[nsp-sec] ddos against amazon ec2 customer

Smith, Donald Donald.Smith at qwest.com
Wed Mar 3 09:54:14 EST 2010


Joel, do you also get interface indexes in your netflow?
If so can you check to see if these are coming in the "expected" interface?


(coffee != sleep) & (!coffee == sleep)
 Donald.Smith at qwest.com<mailto:Donald.Smith at qwest.com>
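Added example, not code from the thread, from flow-tools, or from any of the posters: a Python script that reads flowdumper output in the format Joel pasted below, splits records into flows toward and from Dave's four target addresses, flags a source that fans single-packet, fixed-size UDP/53 replies out to many distinct hosts (the shape of the 198-byte flows in Joel's output), and applies the check suggested above by comparing each flow's input ifIndex with the interface expected for its source prefix. The trailing ifIndex column, the prefix-to-interface map, and every sample record are assumptions constructed for the example.

```python
"""Added example, not code from the thread or from flow-tools: parse
flowdumper-style lines, split them by direction, flag DNS reply fan-out,
and check input ifIndex against the interface expected for the source.
Assumed: a trailing ifIndex column, the prefix map, and all sample records."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Format from the thread: date time srcip.srcport -> dstip.dstport proto packets bytes
# plus an assumed optional trailing input ifIndex.
FLOW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<pkts>\d+) (?P<bytes>\d+)"
    r"(?: (?P<ifindex>\d+))?\s*$"
)
UDP = 17


def parse_flow(line):
    """One flowdumper line -> dict, or None for headers/separators."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "proto", "pkts", "bytes"):
        rec[k] = int(rec[k])
    rec["ifindex"] = int(rec["ifindex"]) if rec["ifindex"] is not None else None
    return rec


def parse_flows(text):
    return [r for r in map(parse_flow, text.splitlines()) if r]


def split_by_direction(records, targets):
    """Flows toward the targets vs. flows sourced from them (Dave's question)."""
    targets = set(targets)
    toward = [r for r in records if r["dst"] in targets]
    frm = [r for r in records if r["src"] in targets]
    return toward, frm


def find_reply_fanout(records, min_dsts=5, port=53):
    """Sources emitting single-packet UDP replies from `port` to at least
    min_dsts distinct hosts; the set of reply sizes is reported alongside."""
    dsts, sizes = defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] == UDP and r["sport"] == port and r["pkts"] == 1:
            dsts[r["src"]].add(r["dst"])
            sizes[r["src"]].add(r["bytes"])
    hits = [{"src": s, "distinct_dsts": len(d), "reply_bytes": sorted(sizes[s])}
            for s, d in dsts.items() if len(d) >= min_dsts]
    return sorted(hits, key=lambda h: h["src"])


def check_ingress_interface(records, expected_if, default_if):
    """Donald's check: flows whose input ifIndex is not the one expected for
    their source prefix. Sources in no listed prefix are expected on default_if."""
    bad = []
    for r in records:
        if r["ifindex"] is None:
            continue
        src = ip_address(r["src"])
        want = next((ifs for net, ifs in expected_if.items() if src in net), default_if)
        if r["ifindex"] not in want:
            bad.append((r["src"], r["ifindex"], sorted(want)))
    return bad


# Constructed sample in the thread's output format; ifIndex 3 = assumed upstream,
# 7 = assumed campus side. The header line shows that non-flow lines are skipped.
SAMPLE = """\
date time srcip.srcport -> dstip.dstport protocol packets bytes
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.104.28893 17 1 198 3
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.110.30429 17 1 198 3
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.147.39901 17 1 198 3
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.161.4480 17 1 198 3
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.183.10112 17 1 198 3
2010/03/03 09:30:01 156.111.189.104.53 -> 198.51.100.7.44123 17 1 198 7
2010/03/03 09:30:02 198.51.100.20.80 -> 156.111.77.47.51512 6 12 9000 3
2010/03/03 09:30:03 156.111.77.47.51512 -> 198.51.100.20.80 6 10 1200 3
"""
TARGETS = ["184.73.22.252", "184.72.3.89", "184.72.1.208", "204.236.183.133"]
# Assumed local prefixes and the interface each should arrive on.
EXPECTED_IF = {ip_network("156.111.0.0/16"): {7}, ip_network("128.59.0.0/16"): {7}}
UPSTREAM_IF = {3}


def analyze(text=SAMPLE):
    records = parse_flows(text)
    toward, frm = split_by_direction(records, TARGETS)
    return {
        "toward": len(toward),
        "from": len(frm),
        "fanout": find_reply_fanout(records),
        "bad_ingress": check_ingress_interface(records, EXPECTED_IF, UPSTREAM_IF),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Run it directly to print the four results for the constructed sample; feed real flowdumper output to parse_flows and supply your own ifIndex map. The last sample record is the case the interface question is after: a source inside a local prefix arriving on the upstream interface cannot be there legitimately, so either the source address is spoofed or the topology map is wrong, and both are worth knowing before dropping traffic on the floor.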
________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
Sent: Wednesday, March 03, 2010 7:40 AM
To: Dave Burke
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] ddos against amazon ec2 customer

----------- nsp-security Confidential --------

Hi,

I don't see flows toward them, but I'm seeing flows from one of them (last 5 minutes)

Joel

Calling flowdumper with the following filter:
filter-primitive general-ip
 type ip-address-prefix
 permit 184.73.22.252/32
 permit 184.72.3.89/32
 permit 184.72.1.208/32
 permit 204.236.183.133/32

filter-definition snoopy
 match ip-source-address general-ip
 or
 match ip-destination-address general-ip

Running the following files through the filter:
/hmt/sirius1/netflow/flows/saved//ft-v05.2010-03-03.093000-0500


--------------------------------------------------------------------------------

For all non-ICMP traffic, output is


date time srcip.srcport -> dstip.dstport protocol packets bytes

--------------------------------------------------------------------------------

2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.104.28893 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.110.30429 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.147.39901 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.151.40925 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.152.41181 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.153.41437 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.161.43485 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.187.50141 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.20.7389 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.30.9949 17 1 198
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.72.20701 17 1 198
2010/03/03 09:29:44 204.236.183.133.53 -> 156.111.77.47.12957 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.161.4480 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.207.16256 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.31.36735 17 1 198
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.53.42367 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.180.9344 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.183.10112 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.242.25216 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.37.38271 17 1 198
2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.51.41855 17 1 198
2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.132.36121 17 1 198
2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.208.55577 17 1 198
2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.64.18713 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.138.38053 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.221.59301 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.233.62373 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.239.63909 17 1 198
2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.58.17573 17 1 198


--On Wednesday, March 03, 2010 12:24 PM +0000 Dave Burke <dave at amazon.com> wrote:

> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> We currently have a customer getting hit with a large DDoS attack.
> Can you please check if you have flows towards ..
>
> 184.73.22.252 ( Eastern USA, Syn Flood)
> 184.72.3.89 ( Northern California, Syn Flood )
> 184.72.1.208 ( Northern California, UDP/53 Flood )
> 204.236.183.133 ( Northern California, UDP/53 Flood )
>
> The Syn flood pkt lengths are really nice round numbers (950/850/450/650
> bytes). The majority of the source IPs are associated with China.
>
> The attacks started about 09:54:19UTC this morning and are still ongoing.
>
> If you do have flows towards those IPs, please drop the traffic on the
> floor towards them for a few hours.
>
> Sample srcIPs..
> 4134    | 121.12.168.249   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.170.24    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.170.59    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.174.177   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 121.12.174.36    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.106   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.156   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.69    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.70    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.81    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.90    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 122.224.33.93    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 124.232.142.72   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 124.232.143.169  | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 125.64.17.229    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 125.64.34.84     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 218.22.112.16    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 218.22.143.25    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 218.5.203.247    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 221.236.5.136    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 222.85.146.6     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.111    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.239    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.37     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.169.10.73     | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 60.191.240.132   | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.139.68.1      | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.191.60.170    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.191.61.153    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134    | 61.191.62.114    | CHINANET-BACKBONE No.31,Jin-rong Street
> 4837    | 221.208.255.229  | CHINA169-BACKBONE CNCGROUP China169 Backbone
> 17633   | 58.57.6.88       | CHINATELECOM-SD-AS-AP ASN for Shandong Provincial Net of CT
>
>
>
> thanks!
> dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkuOVRkACgkQvMJ1IGjTxcEEPQCgy0Kj2U+C0dMe0AqoKA2wuHlf
> fhEAoKjHXJw4z6YzKikx+oK3DuZ3P428
> =pjIZ
> -----END PGP SIGNATURE-----
>
>
>



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
