[nsp-sec] fossil.com HTTP DDos
Rob Thomas
robt at cymru.com
Tue Nov 30 18:22:05 EST 2010
Hey, Lawrence.

> Target IP above is: 131.103.137.114 which is Akamai (on NTT)

Bupkes on this one.

> Bot IP: 86.96.226.85

86.96.226.85 is a Squid 2.5.STABLE14 proxy with a lot of badness behind
it. We see a lot of HTTP bots behind it, for example. There are
connections to a great many HTTP C&Cs, so it's not clear which one (if
any) might be the one behind the attack on 131.103.137.114.

We do see one curious DNS RR pointed to 86.96.226.85, though it's
probably not related to the DDoS.

failaso0of.no-ip.org

Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
We just launched our new Training Practice, see
<https://www.team-cymru.com/Services/Training/>