[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234 (AS8928)
sthaug at nethelp.no
Thu Jun 3 13:14:49 EDT 2010
> > The targeted host is primarily 62.50.74.234.
> >
> > I would appreciate to hear if anybody else has some additional
> > information they can provide us with, especially if this was controlled
> > by known C&C.
>
> One of our customers seems to be sending a lot of UDP packets to that IP address, different ports
Same here, my guess is this is attack traffic even though it's only about 2.5 Mbps:
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0603.18:59:04.990 0603.18:59:04.990 380 77.110.200.137 1537 330 62.50.74.234 772 17 0 1 549
0603.18:59:16.015 0603.18:59:16.015 380 77.110.200.137 1537 330 62.50.74.234 777 17 0 1 1010
0603.18:59:26.453 0603.18:59:26.453 380 77.110.200.137 1537 330 62.50.74.234 784 17 0 1 444
0603.18:59:32.102 0603.18:59:32.102 380 77.110.200.137 1537 330 62.50.74.234 543 17 0 1 560
0603.18:59:15.263 0603.18:59:15.263 380 77.110.200.137 1537 330 62.50.74.234 301 17 0 1 902
0603.18:59:17.134 0603.18:59:17.134 380 77.110.200.137 1537 330 62.50.74.234 818 17 0 1 308
0603.18:58:56.891 0603.18:58:56.891 380 77.110.200.137 1537 330 62.50.74.234 311 17 0 1 722
0603.18:59:05.922 0603.18:59:05.922 380 77.110.200.137 1537 330 62.50.74.234 61 17 0 1 380
0603.18:59:13.120 0603.18:59:13.120 380 77.110.200.137 1537 330 62.50.74.234 65 17 0 1 897
0603.18:59:06.125 0603.18:59:06.125 380 77.110.200.137 1537 330 62.50.74.234 323 17 0 1 643
0603.18:58:45.007 0603.18:58:45.007 380 77.110.200.137 1537 330 62.50.74.234 330 17 0 1 1001
0603.18:59:24.069 0603.18:59:24.069 380 77.110.200.137 1537 330 62.50.74.234 82 17 0 1 430
0603.18:59:19.326 0603.18:59:19.326 380 77.110.200.137 1537 330 62.50.74.234 855 17 0 1 892
0603.18:58:54.987 0603.18:58:54.987 380 77.110.200.137 1537 330 62.50.74.234 348 17 0 1 563
0603.18:59:09.330 0603.18:59:09.330 380 77.110.200.137 1537 330 62.50.74.234 608 17 0 1 898
0603.18:58:50.970 0603.18:58:50.970 380 77.110.200.137 1537 330 62.50.74.234 871 17 0 1 241
Handing it over to abuse now.
Steinar Haug, AS 2116 / AS 3307
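
Added example, not part of the original post: a small Python check that parses flow records in the column layout shown above and flags source/destination pairs sending short UDP flows to many distinct destination ports, the pattern visible in the records. The sample data is constructed (documentation addresses), and the function names and thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict

# Constructed sample in the same column layout as the flow records above;
# addresses are documentation ranges, not taken from the post.
SAMPLE = """\
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0603.18:59:04.990 0603.18:59:04.990 380 192.0.2.10 1537 330 198.51.100.5 772 17 0 1 549
0603.18:59:16.015 0603.18:59:16.015 380 192.0.2.10 1537 330 198.51.100.5 777 17 0 1 1010
0603.18:59:26.453 0603.18:59:26.453 380 192.0.2.10 1537 330 198.51.100.5 784 17 0 1 444
0603.18:59:32.102 0603.18:59:32.102 380 192.0.2.10 1537 330 198.51.100.5 543 17 0 1 560
0603.18:59:15.263 0603.18:59:15.263 380 192.0.2.10 1537 330 198.51.100.5 301 17 0 1 902
0603.18:59:17.134 0603.18:59:17.134 380 192.0.2.10 1537 330 198.51.100.5 818 17 0 1 308
0603.18:59:01.000 0603.18:59:01.200 380 192.0.2.20 53000 330 198.51.100.53 53 17 0 2 140
0603.18:59:09.000 0603.18:59:09.300 380 192.0.2.20 53001 330 198.51.100.53 53 17 0 2 150
0603.18:59:02.000 0603.18:59:12.000 380 192.0.2.30 40000 330 198.51.100.5 443 6 27 12 9000
"""

def parse_flows(text):
    """Yield one dict per flow record; the header and malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or not f[2].isdigit():
            continue
        yield {"src": f[3], "sport": int(f[4]), "dst": f[6], "dport": int(f[7]),
               "proto": int(f[8]), "pkts": int(f[10]), "octets": int(f[11])}

def udp_spray_suspects(flows, min_ports=5, max_avg_pkts=2):
    """Return {(src, dst): summary} for UDP senders hitting many ports with tiny flows.

    min_ports and max_avg_pkts are assumed thresholds, not values from the post.
    """
    stats = defaultdict(lambda: {"ports": set(), "flows": 0, "pkts": 0, "octets": 0})
    for fl in flows:
        if fl["proto"] != 17:          # IP protocol 17 = UDP
            continue
        s = stats[(fl["src"], fl["dst"])]
        s["ports"].add(fl["dport"])
        s["flows"] += 1
        s["pkts"] += fl["pkts"]
        s["octets"] += fl["octets"]
    return {pair: {"dst_ports": len(s["ports"]), "flows": s["flows"], "octets": s["octets"]}
            for pair, s in stats.items()
            if len(s["ports"]) >= min_ports and s["pkts"] / s["flows"] <= max_avg_pkts}

if __name__ == "__main__":
    for (src, dst), info in udp_spray_suspects(parse_flows(SAMPLE)).items():
        print(src, "->", dst, info)
```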