[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234 (AS8928)
Brian Smith-Sweeney
bsmithsweeney at nyu.edu
Fri Jun 4 16:53:28 EDT 2010
On 06/03/2010 11:17 AM, Mike Hellers wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
>
>
> We have experienced a rather large, and distributed attack against one
> of our customers over the past couple of hours, it is actually still
> going on at this time. We have seen overall traffic levels above 10Gbps,
> mainly UDP traffic from and towards a range of ports.
>
> The targeted host is primarily 62.50.74.234.
>
> I would appreciate hearing if anybody else has some additional
> information they can provide us with, especially if this was controlled
> by known C&C.
>
>
>
> ...mike
>
>
>
A bit late, but I see activity from one of ours.
First flow:
0603.08:21:14.661 0603.08:21:31.621 144 216.165.126.111 52240 87 62.50.74.234 407 17 0 192 142912
Last flow:
0603.15:58:30.676 0603.15:59:02.932 144 216.165.126.111 41692 87 62.50.74.234 1024 17 0 190 101964
Traffic is relatively constant at a rate of ~a few flows per minute
between those times. Source port was relatively static, changing about
a dozen times throughout the day.
Unfortunately this is a heavily-used NAT box so attempting to suss out
the responsible C&C would be tough. If you have a suspected controller
IP let me know.
Cheers,
Brian
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney Project Lead
ITS Technology Security Services, New York University
bsmithsweeney at nyu.edu
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~