136.98.21575 1 44 RA_
12-16 12:48:55.057 e tcp 89.45.193.200.80 -> 98.159.242.82.41034 1 60 SA_
12-16 12:49:17.085 e tcp 89.45.193.200.80 -> 67.43.130.62.4764 2 118 SA_RA
12-16 12:50:27.741 e tcp 89.45.193.200.80 -> 64.7.156.122.56179 1 60 SA_
12-16 12:50:55.086 e tcp 89.45.193.200.80 -> 67.43.143.82.52142 1 60 SA_
12-16 12:50:49.010 Ne tcp 89.45.193.200.80 -> 198.73.240.58.15192 1 40 SA_
12-16 12:51:43.726 e tcp 89.45.193.200.80 -> 64.7.157.126.6665 1 60 SA_
12-16 12:52:50.225 Ne tcp 89.45.193.200.80 -> 67.43.136.67.48341 1 40 SA_
---Mike
>
> Thanks,
>
> nb
>
> ---
> Nick Buraglio
> Network Engineer
> University of Illinois CITES / ICCN
> GPG key 0x2E5B44F4
> Phone: 217.244.6428
> buraglio at illinois.edu
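As an added example (not part of the original thread or of either poster's tooling), the Python below groups reply-only TCP flows like those in the ra output above by the host that emitted them, which is how backscatter from a spoofed-source flood shows up at a third-party network. It assumes the State column is source-flags_destination-flags as printed with -Zb; the function names and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the ra output above
# (documentation address ranges, not data from the thread).
SAMPLE = """\
12-16 12:38:07.006 Ne tcp 203.0.113.10.80 -> 192.0.2.19.19463 7 308 SA_
12-16 12:40:45.136 Ne tcp 203.0.113.10.80 ?> 192.0.2.90.26637 1 44 RA_
12-16 12:42:13.626 e tcp 203.0.113.10.80 ?> 198.51.100.58.30740 1 60 RA_
12-16 12:48:55.057 e tcp 203.0.113.77.80 -> 198.51.100.82.41034 1 60 SA_
12-16 12:49:17.085 e tcp 203.0.113.77.80 -> 192.0.2.62.4764 2 118 SA_RA
12-16 12:50:01.000 e tcp 192.0.2.5.51000 -> 203.0.113.77.80 9 4120 FSPA_FSPA
"""

# Parse from the protocol column onward so a missing Flgs column does not matter.
FLOW = re.compile(
    r"(?P<proto>\S+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+(?P<dir>\S+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)\s*$"
)

def summarize(text, service_port=80):
    """Group backscatter by the host that emitted it (the likely DoS target)."""
    out = defaultdict(lambda: {"flows": 0, "pkts": 0, "spoofed": set()})
    for line in text.splitlines():
        m = FLOW.search(line)
        if not m or m["proto"] != "tcp" or int(m["sport"]) != service_port:
            continue
        # Assumption: state is "<src flags>_<dst flags>" (ra -Zb).
        src_flags, _, dst_flags = m["state"].partition("_")
        # Server sent only SYN-ACK or RST, and our side never sent a SYN:
        # the server is answering a packet that carried our address as source.
        if src_flags in {"SA", "RA", "R"} and "S" not in dst_flags:
            entry = out[m["src"]]
            entry["flows"] += 1
            entry["pkts"] += int(m["pkts"])
            entry["spoofed"].add(m["dst"])  # local address that was spoofed
    return dict(out)

if __name__ == "__main__":
    for victim, v in summarize(SAMPLE).items():
        print(victim, v["flows"], "flows,", v["pkts"], "pkts, spoofed sources:",
              ", ".join(sorted(v["spoofed"])))
```

The per-target list of local addresses is the part worth sharing with the requesting network, since it shows which of your prefixes were used as spoofed sources during the window.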