[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234 (AS8928)
Borja Marcos
BORJAMAR at SARENET.ES
Thu Jun 3 11:56:32 EDT 2010
On 3 Jun 2010, at 17:17, Mike Hellers wrote:
> ----------- nsp-security Confidential --------
> We have experienced a rather large, and distributed attack against one
> of our customers over the past couple of hours, it is actually still
> going on at this time. We have seen overall traffic levels above 10Gbps,
> mainly UDP traffic from and towards a range of ports.
>
> The targeted host is primarily 62.50.74.234.
>
> I would appreciate to hear if anybody else has some additional
> information they can provide us with, especially if this was controlled
> by known C&C.
One of our customers seems to be sending a lot of UDP packets to that IP address, different ports:
2010-06-03 12:09:55.611 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:274 ...... 0 500 466500 1
2010-06-03 12:09:31.650 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:801 ...... 0 500 423500 1
2010-06-03 12:09:45.463 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:311 ...... 0 500 286000 1
2010-06-03 12:09:34.076 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:588 ...... 0 500 449500 1
2010-06-03 12:09:01.975 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:604 ...... 0 500 257000 1
2010-06-03 12:09:32.483 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:370 ...... 0 500 136500 1
It's around 8 Mbps. I've notified them and I'm filtering this out for them until they solve the issue.
Borja.
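
The following is an added example, not part of the original message: a small parser for flow records in the layout quoted above that groups UDP flows per source/destination pair and reports sources hitting many destination ports on one target. The meaning of the trailing columns (flags, ToS, packets, bytes, flows) and the `min_dports` threshold are assumptions.

```python
import re
from collections import defaultdict

# Records copied from the message above. Column meaning after the arrow
# (flags, ToS, packets, bytes, flows) is assumed from nfdump-style output.
SAMPLE = """\
2010-06-03 12:09:55.611 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:274 ...... 0 500 466500 1
2010-06-03 12:09:31.650 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:801 ...... 0 500 423500 1
2010-06-03 12:09:45.463 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:311 ...... 0 500 286000 1
2010-06-03 12:09:34.076 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:588 ...... 0 500 449500 1
2010-06-03 12:09:01.975 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:604 ...... 0 500 257000 1
2010-06-03 12:09:32.483 0.000 UDP 194.30.71.143:29548 -> 62.50.74.234:370 ...... 0 500 136500 1
"""

FLOW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>[\d:.]+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<tos>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)$"
)

def parse(text):
    """Yield one dict per well-formed flow line; skip anything else."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(records):
    """Aggregate UDP flows per (source, destination) pair."""
    agg = defaultdict(lambda: {"dports": set(), "pkts": 0, "bytes": 0})
    for r in records:
        if r["proto"] != "UDP":
            continue
        a = agg[(r["src"], r["dst"])]
        a["dports"].add(int(r["dport"]))
        a["pkts"] += int(r["pkts"])
        a["bytes"] += int(r["bytes"])
    return agg

def suspects(agg, min_dports=5):
    """Pairs where one source sends to many destination ports on a single target.
    min_dports is an illustrative threshold, not a value from the message."""
    return sorted(k for k, a in agg.items() if len(a["dports"]) >= min_dports)

if __name__ == "__main__":
    agg = summarize(parse(SAMPLE))
    for src, dst in suspects(agg):
        a = agg[(src, dst)]
        print(src, "->", dst, len(a["dports"]), "dst ports", a["pkts"], "pkts", a["bytes"], "bytes")
```

If the exporter samples packets, the packet and byte totals are per-sample counts and need scaling by the sampling rate before they are compared with a line rate.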