[nsp-sec] Potential DoS data for 89.45.193.200 and 204.188.216.183
Buraglio, Nicholas D
buraglio at illinois.edu
Thu Dec 16 21:34:24 EST 2010
This is all good info, thanks. We believe we have found and removed the source of the traffic from AS38.
nb
---
Nick Buraglio
Network Engineer
University of Illinois CITES / ICCN
GPG key 0x2E5B44F4
Phone: 217.689.4254
buraglio at illinois.edu
On Dec 16, 2010, at 3:01 PM, Mike Tancsa wrote:
> On 12/16/2010 2:27 PM, Buraglio, Nicholas D wrote:
>> ----------- nsp-security Confidential --------
>>
>> I'm looking for data that anyone can provide us on the addresses 89.45.193.200 from 11:43:23 to 11:53:22 and 204.188.216.183 from 11:38:44 to 11:48:45. All times are GMT-6. We (AS38 in this case) believe we were the source of a port 80 DoS attack toward those two hosts. Specifically, I'm looking for any other networks sourcing to those addresses during this same timeframe. We saw a very large number of single-packet flows in a relatively short amount of time and are trying to drill down on whether we were part of something larger.
>>
>> AS | IP | AS Name
>> 34358 | 89.45.193.200 | CLAXTELECOM CLAX TELECOM SRL
>>
>> AS | IP | AS Name
>> 46844 | 204.188.216.183 | ST-BGP - SHARKTECH INTERNET SERVICES
>
> I see the odd bit of backscatter... Sheesh, is it spoof Sentex's IP space today?!?! Oh wait, that's every day :(
>
> ra -t 12 -L0 -Zb -nr argus-sites-radium - host 204.188.216.183 or host 89.45.193.200 and not udp
> StartTime           Flgs  Proto  SrcAddr Sport        Dir  DstAddr Dport         TotPkts  TotBytes  State
> 12-16 12:38:07.006  Ne    tcp    204.188.216.183.80   ->   199.71.252.19.19463   7        308       SA_
> 12-16 12:38:38.998  Ne    tcp    204.188.216.183.80   ->   199.71.252.19.19463   1        44        SA_
> 12-16 12:40:45.136  Ne    tcp    204.188.216.183.80   ?>   67.43.137.90.26637    1        44        RA_
> 12-16 12:42:13.626  e     tcp    204.188.216.183.80   ?>   67.43.143.58.30740    1        60        RA_
> 12-16 12:43:25.849  Ne    tcp    204.188.216.183.80   ?>   199.85.118.0.20796    1        44        RA_
> 12-16 12:43:57.804  e     tcp    204.188.216.183.80   ?>   98.159.242.91.38531   1        60        RA_
> 12-16 12:44:59.314  *     tcp    204.188.216.183.80   ?>   64.7.133.47.56335     1        62        RA_
> 12-16 12:44:59.314  e     tcp    204.188.216.183.80   ?>   64.7.133.47.56335     1        60        RA_
> 12-16 12:47:42.302  Ne    tcp    204.188.216.183.80   ?>   64.7.136.98.21575     1        44        RA_
> 12-16 12:48:55.057  e     tcp    89.45.193.200.80     ->   98.159.242.82.41034   1        60        SA_
> 12-16 12:49:17.085  e     tcp    89.45.193.200.80     ->   67.43.130.62.4764     2        118       SA_RA
> 12-16 12:50:27.741  e     tcp    89.45.193.200.80     ->   64.7.156.122.56179    1        60        SA_
> 12-16 12:50:55.086  e     tcp    89.45.193.200.80     ->   67.43.143.82.52142    1        60        SA_
> 12-16 12:50:49.010  Ne    tcp    89.45.193.200.80     ->   198.73.240.58.15192   1        40        SA_
> 12-16 12:51:43.726  e     tcp    89.45.193.200.80     ->   64.7.157.126.6665     1        60        SA_
> 12-16 12:52:50.225  Ne    tcp    89.45.193.200.80     ->   67.43.136.67.48341    1        40        SA_
>
> ---Mike
>
>>
>> Thanks,
>>
>> nb
>>
>> ---
>> Nick Buraglio
>> Network Engineer
>> University of Illinois CITES / ICCN
>> GPG key 0x2E5B44F4
>> Phone: 217.244.6428
>> buraglio at illinois.edu
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>
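Mike's ra query above pulls the backscatter out by eye: reply-only, header-sized flows from the victims' port 80 to scattered high ports on addresses that never sent a SYN, which is exactly what a spoofed SYN flood looks like from the network whose addresses were forged. The script below is an added example written for this thread (not part of the original messages, not Argus tooling) that parses records in the column layout of the quoted ra output, separates such reply-only flows from normal connections, groups them by the replying host, and restricts them to the window Nick asked for. The sample records are constructed: they reuse a few of the addresses from Mike's output plus one made-up normal connection on documentation-range addresses for contrast. The year (2010) and the one-hour offset between the GMT-6 times in the request and the sensor clock (Mike's mail is stamped EST) are assumptions.

```python
"""Separate DoS backscatter from real connections in argus 'ra' output.

Added example for this thread, not part of the original messages and not
Argus tooling. When a SYN flood uses forged source addresses, the victim
answers every forged SYN with a SYN-ACK (and, when nothing follows, a
RST-ACK). The network whose addresses were forged then sees reply-only,
header-sized flows from the victim's service port to random high ports.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "start flags proto src sport dst dport pkts nbytes state")

# Constructed sample in the column layout of the quoted ra output
# (StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State).
# The last record is a made-up normal HTTPS connection added for contrast.
SAMPLE_RA_OUTPUT = """\
12-16 12:38:07.006  Ne  tcp  204.188.216.183.80  ->  199.71.252.19.19463   7  308   SA_
12-16 12:40:45.136  Ne  tcp  204.188.216.183.80  ?>  67.43.137.90.26637    1   44   RA_
12-16 12:42:13.626   e  tcp  204.188.216.183.80  ?>  67.43.143.58.30740    1   60   RA_
12-16 12:48:55.057   e  tcp  89.45.193.200.80    ->  98.159.242.82.41034   1   60   SA_
12-16 12:49:17.085   e  tcp  89.45.193.200.80    ->  67.43.130.62.4764     2  118   SA_RA
12-16 12:50:27.741   e  tcp  89.45.193.200.80    ->  64.7.156.122.56179    1   60   SA_
12-16 12:51:02.113   e  tcp  192.0.2.10.443      ->  198.51.100.7.51000   12  9000  FIN
"""

# State strings a victim emits without the client ever completing a handshake:
# SYN-ACK only, RST-ACK only, or SYN-ACK followed by RST-ACK. These are the
# values that appear in the quoted output.
REPLY_ONLY_STATES = {"SA_", "RA_", "SA_RA"}
HEADER_ONLY_BYTES = 64  # per-packet ceiling; the quoted flows carry 40-62 bytes


def parse_ra(text, year=2010):
    """Parse whitespace-separated ra records; header and blank lines are skipped.
    ra prints no year, so one is assumed (2010 for this thread)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 9:          # Flgs column printed empty
            parts.insert(2, "")
        if len(parts) != 10:         # header line, blank line, or junk
            continue
        date, clock, flags, proto, src, _direction, dst, pkts, nbytes, state = parts
        start = datetime.strptime(f"{year}-{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        src_ip, src_port = src.rsplit(".", 1)   # addr.port -> (addr, port)
        dst_ip, dst_port = dst.rsplit(".", 1)
        flows.append(Flow(start, flags, proto, src_ip, int(src_port),
                          dst_ip, int(dst_port), int(pkts), int(nbytes), state))
    return flows


def is_backscatter(flow, service_ports=(80,)):
    """Reply-only TCP flow from a service port carrying header-sized packets:
    the victim answering a SYN that our address space never sent. SYN-ACK
    retransmissions (several packets, still ~44 bytes each) count too."""
    return (flow.proto == "tcp"
            and flow.sport in service_ports
            and flow.state in REPLY_ONLY_STATES
            and flow.nbytes <= HEADER_ONLY_BYTES * flow.pkts)


def sensor_window(date, start, end, clock_offset_hours=0, year=2010):
    """Translate a window given in the requester's clock into the sensor's.
    Nick's times are GMT-6 and Mike's ra timestamps run one hour ahead (his
    mail is stamped EST), so clock_offset_hours=1 lines them up (assumption)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    shift = timedelta(hours=clock_offset_hours)
    return (datetime.strptime(f"{year}-{date} {start}", fmt) + shift,
            datetime.strptime(f"{year}-{date} {end}", fmt) + shift)


def summarize(flows, window=None):
    """Group backscatter by the replying host (the DoS victim) and count how
    many of our addresses the attacker forged as sources."""
    by_victim = defaultdict(list)
    for f in flows:
        if window and not (window[0] <= f.start <= window[1]):
            continue
        if is_backscatter(f):
            by_victim[f.src].append(f)
    return {
        victim: {
            "flows": len(fl),
            "forged_addresses": len({f.dst for f in fl}),
            "first": min(f.start for f in fl),
            "last": max(f.start for f in fl),
        }
        for victim, fl in by_victim.items()
    }


if __name__ == "__main__":
    flows = parse_ra(SAMPLE_RA_OUTPUT)
    win = sensor_window("12-16", "11:38:44", "11:48:45", clock_offset_hours=1)
    for victim, info in summarize(flows, win).items():
        print(f"{victim}: {info['flows']} reply-only flows to "
              f"{info['forged_addresses']} forged addresses between "
              f"{info['first'].time()} and {info['last'].time()}")
```

The interesting number for a request like Nick's is `forged_addresses` per victim: a handful means a few hosts talking to a server, while dozens of distinct addresses in one's own space receiving header-only SYN-ACK/RST-ACK from a single port-80 host in a ten-minute window is the signature of someone else's SYN flood using that space as cover. Note that the 12:38:07 record falls outside the requested window once the clock offset is applied; the window filter is there precisely so a correspondent can answer the time range asked for rather than everything the sensor saw.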