[nsp-sec] DDOS against .dk-media AS3292

Smith, Donald Donald.Smith at qwest.com
Wed Sep 29 12:52:22 EDT 2010


I looked at yesterday's netflow towards those ips.
It is a 44 byte spoofed syn flood towards port 80.

Packets FROM 80.63.11.95 were seen on interfaces that packets towards that IP were not traversing (spoofed).
Several hosts sent resets towards that ip (again spoofed).
Actual spoofed packets seen were 44 bytes in length.

If they block 44-byte syns towards the victims they MAY drop some legit traffic but that should relieve most of their pain.

Feel free to share this with the victims.


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Christoph Sprongl
> Sent: Wednesday, September 29, 2010 12:08 AM
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] DDOS against .dk-media AS3292
>
> ----------- nsp-security Confidential --------
>
> sorry, forgot to include AS.. :-(
>
> 80.63.11.74 AS3292
> 80.63.11.95 AS3292
>
> ch
>
>
> > Hi all,
> >
> > Peter, a well-known security guy, sent a request for help regarding a
> > .dk-media DDOS.
> > If someone can support him I would appreciate it :-)
> >
> > christoph
> >
> >
> >> Several Danish media sites are targeted with a DDoS attack.
> >>
> >> Have any of you observed DDoS activities against IP 80.63.11.95 or
> >> 80.63.11.74?
> >>
> >> The servers are getting hammered with HTTP requests.
> >>
> >> A Wireshark dump is attached.
> >>
> >> Thanks.
> >>
> >> Med venlig hilsen // Kind Regards
> >>
> >>
> >> Peter Kruse
> >> Partner and Securityspecialist
> >> CSIS Security Group A/S
> >> http://www.csis.dk
> >>
> >> Vestergade 14 * 8660 Skanderborg * Denmark
> >> Tel.: +45 8813 6030 * Mobile: +45 2849 0532
> >> Fax: +45 2817 6030 * Email: pkr at csis.dk
> >>
> >> Key-ID: 0x49006F37
> >>
> >> Fingerprint: 6675 058F A96F 23A4
> >> 7940  0ABA 3C89 2413 FC8C 901E
> >
> >
>
>
>
>
>
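
[Added example, not part of the original message or of any poster's tooling.] A sketch of the flow triage described in the reply above: count SYN-only packets to the victims' port 80 that average exactly 44 bytes, and flag flows that claim a victim source address but enter on an interface that traffic toward that victim does not leave through. The record layout, interface indexes and all flow rows are constructed for illustration; only the two victim addresses, port 80 and the 44-byte size come from the thread.

```python
from collections import namedtuple

# Assumed record layout (constructed); flags are the OR of TCP flags in the flow.
Flow = namedtuple("Flow", "in_if out_if src dst dport flags pkts octets")
VICTIMS = {"80.63.11.95", "80.63.11.74"}   # addresses named in the thread
SYN = 0x02

# Constructed sample flows, not data from the incident.
FLOWS = [
    Flow(1, 9, "198.51.100.7", "80.63.11.95", 80, SYN, 1200, 52800),   # 44-byte SYNs
    Flow(2, 9, "203.0.113.9", "80.63.11.74", 80, SYN, 800, 35200),     # 44-byte SYNs
    Flow(2, 9, "192.0.2.50", "80.63.11.95", 80, SYN, 3, 180),          # 60-byte SYNs
    Flow(1, 9, "192.0.2.44", "80.63.11.95", 80, 0x1B, 12, 5400),       # full session
    Flow(9, 1, "80.63.11.95", "192.0.2.44", 51000, 0x1B, 10, 9000),    # real reply
    Flow(3, 5, "80.63.11.95", "192.0.2.200", 6667, SYN, 500, 22000),   # wrong ingress
]

def is_flood_syn(f, size=44):
    """SYN-only flow to a victim's port 80 whose packets average `size` bytes."""
    return (f.dst in VICTIMS and f.dport == 80 and f.flags == SYN
            and f.octets == size * f.pkts)

def spoofed_victim_sources(flows):
    """Flows with a victim source that arrive on an interface which traffic
    toward that victim is never routed out of."""
    toward = {}
    for f in flows:
        if f.dst in VICTIMS:
            toward.setdefault(f.dst, set()).add(f.out_if)
    # Only judge sources for which we have seen the forward path.
    return [f for f in flows
            if f.src in toward and f.in_if not in toward[f.src]]

def triage(flows):
    """Summarise what a 44-byte SYN filter would match and the spoof evidence."""
    syn_only = [f for f in flows
                if f.dst in VICTIMS and f.dport == 80 and f.flags == SYN]
    total = sum(f.pkts for f in syn_only)
    matched = sum(f.pkts for f in syn_only if is_flood_syn(f))
    return {"syn_pkts": total, "matched_44": matched,
            "unmatched": total - matched,
            "spoofed_src": [(f.src, f.in_if)
                            for f in spoofed_victim_sources(flows)]}

if __name__ == "__main__":
    print(triage(FLOWS))
```

Flow data cannot separate a legitimate client whose SYN happens to be 44 bytes from the flood, which is the collateral the reply warns about, and asymmetric routing can produce an ingress mismatch without spoofing.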
