[nsp-sec] UDP Flood - 67.210.170.131
White, Gerard
Gerard.White at bellaliant.ca
Tue Jan 26 15:19:57 EST 2010
Greetings.
Besides the UDP Flood to 67.210.170.131, there were also TCP/80 attacks
going on towards:
AS | IP | AS Name
46844 | 204.188.218.69 | ST-BGP - SHARKTECH INTERNET SERVICES
33970 | 89.238.166.140 | OPENHOSTING M247 Ltd
33970 | 89.238.166.130 | OPENHOSTING M247 Ltd
The botnet is using UDP + crypto for the C&C comms towards this /32:
AS | IP | AS Name
4837 | 119.7.128.223 | CHINA169-BACKBONE CNCGROUP China169 Backbone
Bots "beacon" towards this C&C on UDP/1337 using a random source port every 150 seconds, and if the C&C wants to engage, it will do so towards the random source port that the bot had previously "beaconed" from (within that 150 second time interval).
So if you have UDP/1337 flows towards 119.7.128.223 from your customer base, you've got bot...
Hope this helps...
GW
855 - Bell Aliant
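The beaconing pattern described above (periodic UDP/1337 flows to the C&C /32 from a changing source port, and the C&C answering back to the last-used port) can be turned directly into a flow-data check. The script below is an added example for this archive page, not code from either poster; it assumes flow records in the simple shape shown, a constructed set of sample flows, and a 10-second jitter tolerance that the thread does not state.

```python
from collections import defaultdict
from dataclasses import dataclass

C2_IP = "119.7.128.223"      # C&C address reported in the thread
C2_PORT = 1337               # beacon destination port reported in the thread
BEACON_INTERVAL = 150        # seconds between beacons, per the thread
TOLERANCE = 10               # assumed jitter allowance (not from the thread)


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds since epoch
    proto: str     # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample flows (not real data): two customer hosts beaconing,
# one C2 reply to a previously used source port, one unrelated UDP flow
# that happens to use port 1337, and one TCP flow to the C2 address.
SAMPLE_FLOWS = [
    Flow(1000.0, "udp", "10.0.0.5", 40123, C2_IP, C2_PORT),
    Flow(1150.0, "udp", "10.0.0.5", 51877, C2_IP, C2_PORT),
    Flow(1300.0, "udp", "10.0.0.5", 33901, C2_IP, C2_PORT),
    Flow(1320.0, "udp", C2_IP, C2_PORT, "10.0.0.5", 33901),     # C2 engages the bot
    Flow(1001.0, "udp", "10.0.0.9", 44000, C2_IP, C2_PORT),
    Flow(1152.0, "udp", "10.0.0.9", 47321, C2_IP, C2_PORT),
    Flow(1005.0, "udp", "10.0.0.7", 1337, "192.0.2.10", 1337),  # unrelated, same port
    Flow(1010.0, "tcp", "10.0.0.8", 50000, C2_IP, C2_PORT),     # wrong protocol
]


def beacon_flows(flows):
    """Group outbound UDP flows to the C2 /32 on port 1337 by internal host,
    sorted by time."""
    by_host = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dst == C2_IP and f.dport == C2_PORT:
            by_host[f.src].append(f)
    for host in by_host:
        by_host[host].sort(key=lambda f: f.ts)
    return by_host


def is_periodic(flows, interval=BEACON_INTERVAL, tol=TOLERANCE):
    """True when consecutive beacons are about `interval` seconds apart and
    the source port changes between them."""
    if len(flows) < 2:
        return False
    gaps = [b.ts - a.ts for a, b in zip(flows, flows[1:])]
    ports = {f.sport for f in flows}
    return all(abs(g - interval) <= tol for g in gaps) and len(ports) > 1


def suspected_bots(flows):
    """Hosts whose outbound flows match the reported beaconing pattern."""
    return sorted(h for h, fl in beacon_flows(flows).items() if is_periodic(fl))


def engaged_bots(flows, window=BEACON_INTERVAL):
    """Hosts that received a reply from the C2 to the exact port they had
    beaconed from within the last `window` seconds."""
    beacons = beacon_flows(flows)
    hits = set()
    for f in flows:
        if f.proto == "udp" and f.src == C2_IP and f.sport == C2_PORT:
            for b in beacons.get(f.dst, []):
                if b.sport == f.dport and 0 <= f.ts - b.ts <= window:
                    hits.add(f.dst)
    return sorted(hits)


if __name__ == "__main__":
    print("beaconing hosts:", suspected_bots(SAMPLE_FLOWS))
    print("engaged by C2:  ", engaged_bots(SAMPLE_FLOWS))
```

Run against exported NetFlow/sFlow records mapped into `Flow`, the first list is the set of customer hosts to notify; the second narrows it to hosts the C2 has actually talked back to, which is the stronger indicator since a single outbound UDP/1337 packet could be a scan or a misfire.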
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Nicholas
Ianelli
Sent: January-26-10 2:29 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] UDP Flood - 67.210.170.131
----------- nsp-security Confidential --------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team,
The folks behind the Mariposa botnet appear to be upset with the
defintel guys (again). For the second day they are attempting a UDP DDoS
(random source/dest ports) against 67.210.170.131.
I don't have enough data to say if this is spoofed or not, but if you
could look for flows and squash, that would be extremely helpful. Any
intel on the Command and Control (C2) server would be awesome.
Thanks!
Nick
- --
Nicholas Ianelli: Neustar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAktfLVgACgkQi10dJIBjZIAwLgCfTIffuNWLCEK0eUjnPc9jRNFf
YBQAoMX5wslctA/DqXTQ3XESffybly9i
=+OOR
-----END PGP SIGNATURE-----
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community.
Confidentiality is essential for effective Internet security counter-measures.