[nsp-sec] DDoS mitigation help (AusCERT#20109c4d1)

Vidar Østmo vidar.ostmo at ventelo.no
Tue Jan 12 04:12:53 EST 2010


Thanks,

List sanitized and handed over to our abuse dept.

Vidar Østmo
Senior Network and Security Engineer
ASN 2216 - 3307
www.ventelo.no



On 1/9/10 9:23 AM, "Zane Jarvis" <zane at auscert.org.au> wrote:

> ----------- nsp-security Confidential --------
> 
> Hi NSP'ers,
> 
> Two Australian betting sites are under heavy DDoS at the moment using HTTP GET
> requests.
> 
> We are hoping to find the C&C, malware and assistance with mitigating this.
> AusCERT's tracking code for this is 20109c4d1.
> 
> The websites are:
> 
>     http://centreracing.com
>     http://centreracing.com.au
>     http://multibet.com
>     http://multibet.com.au
> 
> all point to: 203.3.76.26
> 
> DDoS appears to have started at 01:00am 9th January 2010 GMT+0930.
> 
> Here is a sample of the Apache access log from centreracing.com. We are
> awaiting a full set of logs in which we will include ASN to IP mapping.
> 
> 60.254.108.66 - - [09/Jan/2010:14:11:17 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 60.254.108.66 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 180.183.192.131 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 94.96.3.122 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 94.96.62.155 - - [09/Jan/2010:14:11:18 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 202.8.254.21 - - [09/Jan/2010:14:11:19 +0930] "GET / HTTP/1.0" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 125.26.123.120 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 202.156.10.253 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 188.48.42.198 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 201.252.54.13 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 203.162.3.166 - - [09/Jan/2010:14:11:20 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 203.162.3.166 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 112.142.50.125 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 122.167.46.72 - - [09/Jan/2010:14:11:26 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 115.133.138.169 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 114.128.164.213 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
> 117.47.126.85 - - [09/Jan/2010:14:11:27 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 200.93.218.179 - - [09/Jan/2010:14:11:28 +0930] "GET / HTTP/1.1" 200 2564 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
> 
> Thanks in advance,
> Zane Jarvis.
> 
> --
> Zane Jarvis
> Senior Information Security Analyst  | Hotline: +61 7 3365 4417
> AusCERT, Australia's Leading CERT    | Fax:     +61 7 3365 7031
> The University of Queensland         | WWW:     www.auscert.org.au
> QLD 4072 Australia                   | Email:   auscert at auscert.org.au
> 
> 
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

-- 
Vidar Østmo
Senior Network and Security Engineer

Mobile:         +47 47 9000 97
Switchboard:    21 55 00 00
E-mail:         vidar.ostmo at ventelo.no
Web:            www.ventelo.no
__    __
\ \  / /
 \ \/ /
  \_\/

Ventelo
Rolfsbuktveien 4, Postboks 1, 1330 Fornebu

Ventelo aims to give the best customer experience.
You can expect that I:
See you through to the goal - Make it simple - Take responsibility - Show respect - Dare to think new
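Triage of a GET flood like the one in the log excerpt quoted above, as an added example; this is not code from the thread, from AusCERT or from Ventelo. It parses Apache combined-format lines, finds request fingerprints (request line, Referer, User-Agent, status, size) that arrive from many distinct sources, and lists the sources that sent nothing but such requests and never came back for a sub-resource. The log it runs over is constructed to match the shape of the excerpt (the same three User-Agent strings, "GET /" with an empty Referer, 2564-byte responses, one source rotating its UA) but uses documentation-range IPs rather than the addresses in the post; the threshold `min_sources=3`, the function names and the two ordinary visitors are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA_OPERA = "Opera/9.02 (Windows NT 5.1; U; ru)"
UA_MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
UA_FF2 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
UA_FF35 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-AU; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6"
UA_MSIE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

# Constructed sample (documentation-range IPs, not the real sources) shaped like the
# excerpt: the three UAs seen there replayed against "/" with an empty Referer and a
# 2564-byte response, one source rotating its UA, and two ordinary visitors (192.0.2.x).
SAMPLE_LOG = "\n".join(
    f'{ip} - - [09/Jan/2010:14:11:{sec} +0930] "{req}" 200 {size} "{ref}" "{ua}"'
    for ip, sec, req, size, ref, ua in [
        ("198.51.100.7", 17, "GET / HTTP/1.1", 2564, "-", UA_OPERA),
        ("198.51.100.7", 18, "GET / HTTP/1.1", 2564, "-", UA_OPERA),
        ("198.51.100.23", 18, "GET / HTTP/1.1", 2564, "-", UA_MSIE6),
        ("203.0.113.5", 18, "GET / HTTP/1.1", 2564, "-", UA_FF2),
        ("203.0.113.9", 19, "GET / HTTP/1.1", 2564, "-", UA_FF2),
        ("198.51.100.23", 20, "GET / HTTP/1.1", 2564, "-", UA_OPERA),
        ("203.0.113.77", 20, "GET / HTTP/1.1", 2564, "-", UA_OPERA),
        ("198.51.100.41", 20, "GET / HTTP/1.1", 2564, "-", UA_MSIE6),
        ("203.0.113.12", 21, "GET / HTTP/1.1", 2564, "-", UA_MSIE6),
        ("203.0.113.60", 21, "GET / HTTP/1.1", 2564, "-", UA_FF2),
        ("192.0.2.10", 21, "GET / HTTP/1.1", 2564, "http://www.example.com/", UA_FF35),
        ("192.0.2.10", 21, "GET /css/site.css HTTP/1.1", 1832, "http://centreracing.com/", UA_FF35),
        ("192.0.2.10", 22, "GET /images/logo.gif HTTP/1.1", 4120, "http://centreracing.com/", UA_FF35),
        ("192.0.2.44", 24, "GET / HTTP/1.1", 2564, "-", UA_MSIE8),
        ("192.0.2.44", 25, "GET /racing/today HTTP/1.1", 9921, "http://centreracing.com/", UA_MSIE8),
    ]
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        e["path"] = e["req"].split(" ")[1] if e["req"].count(" ") == 2 else e["req"]
        entries.append(e)
    return entries

def fingerprint(e):
    """What a replaying flood tool holds constant; keying on the path alone would match real visitors too."""
    return (e["req"], e["ref"], e["ua"], e["status"], e["size"])

def flood_signatures(entries, min_sources=3):
    """Fingerprints seen from >= min_sources distinct IPs: a bot herd replays a few
    fixed templates, so each template shows up from many sources at once."""
    sources = defaultdict(set)
    for e in entries:
        sources[fingerprint(e)].add(e["ip"])
    return {fp: ips for fp, ips in sources.items() if len(ips) >= min_sources}

def triage(entries, min_sources=3):
    """Flag an IP only when every request it made matches a flood fingerprint AND it
    fetched nothing but "/": a browser that renders "/" comes back for CSS/JS/images,
    a GET-flood bot does not.  Both tests together keep a lone visitor who typed the
    URL (hence no Referer) off the list."""
    sigs = flood_signatures(entries, min_sources)
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, reqs in by_ip.items():
        if all(e["path"] == "/" for e in reqs) and all(fingerprint(e) in sigs for e in reqs):
            flagged[ip] = {
                "hits": len(reqs),
                "first_seen": min(e["ts"] for e in reqs),
                "last_seen": max(e["ts"] for e in reqs),
                "user_agents": sorted({e["ua"] for e in reqs}),
            }
    return flagged

def abuse_report(flagged):
    """One line per source, busiest first, with timezone-qualified timestamps so an
    upstream abuse desk can match them against its own records."""
    order = sorted(flagged.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [f'{ip} hits={i["hits"]} first={i["first_seen"].isoformat()} '
            f'last={i["last_seen"].isoformat()} user_agents={len(i["user_agents"])}'
            for ip, i in order]

if __name__ == "__main__":
    for line in abuse_report(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

Run stand-alone it prints the eight constructed flood sources with first/last-seen times in the log's own offset and leaves the two ordinary visitors out. The three User-Agent strings are deliberately not used as a block key on their own: a genuine Opera 9.02 user can exist, and the excerpt itself shows one source (203.162.3.166) switching UA between requests, so the per-source list, with the ASN mapping the original post says is coming, is the artifact to hand upstream for ACLs or null-routes.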
