[nsp-sec] ddos against amazon ec2 customer

Joel Rosenblatt joel at columbia.edu
Wed Mar 3 09:40:40 EST 2010


Hi,

I don't see flows toward them, but I'm seeing flows from one of them (last 5 minutes)

Joel

Calling flowdumper with the following filter:
filter-primitive general-ip
 type ip-address-prefix
 permit 184.73.22.252/32
 permit 184.72.3.89/32
 permit 184.72.1.208/32
 permit 204.236.183.133/32

filter-definition snoopy
 match ip-source-address general-ip
 or
 match ip-destination-address general-ip

Running the following files through the filter:
/hmt/sirius1/netflow/flows/saved//ft-v05.2010-03-03.093000-0500


--------------------------------------------------------------------------------

For all non-ICMP traffic, output is


date time srcip.srcport -> dstip.dstport protocol packets bytes

--------------------------------------------------------------------------------

2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.104.28893 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.110.30429 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.147.39901 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.151.40925 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.152.41181 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.153.41437 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.161.43485 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.187.50141 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.20.7389 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.30.9949 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.72.20701 17 1 198
2010/03/03 09:29:44 204.236.183.133.53 -> 156.111.77.47.12957 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.161.4480 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.207.16256 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.31.36735 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.53.42367 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.180.9344 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.183.10112 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.242.25216 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.37.38271 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.51.41855 17 1 198
2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.132.36121 17 1 198
2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.208.55577 17 1 198
2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.64.18713 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.138.38053 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.221.59301 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.233.62373 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.239.63909 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.58.17573 17 1 198


--On Wednesday, March 03, 2010 12:24 PM +0000 Dave Burke <dave at amazon.com> wrote:

> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> We currently have a customer getting hit with a large DDoS attack.
> Can you please check if you have flows towards ..
>
> 184.73.22.252 ( Eastern USA, Syn Flood)
> 184.72.3.89 ( Northern California, Syn Flood )
> 184.72.1.208 ( Northern California, UDP/53 Flood )
> 204.236.183.133 ( Northern California, UDP/53 Flood )
>
> The Syn flood pkt lengths are really nice round numbers (950/850/450/650
> bytes). The majority of the source IPs are associated with China.
>
> The attacks started about 09:54:19 UTC this morning and are still ongoing.
>
> If you do have flows towards those IPs, please drop the traffic on the
> floor towards them for a few hours.
>
> Sample srcIPs..
> 4134    | 121.12.168.249   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.170.24    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.170.59    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.174.177   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.174.36    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.106   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.156   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.69    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.70    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.81    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.90    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.93    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 124.232.142.72   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 124.232.143.169  | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 125.64.17.229    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 125.64.34.84     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 218.22.112.16    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 218.22.143.25    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 218.5.203.247    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 221.236.5.136    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 222.85.146.6     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.111    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.239    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.37     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.73     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.191.240.132   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.139.68.1      | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.191.60.170    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.191.61.153    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.191.62.114    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4837    | 221.208.255.229  | CHINA169-BACKBONE CNCGROUP China169 Backbone
> 17633   | 58.57.6.88       | CHINATELECOM-SD-AS-AP ASN for Shandong
> Provincial Net of CT
>
>
>
> thanks!
> dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkuOVRkACgkQvMJ1IGjTxcEEPQCgy0Kj2U+C0dMe0AqoKA2wuHlf
> fhEAoKjHXJw4z6YzKikx+oK3DuZ3P428
> =pjIZ
> -----END PGP SIGNATURE-----
>
>
>
> Amazon Data Services Ireland Limited registered office: Riverside One, Sir John Rogerson's Quay, Dublin 2, Ireland. Registered in Ireland. Registration
> number 390566.
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
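The flows in Joel's reply (UDP from 204.236.183.133 port 53 to many different Columbia hosts, each a single 198-byte packet, while Amazon reports that host under a UDP/53 flood) are consistent with backscatter: a server answering queries whose source addresses were forged. The script below is an added example, not code from either poster or from flow-tools. It parses the text layout flowdumper printed above ("date time srcip.srcport -> dstip.dstport protocol packets bytes") and flags any source that fans out from one port to many distinct destination hosts with identical one-packet flows. The parser, `fanout_report` and its `min_dsts` threshold are this example's own assumptions; the sample input repeats six lines from the reply and adds two constructed benign flows for contrast.

```python
"""Flag backscatter-style fan-out in flowdumper text output (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Layout printed by flowdumper in the reply above:
#   date time srcip.srcport -> dstip.dstport protocol packets bytes
FLOW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)$"
)

# Six lines copied from the reply plus two constructed benign flows
# (RFC 5737 documentation addresses) from a resolver answering normally.
SAMPLE_LINES = [
    "2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.104.28893 17 1 198",
    "2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.110.30429 17 1 198",
    "2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.147.39901 17 1 198",
    "2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.161.4480 17 1 198",
    "2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.207.16256 17 1 198",
    "2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.132.36121 17 1 198",
    "2010/03/03 09:30:01 192.0.2.10.53 -> 198.51.100.7.40001 17 2 310",  # constructed
    "2010/03/03 09:30:05 192.0.2.10.53 -> 198.51.100.7.40002 17 1 120",  # constructed
]


def parse_flow(line):
    """Return a dict for one flowdumper line, or None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    for key in ("sport", "dport", "proto", "pkts", "bytes"):
        flow[key] = int(flow[key])
    return flow


def fanout_report(lines, min_dsts=5):
    """Group flows by (src, sport, proto) and report groups that reach at least
    min_dsts distinct destination hosts.  'uniform' is True when every flow in
    the group has the same packet and byte count, the signature of one server
    repeating the same small answer to many forged addresses."""
    groups = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow:
            groups[(flow["src"], flow["sport"], flow["proto"])].append(flow)

    report = {}
    for key, flows in groups.items():
        dsts = {f["dst"] for f in flows}
        if len(dsts) < min_dsts:
            continue
        nets = {str(ip_network(f"{d}/24", strict=False)) for d in dsts}
        sizes = {(f["pkts"], f["bytes"]) for f in flows}
        report[key] = {
            "flows": len(flows),
            "distinct_dsts": len(dsts),
            "dst_nets": sorted(nets),          # /24s being sprayed
            "uniform": len(sizes) == 1,
            "size": next(iter(sizes)) if len(sizes) == 1 else None,
            "dns_reply_port": key[1] == 53 and key[2] == 17,  # UDP from port 53
        }
    return report


if __name__ == "__main__":
    for (src, sport, proto), info in fanout_report(SAMPLE_LINES).items():
        print(f"{src}:{sport}/{proto} -> {info['distinct_dsts']} hosts in "
              f"{len(info['dst_nets'])} /24s, uniform={info['uniform']}, "
              f"size={info['size']}")
```

On the sample the only group reported is 204.236.183.133:53/17, spraying identical (1 packet, 198 byte) flows across three Columbia /24s; the constructed resolver answering one client with varying sizes stays below the threshold. In practice the same grouping run over the full ft-v05 file, with the threshold tuned to the site's normal DNS fan-out, separates such reflected answers from ordinary resolver traffic and tells the operator that the forged source addresses belong to their own space, which is useful to relay back to the party under attack.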



