[nsp-sec] 1Mpps UDP/53 attack against AS1741

Pekka Savola pekkas at netcore.fi
Fri Nov 26 10:41:42 EST 2010 

Hello,

Today we got two about 0.5 hour ~1Mpps UDP/53 38-43B attacks which 
were almost exclusively directed at our and our customer's router 
backbone IPs (130.233.231.226, 109.105.102.66). The main target 
appears to have been a system at customer site.  The attack itself did 
not have noticeable impact on infrastructure.

In case the IP owners want to check the source IPs, these are below. 
Each contributed over 10M packets, the biggest 131.2M packets.

These could have been spoofed, but at least not randomly, given the 
low number of source IPs. In the info column, the time is UTC (the 
starting time) and the last number is the number of packets.

AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | Info                            | AS Name
27      | 129.2.124.14     | 129.2.0.0/16        | US | arin     | 1988-03-09 | 2010-11-26 08:01:49.874 14.6 M | UMDNET - University of Maryland at College Park
27      | 129.2.124.18     | 129.2.0.0/16        | US | arin     | 1988-03-09 | 2010-11-26 08:07:26.593 22.9 M | UMDNET - University of Maryland at College Park
2497    | 219.111.20.197   | 219.111.0.0/17      | JP | apnic    | 2002-03-07 | 2010-11-26 07:30:27.324 16.7 M | IIJ Internet Initiative Japan Inc.
3265    | 82.94.213.187    | 82.92.0.0/14        | NL | ripencc  | 2003-11-25 | 2010-11-26 07:30:26.429 40.5 M | XS4ALL-NL XS4ALL
8685    | 212.58.8.120     | 212.58.0.0/19       | TR | ripencc  | 1998-03-11 | 2010-11-26 07:30:26.415 82.1 M | DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.
12127   | 190.57.64.22     | 190.57.64.0/20      | SV | lacnic   | 2006-05-10 | 2010-11-26 07:30:26.672 131.2 M | Telefonica Moviles El Salvador S.A. de C.V.
14618   | 184.73.63.85     | 184.73.0.0/16       | US | arin     | 2010-01-26 | 2010-11-26 07:30:26.511 40.0 M | AMAZON-AES - Amazon.com, Inc.
15440   | 77.241.199.130   | 77.241.192.0/20     | LT | ripencc  | 2007-02-14 | 2010-11-26 07:30:26.946 14.1 M | AS15440 Baltnetos komunikacijos Autonomous System
15440   | 77.241.199.153   | 77.241.192.0/20     | LT | ripencc  | 2007-02-14 | 2010-11-26 07:30:26.901 10.3 M | AS15440 Baltnetos komunikacijos Autonomous System
15440   | 77.241.199.164   | 77.241.192.0/20     | LT | ripencc  | 2007-02-14 | 2010-11-26 07:30:26.986 54.3 M | AS15440 Baltnetos komunikacijos Autonomous System
16371   | 77.240.118.46    | 77.240.112.0/20     | ES | ripencc  | 2007-01-11 | 2010-11-26 07:30:26.949 106.4 M | ACENS_AS acens technologies
18779   | 205.185.126.153  | 205.185.112.0/20    | CA | arin     | 2010-09-03 | 2010-11-26 07:30:27.325 58.0 M | EGIHOSTING - EGIHosting
30968   | 77.221.155.130   | 77.221.128.0/19     | RU | ripencc  | 2007-03-30 | 2010-11-26 07:30:26.455 72.3 M | INFOBOX-AS Infobox.ru Autonomous System
35332   | 77.242.123.50    | 77.242.112.0/20     | NL | ripencc  | 2007-03-01 | 2010-11-26 07:30:26.467 15.8 M | DATAWEB DataWeb B.V. - The Netherlands
39582   | 89.106.2.250     | 89.106.0.0/19       | TR | ripencc  | 2006-03-21 | 2010-11-26 07:30:27.037 117.3 M | GRID Grid Bilisim Teknolojileri A.S.

More information about the nsp-security mailing list