[nsp-sec] ddos against amazon ec2 customer

Dave Burke dave at amazon.com
Wed Mar 3 07:24:57 EST 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

We currently have a customer getting hit with a large DDoS attack.
Can you please check if you have flows towards ..

184.73.22.252 ( Eastern USA, Syn Flood)
184.72.3.89 ( Northern California, Syn Flood )
184.72.1.208 ( Northern California, UDP/53 Flood )
204.236.183.133 ( Nortern California, UDP/53 Flood )

The Syn flood pkt lengths are really nice round numbers (950/850/450/650
bytes). The majority of the source IPs are associated with China.

The attacks started about 09:54:19UTC this morning and are still ongoing.

If you go have flows towards those IPs, please drop the traffic on the
floor towards them for a few hours.

Sample srcIPs..
4134    | 121.12.168.249   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 121.12.170.24    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 121.12.170.59    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 121.12.174.177   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 121.12.174.36    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 122.224.33.106   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 122.224.33.156   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 122.224.33.69    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 122.224.33.70    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 122.224.33.81    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 122.224.33.90    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 122.224.33.93    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 124.232.142.72   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 124.232.143.169  | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 125.64.17.229    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 125.64.34.84     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 218.22.112.16    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 218.22.143.25    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 218.5.203.247    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 221.236.5.136    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 222.85.146.6     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 60.169.10.111    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 60.169.10.239    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 60.169.10.37     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 60.169.10.73     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 60.191.240.132   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 61.139.68.1      | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 61.191.60.170    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 61.191.61.153    | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 61.191.62.114    | CHINANET-BACKBONE No.31,Jin-rong Street
4837    | 221.208.255.229  | CHINA169-BACKBONE CNCGROUP China169 Backbone
17633   | 58.57.6.88       | CHINATELECOM-SD-AS-AP ASN for Shandong
Provincial Net of CT



thanks!
dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuOVRkACgkQvMJ1IGjTxcEEPQCgy0Kj2U+C0dMe0AqoKA2wuHlf
fhEAoKjHXJw4z6YzKikx+oK3DuZ3P428
=pjIZ
-----END PGP SIGNATURE-----



Amazon Data Services Ireland Limited registered office: Riverside One, Sir John Rogerson's Quay, Dublin 2, Ireland. Registered in Ireland. Registration number 390566.

More information about the nsp-security mailing list