[nsp-sec] Got DDoS? - Target: 80.239.232.154 port 6112/TCP
Yiming Gong
yiming.gong at xo.com
Wed Jun 9 18:58:46 EDT 2010
Below is a breakdown of what I have seen for the past 10 hours; only 4 source IPs were involved.
count(*)  sip             proto  dport  tcpflags  sizes
2925      71.81.199.142   TCP    6112   ......    48,47
1854      99.195.134.23   TCP    6112   ....S.    48
1214      71.81.199.142   TCP    6112   ....S.    48
904       99.195.134.23   TCP    6112   ......    48,47
33        64.186.239.146  TCP    6112   .AP...    82,50,47,54,63,74,77,64,51,46,73,72
24        64.186.239.146  TCP    6112   .A....    40
1         67.90.220.157   TCP    6112   .A....    40
1         71.81.199.142   TCP    6112   ...R..    40
1         99.195.134.23   TCP    6112   ...R..    40

count(*)  sip             protocol  /number of different packet size/  /number of different sport/  /number of different dport/
4140      71.81.199.142   TCP       3                                  354                          1
2759      99.195.134.23   TCP       3                                  133                          1
57        64.186.239.146  TCP       13                                 1                            1
1         67.90.220.157   TCP       1                                  1                            1

count(*)  proto  byte
6813      TCP    48
85        TCP    47
27        TCP    40
10        TCP    54
9         TCP    82
5         TCP    64
1         TCP    63
1         TCP    74
1         TCP    77
1         TCP    50

Regards!
Yiming
On 06/09/2010 04:56 PM, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> These attacks continue on, anyone seeing traffic to: 80.239.232.154
> port 6112/TCP?
>
> I would love to find the C2 if possible.
>
> Thanks!
> Nick
>
> - --
> Nicholas Ianelli: Neustar, Inc.
> Security Operations
>
> 46000 Center Oak Plaza Sterling, VA 20166
> +1 571.434.4691 - http://www.neustar.biz
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
>