[nsp-sec] DDOS against www.de-cix.net
Paul Dokas
dokas at oitsec.umn.edu
Wed Jan 27 09:28:54 EST 2010
I agree with what others have said that there's likely spoofing going on in this one.
What I see in our flows looks more like backscatter than an outbound attack. Also,
the machine here (128.101.190.46) is showing no indications of other bad behavior.
Paul
> 217 | 128.101.190.46 | 2010-01-27 05:55:45 GMT | UMN-AGS-NET-AS - University of Minnesota
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2010-01-27 00:02:41.766 0.128 TCP 212.224.123.98:80 -> 128.101.190.46:12481 ...... 0 3 706 23 44125 235 1
2010-01-27 00:02:41.948 3.520 TCP 128.101.190.46:12483 -> 212.224.123.98:80 ...... 0 7 568 1 1290 81 1
2010-01-27 00:02:41.967 4.032 TCP 128.101.190.46:12481 -> 212.224.123.98:80 ...... 0 6 508 1 1007 84 1
2010-01-27 00:02:42.014 0.128 TCP 212.224.123.98:80 -> 128.101.190.46:12482 ...... 0 3 706 23 44125 235 1
2010-01-27 00:02:42.154 3.776 TCP 128.101.190.46:12482 -> 212.224.123.98:80 ...... 0 6 509 1 1078 84 1
2010-01-27 00:02:42.164 0.128 TCP 212.224.123.98:80 -> 128.101.190.46:12481 ...... 0 3 706 23 44125 235 1
2010-01-27 00:02:42.188 0.128 TCP 212.224.123.98:80 -> 128.101.190.46:12482 ...... 0 3 706 23 44125 235 1
2010-01-27 00:02:44.973 0.320 TCP 212.224.123.98:80 -> 128.101.190.46:12484 ...... 0 4 758 12 18950 189 1
2010-01-27 00:02:45.000 0.256 TCP 128.101.190.46:12484 -> 212.224.123.98:80 ...... 0 5 455 19 14218 91 1
2010-01-27 00:02:45.193 0.128 TCP 212.224.123.98:80 -> 128.101.190.46:12483 ...... 0 3 706 23 44125 235 1
2010-01-27 00:02:45.228 0.000 TCP 212.224.123.98:80 -> 128.101.190.46:12482 ...... 0 1 52 0 0 52 1
2010-01-27 00:02:45.229 0.000 TCP 212.224.123.98:80 -> 128.101.190.46:12483 ...... 0 1 52 0 0 52 1
2010-01-27 00:02:45.229 0.000 TCP 212.224.123.98:80 -> 128.101.190.46:12481 ...... 0 1 52 0 0 52 1
2010-01-27 00:02:45.461 0.000 TCP 212.224.123.98:80 -> 128.101.190.46:12481 ...... 0 1 52 0 0 52 1
2010-01-27 00:02:45.518 0.000 TCP 212.224.123.98:80 -> 128.101.190.46:12482 ...... 0 1 52 0 0 52 1
2010-01-27 00:02:45.598 0.512 TCP 212.224.123.98:80 -> 128.101.190.46:12483 ...... 0 4 758 7 11843 189 1
2010-01-27 00:02:45.823 0.256 TCP 212.224.123.98:80 -> 128.101.190.46:12484 ...... 0 4 758 15 23687 189 1
Summary: total flows: 17, total bytes: 8104, total packets: 56, avg bps: 14924, avg pps: 12, avg bpp: 144
Time window: 2010-01-26 17:28:29 - 2010-01-27 00:59:59
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
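
One way to triage flow records in the column layout shown above, as an added example that is not part of the original post: it totals traffic per direction for a reported host and lists inbound flows that have no matching outbound flow. The sample lines use constructed RFC 5737 addresses, and the function names and the "unanswered inbound" heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the same column layout as the flow records in the post
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE = """\
2010-01-27 00:02:41.766 0.128 TCP 198.51.100.98:80 -> 192.0.2.46:12481 ...... 0 3 706 23 44125 235 1
2010-01-27 00:02:41.967 4.032 TCP 192.0.2.46:12481 -> 198.51.100.98:80 ...... 0 6 508 1 1007 84 1
2010-01-27 00:02:45.000 0.256 TCP 192.0.2.46:12484 -> 198.51.100.98:80 ...... 0 5 455 19 14218 91 1
2010-01-27 00:02:45.229 0.000 TCP 198.51.100.98:80 -> 192.0.2.46:12499 ...... 0 1 52 0 0 52 1
"""

FLOW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<tos>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
)

def parse_flows(text):
    """Return one dict per flow line; header, summary and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            f = m.groupdict()
            for k in ("sport", "dport", "pkts", "bytes"):
                f[k] = int(f[k])
            flows.append(f)
    return flows

def direction_totals(flows, local_ip):
    """Flow, packet and byte counts sent by ("out") and received by ("in") local_ip."""
    totals = Counter()
    for f in flows:
        side = "out" if f["src"] == local_ip else "in"
        totals[side + "_flows"] += 1
        totals[side + "_pkts"] += f["pkts"]
        totals[side + "_bytes"] += f["bytes"]
    return dict(totals)

def unanswered_inbound(flows, local_ip):
    """Inbound flows with no outbound flow on the reversed 5-tuple.
    Heuristic (assumption of this example): replies to connections the host
    never opened are what backscatter from spoofed traffic looks like."""
    sent = {(f["proto"], f["sport"], f["dst"], f["dport"])
            for f in flows if f["src"] == local_ip}
    return [f for f in flows if f["dst"] == local_ip
            and (f["proto"], f["dport"], f["src"], f["sport"]) not in sent]
```

With sampled flow export an outbound flow can be missing from the data, so an unmatched inbound flow is a prompt to look closer rather than proof of spoofing.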