[nsp-sec] fossil.com HTTP DDos
Lawrence Baldwin
baldwinl at mynetwatchman.com
Tue Nov 30 17:23:32 EST 2010
50,000 PPS of HTTP traffic like this from a couple hundred bots all over
the place:
[30/Nov/2010:06:26:30 --0600] TPTtdgoeTkoADpCcimkAAAAJ 131.103.137.114
--00001eb9-B--
GET /en_US/shop/men.html?N=0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.0
Cookie: JSESSIONID=0000E9AuAIkPNidgDvSAwc2xduw:12i7hr07p; WC_PERSISTEN
X-BlueCoat-Via: 5F7C36A236599B5A
True-Client-IP: 86.96.226.85
Pragma: no-cache
X-Akamai-CONFIG-LOG-DETAIL: true
TE: chunked;q=1.0
Connection: TE, keep-alive
Accept-Encoding: gzip
Akamai-Origin-Hop: 2
Via: 1.1 v1-akamaitech.net(ghost) (AkamaiGHost), 1.1 akamai.net(ghost)
X-Forwarded-For: 217.165.162.86, 86.96.226.85, 88.221.217.151
Host: www.fossil.com
Cache-Control: no-cache, max-age=0
Target IP above is: 131.103.137.114 which is Akamai (on NTT)
Bot IP: 86.96.226.85
[Querying whois.pwhois.org]
[whois.pwhois.org]
IP: 86.96.226.85
Origin-AS: 5384
Prefix: 86.96.226.0/24
AS-Path: 6939 8966 5384
AS-Org-Name: Emirates Internet
Org-Name: Emirates Telecommunications Corporation
Net-Name: EMIRNET-EMIRNET
Cache-Date: 1291092186
Latitude: 25.230000
Longitude: 55.280000
City: DUBAI
Region: DUBAI
Country: UNITED ARAB EMIRATES
I'm working on a full list of IPs...
Anyone seeing this? Possible C&C?
--
Lawrence Baldwin
Chief Forensics Officer/
Cybercrime Investigator
myNetWatchman.com
Atlanta, GA
+1.678.624.0924
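To build the per-bot hit list the post says is in progress, the following is an added example (not the author's code) that pulls the originating IP from each Akamai-fronted request the way the post does: it prefers True-Client-IP, which the CDN edge sets from its TCP peer, and treats the leading X-Forwarded-For entries as untrusted (the X-BlueCoat-Via header shows a proxy in front of this bot). The cdn_nets prefix list is an assumed operator-supplied input, not something in the post.

```python
from collections import Counter
import ipaddress

# Constructed sample: the headers of the one request quoted in the post.
SAMPLE = """GET /en_US/shop/men.html?N=0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.0
X-BlueCoat-Via: 5F7C36A236599B5A
True-Client-IP: 86.96.226.85
Via: 1.1 v1-akamaitech.net(ghost) (AkamaiGHost), 1.1 akamai.net(ghost)
X-Forwarded-For: 217.165.162.86, 86.96.226.85, 88.221.217.151
Host: www.fossil.com
"""

def parse_headers(raw):
    """Map lower-cased header names to values; the request line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def origin_ip(raw, cdn_nets=()):
    """Return the IP that actually connected to the CDN edge, or None.

    True-Client-IP is set by the CDN from the edge's TCP peer, so it wins.
    X-Forwarded-For grows hop by hop: leftmost entries come from the client
    or proxies in front of it and can be anything; rightmost entries are the
    CDN's own nodes. Fallback: walk it from the right and take the first
    address outside cdn_nets (assumed: the CDN's prefixes, supplied by the
    operator; with an empty list the CDN node itself is returned).
    """
    h = parse_headers(raw)
    tcip = h.get("true-client-ip", "")
    if valid_ip(tcip):
        return tcip
    nets = [ipaddress.ip_network(n) for n in cdn_nets]
    for hop in reversed(h.get("x-forwarded-for", "").split(",")):
        hop = hop.strip()
        if valid_ip(hop) and not any(ipaddress.ip_address(hop) in n for n in nets):
            return hop
    return None

def tally(records, cdn_nets=()):
    """Hits per originating IP over many audit records: the bot list."""
    return Counter(ip for ip in (origin_ip(r, cdn_nets) for r in records) if ip)
```

Feed `tally` the request sections of the audit log and sort the result to get the per-bot hit counts for the abuse reports.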