[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234(AS8928)

Salusky, William william.salusky at corp.aol.com
Thu Jun 3 17:46:39 EDT 2010


Having only one traffic source makes this a highly probable false
positive, but I see some potential C2 comms to the following making my
spidey senses tingle.

Can anyone else chime in on the legitimacy/evilness of the following?


POST /forums.php?fid=149 HTTP/1.1
Host: muza-flowers.biz

POST /download.php?file=7700233c371b36cd43401a5b22520444 HTTP/1.1
Host: muza-flowers.biz

POST /search.php?doc_id=440ac345ef5336aa53f11f2c0d88dfd8 HTTP/1.1
Host: muza-flowers.biz

POST /topic.php?tid=117 HTTP/1.1
Host: muza-flowers.biz



More troublesome is that the above requests to muza-flowers.biz
targeted the following IPs (in a span of a few minutes):

27645   | 66.79.162.138    | ASN-NA-MSG-01 - Managed Solutions Group, Inc.
32392   | 96.0.203.82      | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation


Yet I resolved the hostname perhaps 10 minutes after the actual client
connectivity was observed, resulting in:

28573   | 189.120.233.193  | NET Servicos de Comunicao S.A.

 
----
William Salusky 
Princ. Technical Security Engineer - AOL Information Technology Security
CERT team
703-265-4924 (office) : 571-480-1933 (mobile) 
 
 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Salusky, William
> Sent: Thursday, June 03, 2010 4:40 PM
> To: Mike Hellers; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] 10Gbps distributed UDP flood against 
> 62.50.74.234(AS8928)
> 
> ----------- nsp-security Confidential --------
> 
> I see *one* single active dial-up user participating.  If 
> only there were one other active participant, finding a comms 
> structure [if there is one] would be simple.
> 
> I'll keep an eye on this one to see if anything distinct stands out.
> Aside from the UDP flood toward the 62.x, the client in 
> question is also running a Limewire p2p client so needless to 
> say it's a very noisy little pipe.
>  
> ----
> William Salusky
> Princ. Technical Security Engineer - AOL Information 
> Technology Security CERT team
> 703-265-4924 (office) : 571-480-1933 (mobile) 
>  
>  
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Mike 
> > Hellers
> > Sent: Thursday, June 03, 2010 11:17 AM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] 10Gbps distributed UDP flood against
> > 62.50.74.234 (AS8928)
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Hi,
> > 
> >  
> > 
> > We have experienced a rather large, and distributed attack against one
> > of our customers over the past couple of hours, it is actually still
> > going on at this time. We have seen overall traffic levels above
> > 10Gbps, mainly UDP traffic from and towards a range of ports.
> > 
> > The targeted host is primarily 62.50.74.234.
> > 
> > I would appreciate hearing if anybody else has some additional
> > information they can provide us with, especially if this was
> > controlled by a known C&C.
> > 
> >  
> > 
> > ...mike
> > 
> >  
> > 
> > --
> > 
> > Mike Hellers
> > 
> > Interoute Communications Ltd.
> > 
> > Tel +44 20 7025 9396
> > 
> > Mob +44 7817 101 736
> > 
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the 
> > nsp-security community. Confidentiality is essential for effective 
> > Internet security counter-measures.
> > _______________________________________________
> > 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security community. Confidentiality is essential for 
> effective Internet security counter-measures.
> _______________________________________________
> 

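As an added example (not part of the thread), a small detector for the pattern Salusky describes: group observed Host-header/destination-IP pairs per hostname and flag any hostname whose destinations span two or more ASNs inside a short window, which is the kind of rapid re-pointing that makes a hostname worth a closer look. The log records are constructed; the muza-flowers.biz rows reuse the IP/ASN pairs quoted in the message, the example.org rows are filler, and the timestamps are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy/flow observations: (timestamp, Host header, destination IP, ASN).
# The muza-flowers.biz IP/ASN pairs are the ones quoted in the message; timestamps
# and the example.org rows are made up to give the detector a benign baseline.
SAMPLE_LOG = [
    ("2010-06-03 16:31:02", "muza-flowers.biz", "66.79.162.138", 27645),
    ("2010-06-03 16:32:40", "muza-flowers.biz", "96.0.203.82", 32392),
    ("2010-06-03 16:33:15", "muza-flowers.biz", "66.79.162.138", 27645),
    ("2010-06-03 16:44:00", "muza-flowers.biz", "189.120.233.193", 28573),
    ("2010-06-03 16:31:30", "example.org", "192.0.2.10", 64496),
    ("2010-06-03 16:40:30", "example.org", "192.0.2.10", 64496),
]


def flag_flux_hosts(records, window=timedelta(minutes=15), min_asns=2):
    """Return {hostname: sorted distinct ASNs} for every hostname whose
    observed destinations fall in at least `min_asns` distinct ASNs within
    any sliding window of length `window`.

    Hosts legitimately served from one provider (CDN edges aside) stay in a
    single ASN, so a multi-ASN spread over minutes is the signal to review."""
    by_host = defaultdict(list)
    for ts, host, ip, asn in records:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, asn))

    flagged = {}
    for host, obs in by_host.items():
        obs.sort()  # chronological, so each index starts a candidate window
        for i, (t0, _, _) in enumerate(obs):
            asns_in_window = {asn for t, _, asn in obs[i:] if t - t0 <= window}
            if len(asns_in_window) >= min_asns:
                flagged[host] = sorted(asns_in_window)
                break  # one hit is enough to flag the hostname
    return flagged


if __name__ == "__main__":
    for host, asns in flag_flux_hosts(SAMPLE_LOG).items():
        print(f"{host}: destinations in {len(asns)} ASNs within 15 min -> {asns}")
```

Tightening `window` shows how the verdict depends on the lookback: with a 5-minute window only the first two ASNs are caught, with 15 minutes all three are.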


