[nsp-sec] DDOS against www.de-cix.net

Brian Eckman eckman at umn.edu
Wed Jan 27 11:16:14 EST 2010


Actually, I agree that it doesn't appear to be backscatter in our
case. 128.101.190.46 has been briefly contacting www.de-cix.net every
day between midnight and 0100 local time (0600-0700 UTC) since January
2nd. The flows that Paul listed aren't sampled - that was all that was
sent for a four hour time period that I looked into from around the
sampled time.

Of course, this all hinges on it not being an IPv6 attack - but in that
case, the attacking IP wouldn't resemble "128.101.190.46".  ;-)

Put differently, the outbound traffic from 128.101.190.46 at that time
of day has been going on for nearly four weeks, and doesn't resemble a
resource exhaustion attack.

Brian

Here's the condensed, aggregated list of unsampled flows between
128.101.190.46 and 212.224.123.98 between 0400 and 0800 UTC:
(timestamps are UTC)

Date flow start          Duration Proto  Src IP Addr:Port      ->  Dst IP Addr:Port       Packets  Bytes  Flows
2010-01-27 06:02:41.766     3.463 TCP    212.224.123.98:80     ->  128.101.190.46:12481         4    758      2
2010-01-27 06:02:41.948     3.520 TCP    128.101.190.46:12483  ->  212.224.123.98:80            7    568      1
2010-01-27 06:02:41.967     4.032 TCP    128.101.190.46:12481  ->  212.224.123.98:80            6    508      1
2010-01-27 06:02:42.014     3.214 TCP    212.224.123.98:80     ->  128.101.190.46:12482         4    758      2
2010-01-27 06:02:42.154     3.776 TCP    128.101.190.46:12482  ->  212.224.123.98:80            6    509      1
2010-01-27 06:02:44.973     0.320 TCP    212.224.123.98:80     ->  128.101.190.46:12484         4    758      1
2010-01-27 06:02:45.000     0.256 TCP    128.101.190.46:12484  ->  212.224.123.98:80            5    455      1
2010-01-27 06:02:45.193     0.128 TCP    212.224.123.98:80     ->  128.101.190.46:12483         4    758      2


On Wed, Jan 27, 2010 at 8:35 AM, Wolfgang Tremmel
<wolfgang.tremmel at de-cix.net> wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 27.01.10 15:28, Paul Dokas wrote:
>> I agree with what others have said that there's likely spoofing going on in this one.
>> What I see in our flows looks more like backscatter than outbound attack.  Also,
>> the machine here (128.101.190.46) is showing no indications of other bad behavior.
>
> thanks - I assume the TCP-SYN attack with spoofed sources is still going on in parallel.
> The list I sent were bots which actually were able to establish a tcp connection...
>
> best regards,
> Wolfgang
>
> - --
> Wolfgang Tremmel                     e-mail: wolfgang.tremmel at de-cix.net
> DE-CIX Management GmbH               Phone: +49 69 1730 902-26
> Lindleystr. 12, 60314 Frankfurt      Mobile: +49 171 8600 816
> Geschaeftsfuehrer Harald A. Summa    Fax: +49 69 4056 2716
> Registergericht AG Koeln, HRB 51135  http://www.de-cix.net
> Zentrale: Lichtstr. 43i, 50825 Koeln
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAktgT0EACgkQ0fKk3jl6LK5JTwCcCnS+bpvobsch2zmObOYzgH7r
> pF8AoNqAN6oxzYaA5x0Qk4O29+vOSsHO
> =qRzy
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>



-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
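The check Brian is describing (does the host actually complete connections to the target, or does it only receive replies to packets it never sent?) can be made mechanical by pairing flows on the host's ephemeral port. The script below is an added example, not code from the message or the list; it parses nfdump-style aggregated lines like the ones quoted above, groups them by the university host's source port, and labels each conversation as bidirectional (the host sent packets and the peer answered on that port, i.e. a real TCP connection) or inbound-only (replies arrive for a port the host never used, which is what backscatter from a spoofed SYN flood looks like). The eight flow lines are transcribed from the message; the ninth line, a single 40-byte packet to port 40001, is constructed to show the backscatter case. The host and peer addresses are taken from the message; the parsing regex and the classification thresholds are this example's own assumptions.

```python
"""Pair aggregated flow records into conversations to tell real connections from backscatter.

Added example (not from the nsp-security list). The flow lines are transcribed from the
message above, except the last one, which is constructed to represent backscatter.
"""
import re
from collections import defaultdict

# One aggregated nfdump-style line, e.g.
# "2010-01-27 06:02:41.766     3.463 TCP     212.224.123.98:80    -> 128.101.190.46:12481   4   758   2"
FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)

HOST = "128.101.190.46"   # the university host discussed in the thread
PEER = "212.224.123.98"   # www.de-cix.net as it appears in the flows

# Eight lines from the message plus one constructed inbound-only flow (port 40001).
SAMPLE_FLOWS = """\
2010-01-27 06:02:41.766     3.463 TCP     212.224.123.98:80    -> 128.101.190.46:12481       4      758        2
2010-01-27 06:02:41.948     3.520 TCP     128.101.190.46:12483 -> 212.224.123.98:80          7      568        1
2010-01-27 06:02:41.967     4.032 TCP     128.101.190.46:12481 -> 212.224.123.98:80          6      508        1
2010-01-27 06:02:42.014     3.214 TCP     212.224.123.98:80    -> 128.101.190.46:12482       4      758        2
2010-01-27 06:02:42.154     3.776 TCP     128.101.190.46:12482 -> 212.224.123.98:80          6      509        1
2010-01-27 06:02:44.973     0.320 TCP     212.224.123.98:80    -> 128.101.190.46:12484       4      758        1
2010-01-27 06:02:45.000     0.256 TCP     128.101.190.46:12484 -> 212.224.123.98:80          5      455        1
2010-01-27 06:02:45.193     0.128 TCP     212.224.123.98:80    -> 128.101.190.46:12483       4      758        2
2010-01-27 06:02:50.000     0.000 TCP     212.224.123.98:80    -> 128.101.190.46:40001       1       40        1
"""


def parse_flows(text):
    """Parse flow lines into dicts; header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "pkts", "bytes", "flows"):
            rec[key] = int(rec[key])
        rec["dur"] = float(rec["dur"])
        flows.append(rec)
    return flows


def classify_conversations(flows, host=HOST, peer=PEER):
    """Map each ephemeral port on `host` to the direction(s) of traffic seen with `peer`.

    'bidirectional' : host sent packets from the port and peer answered it (real connection)
    'inbound-only'  : peer sent to the port but host never used it (backscatter signature)
    'outbound-only' : host sent but nothing came back (filtered or unanswered)
    """
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for f in flows:
        if f["proto"] != "TCP":
            continue
        if f["sip"] == host and f["dip"] == peer:
            counts[f["sport"]]["out"] += f["pkts"]
        elif f["sip"] == peer and f["dip"] == host:
            counts[f["dport"]]["in"] += f["pkts"]
    verdict = {}
    for port, c in counts.items():
        if c["out"] and c["in"]:
            verdict[port] = "bidirectional"
        elif c["in"]:
            verdict[port] = "inbound-only"
        else:
            verdict[port] = "outbound-only"
    return verdict


def summarize(verdict):
    """Count conversations per label, e.g. {'bidirectional': 4, 'inbound-only': 1}."""
    summary = defaultdict(int)
    for label in verdict.values():
        summary[label] += 1
    return dict(summary)


if __name__ == "__main__":
    v = classify_conversations(parse_flows(SAMPLE_FLOWS))
    for port in sorted(v):
        print(f"{HOST}:{port:<6} {v[port]}")
    print(summarize(v))
```

Read against the thread: every port the peer replied to (12481 to 12484) also appears as a source port in an outbound flow with several packets, so these are completed HTTP connections, not replies to spoofed SYNs. Backscatter would show up as the constructed 40001 case, inbound packets for ports the host never opened, typically one small SYN/ACK or RST per flow. Run over the full unsampled window, a host that is "bidirectional" for every port and only a handful of connections per night is the pattern Brian is describing, not a resource exhaustion attack.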
