[nsp-sec] Got DDoS? - Target: 80.239.232.154 port 6112/TCP - Charter Communications around?

Nicholas Ianelli ni at centergate.net
Wed Jun 9 20:21:00 EDT 2010


Thanks Yiming!

Do we have anyone from Charter Communications on the list?

AS      | IP               | AS Name
20115   | 71.81.199.142    | CHARTER-NET-HKY-NC - Charter Communications

Nick


On 2010.06.09 18:58 PM, Yiming Gong wrote:
> Below is a breakdown of what I have seen for the past 10 hours; only 4
> source IPs were involved.
> 
> 
> count(*)    sip    proto    dport    tcpflags    sizes
> 2925    71.81.199.142    TCP    6112    ......    48,47
> 1854    99.195.134.23    TCP    6112    ....S.    48
> 1214    71.81.199.142    TCP    6112    ....S.    48
> 904    99.195.134.23    TCP    6112    ......    48,47
> 33    64.186.239.146    TCP    6112    .AP...    82,50,47,54,63,74,77,64,51,46,73,72
> 24    64.186.239.146    TCP    6112    .A....    40
> 1    67.90.220.157    TCP    6112    .A....    40
> 1    71.81.199.142    TCP    6112    ...R..    40
> 1    99.195.134.23    TCP    6112    ...R..    40
> 
> count(*)    sip    protocol    /number of different packet size/    /number of different sport/    /number of different dport/
> 4140    71.81.199.142    TCP    3    354    1
> 2759    99.195.134.23    TCP    3    133    1
> 57    64.186.239.146    TCP    13    1    1
> 1    67.90.220.157    TCP    1    1    1
> 
> 
> count(*)    proto    byte
> 6813    TCP    48
> 85    TCP    47
> 27    TCP    40
> 10    TCP    54
> 9    TCP    82
> 5    TCP    64
> 1    TCP    63
> 1    TCP    74
> 1    TCP    77
> 1    TCP    50
> 
> Regards!
> 
> Yiming
> 
> 
> On 06/09/2010 04:56 PM, Nicholas Ianelli wrote:
> 
>> ----------- nsp-security Confidential --------
>>
> 
> These attacks continue on, anyone seeing traffic to: 80.239.232.154
> port 6112/TCP?
> 
> I would love to find the C2 if possible.
> 
> Thanks!
> Nick
> 
> -- Nicholas Ianelli: Neustar, Inc.
> Security Operations
> 
> 46000 Center Oak Plaza Sterling, VA 20166
> +1 571.434.4691 - http://www.neustar.biz
> 

-- 
Nicholas Ianelli: Neustar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
