[nsp-sec] DoS attack to 174.120.159.141 -- virtual host at ThePlanet AS21844
Maurizio Molina
Maurizio.Molina at dante.net
Tue Jan 5 13:06:22 EST 2010
Hi Jason,
I confirm we saw some traffic transiting the GEANT network (ASN 20965) directed to this address on Dec. 30th, from 14:22 to 18:58 GMT. We saw around 2,000 sampled packets in that period (using 1/100 sampling, so about 200,000 packets actually sent). This traffic is half ICMP, half TCP (I don't see the UDP you mention). On TCP, both dst ports 80 and 65535 are targeted. The source ports are, in both cases, 1024 and 3072, and the packets are 40 bytes long with the ACK and RST flags set.
An additional note: I see that in (a subset of) the same period the target 174.120.159.141 is generating 10 times more SYN,ACK TCP packets. It *may* be possible that spoofed SYNs are sent to the target through another network I don't see, the target sends SYN/ACK to them, and what I see are the RST/ACKs from the (minority of) spoofed hosts that really exist. Just a guess...
Maurizio
> -----Original Message-----
> From: Jason Chambers [mailto:jchambers at ucla.edu]
> Sent: 30 December 2009 22:58
> To: nsp-security NSP
> Subject: [nsp-sec] DoS attack to 174.120.159.141 -- virtual host at ThePlanet AS21844
>
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
>
> Wanted to share some intel on a DoS attack we observed today to
> 174.120.159.141. Look for UDP and spoofed TCP traffic to this address.
>
> The attack consisted mostly of UDP traffic targeting destination port
> 65535; the source port was 43342. The TCP traffic was spread among many
> destination ports and in comparison to the UDP traffic this was very low
> rate.
>
> When I find C&C info I'll share it.
>
>
> Regards,
>
> - --
>
> Jason Chambers
> UCLA
> jchambers at ucla.edu
> 310-206-5603
>
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAks72t4ACgkQg2yFT6C6NKhVKACgj39vpQTPaDcL6iFO4aWBu0Og
> a9IAn3mdN91VDMMibjlzFyKxTl56MyfG
> =bVc5
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
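The check Maurizio sketches above (extrapolating 1/100 sampled counts, profiling inbound traffic by protocol/port/flags, and comparing the target's outbound SYN/ACK volume with the inbound RST/ACK volume to test the spoofed-SYN-flood hypothesis) can be run mechanically over flow records. The script below is an added example written for this page, not code from either poster or from the GEANT/UCLA toolchains. It assumes a NetFlow-style CSV layout (ts,src,sport,dst,dport,proto,flags,pkts,bytes, one record per sampled flow, flags as tcpdump-style letters) and uses constructed records that only imitate the numbers reported in the thread.

```python
"""Backscatter check over sampled flow records (added example, not from the thread).

Assumed record layout: ts,src,sport,dst,dport,proto,flags,pkts,bytes
  proto 6 = TCP, 1 = ICMP; flags use tcpdump letters (S,A,R,P,F); pkts is the
  number of *sampled* packets in the flow. Sampling is 1/100 as in the thread.
"""
import csv
import io
from collections import Counter

TARGET = "174.120.159.141"   # victim address from the thread
SAMPLING = 100               # 1-in-100 packet sampling, as reported

# Constructed sample records (invented for illustration, not real GEANT data).
# Inbound: ICMP plus 40-byte RST/ACK to ports 80 and 65535 from sports 1024/3072.
# Outbound: the target answering SYN/ACK at ~10x the RST/ACK rate, plus one
# ordinary established flow (PA) that must not be counted as backscatter.
SAMPLE = """\
ts,src,sport,dst,dport,proto,flags,pkts,bytes
1262182920,198.51.100.7,1024,174.120.159.141,80,6,AR,5,200
1262182921,198.51.100.9,3072,174.120.159.141,65535,6,AR,5,200
1262182922,203.0.113.4,0,174.120.159.141,0,1,,10,280
1262182923,174.120.159.141,80,192.0.2.10,1024,6,SA,50,2200
1262182924,174.120.159.141,65535,192.0.2.11,3072,6,SA,50,2200
1262182925,174.120.159.141,80,192.0.2.30,51514,6,PA,3,1800
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "proto", "pkts", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def has_flags(flow, required, forbidden=""):
    """True for TCP flows carrying every letter in `required` and none in `forbidden`."""
    flags = set(flow["flags"])
    return flow["proto"] == 6 and set(required) <= flags and not (set(forbidden) & flags)


def inbound_profile(flows, target=TARGET, sampling=SAMPLING):
    """Estimated real packets sent to `target`, keyed by (proto, dport, flags)."""
    profile = Counter()
    for f in flows:
        if f["dst"] == target:
            profile[(f["proto"], f["dport"], f["flags"])] += f["pkts"] * sampling
    return dict(profile)


def total_inbound_estimate(flows, target=TARGET, sampling=SAMPLING):
    """Sampled inbound packets scaled by the sampling rate (2,000 sampled -> 200,000)."""
    return sum(f["pkts"] for f in flows if f["dst"] == target) * sampling


def rst_ack_packet_size(flows, target=TARGET):
    """Mean size of inbound RST/ACK packets; 40 bytes means header-only, no payload."""
    rows = [f for f in flows if f["dst"] == target and has_flags(f, "RA", "S")]
    pkts = sum(f["pkts"] for f in rows)
    return sum(f["bytes"] for f in rows) / pkts if pkts else 0.0


def backscatter_ratio(flows, target=TARGET):
    """SYN/ACK packets emitted by the target divided by RST/ACK packets it receives.

    Under a spoofed-source SYN flood the target answers every spoofed SYN with a
    SYN/ACK, but only the minority of spoofed addresses that are live hosts reply
    with RST/ACK, so the ratio is well above 1. Established-flow traffic (PA etc.)
    is excluded on both sides.
    """
    syn_ack_out = sum(f["pkts"] for f in flows
                      if f["src"] == target and has_flags(f, "SA", "R"))
    rst_ack_in = sum(f["pkts"] for f in flows
                     if f["dst"] == target and has_flags(f, "RA", "S"))
    return syn_ack_out / rst_ack_in if rst_ack_in else float("inf")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("estimated inbound packets:", total_inbound_estimate(flows))
    for key, est in sorted(inbound_profile(flows).items()):
        print("  proto=%d dport=%d flags=%-3s est_pkts=%d" % (key + (est,)))
    print("mean RST/ACK size: %.1f bytes" % rst_ack_packet_size(flows))
    print("SYN/ACK out : RST/ACK in = %.1f" % backscatter_ratio(flows))
```

Run against the constructed sample it reports 2,000 estimated inbound packets split evenly between ICMP and 40-byte RST/ACK to ports 80 and 65535, and a SYN/ACK-out to RST/ACK-in ratio of 10. A ratio near 1 would instead point to a direct RST/ACK flood rather than backscatter; the check only works if flows in both directions through the same vantage point are available, and a second network that carries the spoofed SYNs (as the reply speculates) would still be invisible to it.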