[nsp-sec] ddos against amazon ec2 customer
Joel Rosenblatt
joel at columbia.edu
Wed Mar 3 10:41:32 EST 2010
OK .. I checked on this and the packets are coming from the expected place.
Thanks,
Joel
--On Wednesday, March 03, 2010 10:08 AM -0500 Joel Rosenblatt <joel at columbia.edu> wrote:
> Donald,
>
> I'm having our network people check .. I don't have access to that info .. they should be coming in from Level 3 - I'll let you know as soon as I find out.
>
> Thanks,
> Joel
>
> --On Wednesday, March 03, 2010 7:54 AM -0700 "Smith, Donald" <Donald.Smith at qwest.com> wrote:
>
>> Joel, do you also get interface indexes in your netflow?
>> If so can you check to see if these are coming in the "expected" interface?
>>
>>
>> (coffee != sleep) & (!coffee == sleep)
>> Donald.Smith at qwest.com
>> ________________________________
>> From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
>> Sent: Wednesday, March 03, 2010 7:40 AM
>> To: Dave Burke
>> Cc: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] ddos against amazon ec2 customer
>>
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> I don't see flows toward them, but I'm seeing flows from one of them (last 5 minutes)
>>
>> Joel
>>
>> Calling flowdumper with the following filter:
>> filter-primitive general-ip
>> type ip-address-prefix
>> permit 184.73.22.252/32
>> permit 184.72.3.89/32
>> permit 184.72.1.208/32
>> permit 204.236.183.133/32
>>
>> filter-definition snoopy
>> match ip-source-address general-ip
>> or
>> match ip-destination-address general-ip
>>
>> Running the following files through the filter:
>> /hmt/sirius1/netflow/flows/saved//ft-v05.2010-03-03.093000-0500
>>
>>
>> --------------------------------------------------------------------------------
>>
>> For all non-ICMP traffic, output is
>>
>>
>> date time srcip.srcport -> dstip.dstport protocol packets bytes
>>
>> --------------------------------------------------------------------------------
>>
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.104.28893 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.110.30429 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.147.39901 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.151.40925 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.152.41181 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.153.41437 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.161.43485 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.187.50141 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.20.7389 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.30.9949 17 1 198
>> 2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.72.20701 17 1 198
>> 2010/03/03 09:29:44 204.236.183.133.53 -> 156.111.77.47.12957 17 1 198
>> 2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.161.4480 17 1 198
>> 2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.207.16256 17 1 198
>> 2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.31.36735 17 1 198
>> 2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.53.42367 17 1 198
>> 2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.180.9344 17 1 198
>> 2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.183.10112 17 1 198
>> 2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.242.25216 17 1 198
>> 2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.37.38271 17 1 198
>> 2010/03/03 09:29:56 204.236.183.133.53 -> 128.59.154.51.41855 17 1 198
>> 2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.132.36121 17 1 198
>> 2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.208.55577 17 1 198
>> 2010/03/03 09:32:11 204.236.183.133.53 -> 156.111.194.64.18713 17 1 198
>> 2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.138.38053 17 1 198
>> 2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.221.59301 17 1 198
>> 2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.233.62373 17 1 198
>> 2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.239.63909 17 1 198
>> 2010/03/03 09:32:12 204.236.183.133.53 -> 156.111.227.58.17573 17 1 198
>>
>>
>> --On Wednesday, March 03, 2010 12:24 PM +0000 Dave Burke <dave at amazon.com> wrote:
>>
>>> ----------- nsp-security Confidential --------
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hi,
>>>
>>> We currently have a customer getting hit with a large DDoS attack.
>>> Can you please check if you have flows towards ..
>>>
>>> 184.73.22.252 ( Eastern USA, Syn Flood)
>>> 184.72.3.89 ( Northern California, Syn Flood )
>>> 184.72.1.208 ( Northern California, UDP/53 Flood )
>>> 204.236.183.133 ( Northern California, UDP/53 Flood )
>>>
>>> The Syn flood pkt lengths are really nice round numbers (950/850/450/650
>>> bytes). The majority of the source IPs are associated with China.
>>>
>>> The attacks started about 09:54:19 UTC this morning and are still ongoing.
>>>
>>> If you do have flows towards those IPs, please drop the traffic on the
>>> floor towards them for a few hours.
>>>
>>> Sample srcIPs..
>>> 4134 | 121.12.168.249 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 121.12.170.24 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 121.12.170.59 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 121.12.174.177 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 121.12.174.36 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 122.224.33.106 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 122.224.33.156 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 122.224.33.69 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 122.224.33.70 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 122.224.33.81 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 122.224.33.90 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 122.224.33.93 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 124.232.142.72 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 124.232.143.169 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 125.64.17.229 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 125.64.34.84 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 218.22.112.16 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 218.22.143.25 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 218.5.203.247 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 221.236.5.136 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 222.85.146.6 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 60.169.10.111 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 60.169.10.239 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 60.169.10.37 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 60.169.10.73 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 60.191.240.132 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 61.139.68.1 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 61.191.60.170 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 61.191.61.153 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4134 | 61.191.62.114 | CHINANET-BACKBONE No.31,Jin-rong Street
>>> 4837 | 221.208.255.229 | CHINA169-BACKBONE CNCGROUP China169 Backbone
>>> 17633 | 58.57.6.88 | CHINATELECOM-SD-AS-AP ASN for Shandong Provincial Net of CT
>>>
>>>
>>>
>>> thanks!
>>> dave
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>
>>> iEYEARECAAYFAkuOVRkACgkQvMJ1IGjTxcEEPQCgy0Kj2U+C0dMe0AqoKA2wuHlf
>>> fhEAoKjHXJw4z6YzKikx+oK3DuZ3P428
>>> =pjIZ
>>> -----END PGP SIGNATURE-----
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>>
>>
>>
>>
>> Joel Rosenblatt, Manager Network & Computer Security
>> Columbia Information Security Office (CISO)
>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> http://www.columbia.edu/~joel
>>
>>
>>
>>
>
>
>
>
>
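The check the thread walks through (filter exported flows on the four target addresses, see which direction the matches run, and, as Donald asks, confirm that flows sourced from them arrive on the expected input interface) written out as an added Python example rather than a flow-tools filter. This is not code from the thread, from flow-tools, or from either organisation. The record format follows Joel's flowdumper output with one extra trailing column for the input interface index, which the flowdumper format on the page does not carry; that column, the interface numbers and the sample records are constructed for the example.

```python
"""Watchlist triage over text-exported flow records (added example)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Target addresses as given in the request (from the thread).
WATCHLIST = {
    ipaddress.IPv4Address("184.73.22.252"),
    ipaddress.IPv4Address("184.72.3.89"),
    ipaddress.IPv4Address("184.72.1.208"),
    ipaddress.IPv4Address("204.236.183.133"),
}

# Constructed sample export. Columns follow the flowdumper layout on the page
# (date time src.sport -> dst.dport proto pkts bytes) plus a constructed
# trailing input-ifindex column. Interface numbers are made up for the example.
SAMPLE_RECORDS = """\
date time srcip.srcport -> dstip.dstport protocol packets bytes ifindex
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.104.28893 17 1 198 12
2010/03/03 09:29:24 204.236.183.133.53 -> 156.111.189.110.30429 17 1 198 12
2010/03/03 09:29:55 204.236.183.133.53 -> 128.59.154.161.4480 17 1 198 12
2010/03/03 09:30:02 204.236.183.133.53 -> 128.59.154.207.16256 17 1 198 7
2010/03/03 09:30:10 156.111.10.4.51234 -> 184.72.1.208.53 17 40 3280 3
2010/03/03 09:30:11 156.111.10.5.44321 -> 184.73.22.252.80 6 1 950 3
2010/03/03 09:30:12 10.0.0.1.1234 -> 10.0.0.2.80 6 3 180 3
"""

FLOW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)"
    r"(?:\s+(?P<ifindex>\d+))?\s*$"
)


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: int
    packets: int
    octets: int
    ifindex: Optional[int]  # input interface index; None when the export lacks it


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; headers, separators and blank lines return None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        timestamp=f"{m['date']} {m['time']}",
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]),
        proto=int(m["proto"]),
        packets=int(m["pkts"]),
        octets=int(m["bytes"]),
        ifindex=int(m["ifindex"]) if m["ifindex"] is not None else None,
    )


def parse_flows(text: str):
    return [f for f in (parse_flow(l) for l in text.splitlines()) if f is not None]


def watchlist_summary(flows, watchlist):
    """Count matching flows per watchlisted address, split by direction.

    'toward' answers the original request (traffic we send at the victims);
    'from' is what Joel actually saw (UDP/53 responses sourced from one of them).
    """
    toward, from_ = Counter(), Counter()
    for f in flows:
        if f.dst in watchlist:
            toward[str(f.dst)] += 1
        if f.src in watchlist:
            from_[str(f.src)] += 1
    return {"toward": dict(toward), "from": dict(from_)}


def unexpected_ingress(flows, watchlist, expected_ifindexes):
    """Flows sourced from a watchlisted address that arrived on an input
    interface other than the one(s) the upstream path should use."""
    return [
        f for f in flows
        if f.src in watchlist
        and f.ifindex is not None
        and f.ifindex not in expected_ifindexes
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_RECORDS)
    print(watchlist_summary(flows, WATCHLIST))
    for f in unexpected_ingress(flows, WATCHLIST, {12}):
        print("unexpected ifindex", f.ifindex, f.timestamp, f.src, "->", f.dst)
```

On the constructed sample this reports four flows from 204.236.183.133 and one each toward 184.72.1.208 and 184.73.22.252, and flags the single record whose input interface is not the expected one; records without an ifindex column are parsed but cannot be checked for ingress, which is the gap Donald's question is about.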