[nsp-sec] Got traffic to: 213.248.122.152
Danny McPherson
danny at tcb.net
Mon Mar 22 17:50:15 EDT 2010
On 3/22/10 3:35 PM, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> Folks,
>
> There looks to be a spoofed attack (varying types, both syn and udp)
> targeting 213.248.122.152. If you could check your flows and see if you
> have anything that stands out, it would be hugely appreciated.
>
> Past DDoS attacks towards this customer showed all spoofed traffic,
> anything we can do to locate the C2 would be awesome! Please don't block
> traffic to 213.248.122.152 as there are legitimate services.

We've got CC data for this, logged both udp and syn commands (35) since
2010-03-11 17:10:52:

Attack Detail: Attack 3571447
Timestamp 2010-03-17 22:27:57
C&C IP 195.244.8.148
C&C Hostname
C&C Port 1311
C&C ASN 39546
C&C CC UA
C&C Channel #spd
Command URL
Command Given .udp
Target IP 213.248.122.152
Target Hostname
Target ASN 1299
Target CC US
Botnet Details
Hostname 195.244.8.148 (195.244.8.148)
TCP Port 1311
First seen 2009-10-28 07:25:04
First tested 2010-03-17 22:40:35
Active True
....
Timestamp 2010-03-11 17:10:52
C&C IP 195.244.8.148
C&C Hostname
C&C Port 1311
C&C ASN 39546
C&C CC UA
C&C Channel #jb
Command URL
Command Given .syn
Target IP 213.248.122.152
Target Hostname
Target ASN 1299
Target CC US
Botnet Details
Hostname 195.244.8.148 (195.244.8.148)
TCP Port 1311
First seen 2009-10-28 07:25:04
First tested 2010-03-17 22:40:35
Active True