[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234(AS8928)
robert
robert at servalens.com
Thu Jun 3 18:29:56 EDT 2010
William,
I sank that domain internally on 4/27 but haven't seen any hits yet.
The only tie I could make for the muza-flowers.com domain was
muza-flowers.com =>
(150.48.6.196|151.231.100.159|189.120.233.193|190.192.2.57|48.34.204.49)
=> go-thailand-now.com (bubnix/bredolab?)
On the flow side, I observed 600 or so hosts hitting 62.50.74.234 on UDP
ports with about 1.5GB of packets.
I also saw attackers flooding mchost.ru (91.205.41.173/178.208.73.57)
Packet sizes are all over the place. (avg 625 bytes)
Hosts were from 34 countries.
Top:
TWN
USA
ISR
THA
Still haven't isolated a CNC though.
Robert
Salusky, William wrote:
> ----------- nsp-security Confidential --------
>
> Having only one traffic source makes this a highly probable false
> positive, but I see some potential C2 comms to the following making my
> spidey senses tingle.
>
> Can anyone else chime in on the legitimacy/evilness of the following?
>
>
> POST /forums.php?fid=149 HTTP/1.1
> Host: muza-flowers.biz
>
> POST /download.php?file=7700233c371b36cd43401a5b22520444 HTTP/1.1
> Host: muza-flowers.biz
>
> POST /search.php?doc_id=440ac345ef5336aa53f11f2c0d88dfd8 HTTP/1.1
> Host: muza-flowers.biz
>
> POST /topic.php?tid=117 HTTP/1.1
> Host: muza-flowers.biz
>
>
>
> More troublesome is that the above requests to muza-flowers.biz
> targeted the following IPs (in a span of a few minutes):
>
> 27645 | 66.79.162.138 | ASN-NA-MSG-01 - Managed Solutions Group, Inc.
> 32392 | 96.0.203.82 | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation
>
>
> Yet I resolved the hostname perhaps 10 minutes after the actual client
> connectivity was observed, resulting in:
>
> 28573 | 189.120.233.193 | NET Servicos de Comunicao S.A.
>
>
> ----
> William Salusky
> Princ. Technical Security Engineer - AOL Information Technology Security
> CERT team
> 703-265-4924 (office) : 571-480-1933 (mobile)
>
>
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Salusky, William
>> Sent: Thursday, June 03, 2010 4:40 PM
>> To: Mike Hellers; nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] 10Gbps distributed UDP flood against
>> 62.50.74.234(AS8928)
>>
>> ----------- nsp-security Confidential --------
>>
>> I see *one* single active dial-up user participating. If
>> only there were one other active participant, finding a comms
>> structure [if there is one] would be simple.
>>
>> I'll keep an eye on this one to see if anything distinct stands out.
>> Aside from the UDP flood toward the 62.x, the client in
>> question is also running a Limewire p2p client so needless to
>> say it's a very noisy little pipe.
>>
>> ----
>> William Salusky
>> Princ. Technical Security Engineer - AOL Information
>> Technology Security CERT team
>> 703-265-4924 (office) : 571-480-1933 (mobile)
>>
>>
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net
>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Mike
>>> Hellers
>>> Sent: Thursday, June 03, 2010 11:17 AM
>>> To: nsp-security at puck.nether.net
>>> Subject: [nsp-sec] 10Gbps distributed UDP flood against
>>> 62.50.74.234 (AS8928)
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> Hi,
>>>
>>>
>>>
>>> We have experienced a rather large and distributed attack against one
>>> of our customers over the past couple of hours; it is actually still
>>> going on at this time. We have seen overall traffic levels above
>>> 10Gbps, mainly UDP traffic from and towards a range of ports.
>>>
>>> The targeted host is primarily 62.50.74.234.
>>>
>>> I would appreciate hearing if anybody else has additional
>>> information they can provide us with, especially if this was
>>> controlled by a known C&C.
>>>
>>>
>>>
>>> ...mike
>>>
>>>
>>>
>>> --
>>>
>>> Mike Hellers
>>>
>>> Interoute Communications Ltd.
>>>
>>> Tel +44 20 7025 9396
>>>
>>> Mob +44 7817 101 736
>>>
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the
>>> nsp-security community. Confidentiality is essential for effective
>>> Internet security counter-measures.
>>> _______________________________________________
>>>
>>
>>
>>
>
>
>
>
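The flow-side triage Robert reports (distinct sources, byte volume, scattered packet sizes, top source countries) and William's caveat that a single traffic source is more likely a false positive than a botnet flood, written out as an added example that is not part of the thread. The flow records and the prefix-to-country table below are constructed for illustration (the table stands in for whatever GeoIP source the analyst has); none of it is data from the original report.

```python
"""Summarize a UDP flood toward one target from flow records.

Example code added to the thread, not from any of the participants.
FLOWS and COUNTRY_BY_PREFIX are constructed sample data (assumption:
a real run would read exported NetFlow/sFlow records and a GeoIP table).
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed flow records: (src, dst, proto, dst_port, packets, bytes).
# proto 17 = UDP, 6 = TCP. The TCP flow and the flow toward another
# destination are noise the summary must leave out.
FLOWS = [
    ("203.0.113.10", "62.50.74.234", 17, 53,    1200,  780000),
    ("203.0.113.11", "62.50.74.234", 17, 80,     900,  120000),
    ("198.51.100.7", "62.50.74.234", 17, 1434,  2500, 2100000),
    ("198.51.100.8", "62.50.74.234", 17, 53,    1100,   95000),
    ("192.0.2.44",   "62.50.74.234", 17, 27015, 3000, 4400000),
    ("192.0.2.45",   "62.50.74.234", 17, 80,     800,  640000),
    ("192.0.2.46",   "62.50.74.234", 6,  80,      40,    6000),  # TCP, ignored
    ("203.0.113.10", "192.0.2.99",   17, 53,     500,   60000),  # other dst
]

# Constructed prefix -> country table standing in for a GeoIP lookup.
COUNTRY_BY_PREFIX = {
    ip_network("203.0.113.0/24"): "TWN",
    ip_network("198.51.100.0/24"): "USA",
    ip_network("192.0.2.0/24"): "ISR",
}


def country_of(ip: str) -> str:
    """Longest-prefix-free lookup is fine here: the sample prefixes do not overlap."""
    addr = ip_address(ip)
    for net, cc in COUNTRY_BY_PREFIX.items():
        if addr in net:
            return cc
    return "???"


def summarize_udp_flood(flows, target: str) -> dict:
    """Aggregate UDP flows toward `target` into the figures an analyst
    reports back: distinct sources, bytes, average packet size and how
    much the per-flow sizes scatter (one tool vs. mixed bots), number of
    destination ports hit, share of bytes from the largest single source,
    and the dominant source countries."""
    per_src_bytes = defaultdict(int)
    pkt_sizes = []
    ports = Counter()
    total_pkts = total_bytes = 0
    for src, dst, proto, dport, pkts, nbytes in flows:
        if dst != target or proto != 17 or pkts == 0:
            continue
        per_src_bytes[src] += nbytes
        pkt_sizes.append(nbytes / pkts)
        ports[dport] += pkts
        total_pkts += pkts
        total_bytes += nbytes
    if total_pkts == 0:
        return {"distinct_sources": 0, "total_bytes": 0}
    countries = Counter(country_of(s) for s in per_src_bytes)
    top_src_bytes = max(per_src_bytes.values())
    return {
        "distinct_sources": len(per_src_bytes),
        "total_bytes": total_bytes,
        "avg_packet_size": round(total_bytes / total_pkts),
        "packet_size_stddev": round(pstdev(pkt_sizes)),
        "distinct_dst_ports": len(ports),
        "top_share": top_src_bytes / total_bytes,   # fraction from one source
        "top_countries": [cc for cc, _ in countries.most_common(4)],
    }


def is_distributed(summary: dict, min_sources: int = 10,
                   max_top_share: float = 0.5) -> bool:
    """One dominant source (or very few sources) is, as the thread notes,
    more likely a single noisy host or a false positive than a botnet."""
    return (summary["distinct_sources"] >= min_sources
            and summary.get("top_share", 1.0) <= max_top_share)


if __name__ == "__main__":
    s = summarize_udp_flood(FLOWS, "62.50.74.234")
    for k, v in s.items():
        print(f"{k:>20}: {v}")
    print("distributed:", is_distributed(s))
```

The thresholds in `is_distributed` are arbitrary starting points; the useful output is the combination of source count, top-source share and packet-size spread, which together separate a few hundred bots with mixed payloads from one host on a Limewire-sized pipe.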