[nsp-sec] DDOS against .dk-media AS3292
Mike Tancsa
mike at sentex.net
Wed Sep 29 13:26:22 EDT 2010
At 12:52 PM 9/29/2010, Smith, Donald wrote:
>----------- nsp-security Confidential --------
>
>I looked at yesterday's netflow towards those IPs.
>It is a 44-byte spoofed SYN flood towards port 80.
Actually, I looked back yesterday as well and saw the same sort of
stuff. However, in my case it was just backscatter of someone
spoofing my IP addresses from outside my network... Just SYN-ACKs
coming in... (GMT-0400)
StartTime            Flgs  Proto  SrcAddr.Sport     Dir  DstAddr.Dport           TotPkts  TotBytes  State
2010-09-28 06:17:2   Ne    tcp    80.63.11.95.80    ->   199.71.252.54.4333      1        44        SA_
2010-09-28 06:17:5   Ne    tcp    80.63.11.95.80    ->   199.85.118.113.21590    1        44        SA_
2010-09-28 06:17:5   Ne    tcp    80.63.11.95.80    ->   64.7.147.126.36377      1        44        SA_
2010-09-28 06:18:2   e     tcp    80.63.11.95.80    ->   198.73.240.108.32787    1        60        SA_
2010-09-28 06:18:4   e     tcp    80.63.11.95.80    ->   198.73.240.224.19238    1        60        SA_
2010-09-28 06:19:2   Ne    tcp    80.63.11.95.80    ->   67.43.137.144.54213     1        44        SA_
2010-09-28 06:19:4   Ne    tcp    80.63.11.95.80    ->   67.43.133.20.14517      1        44        SA_
2010-09-28 06:21:1   Ne    tcp    80.63.11.95.80    ->   206.51.24.100.9735      1        44        SA_
2010-09-28 06:21:4   Ne    tcp    80.63.11.95.80    ->   98.159.244.40.25124     1        44        SA_
2010-09-28 06:21:5   Ne    tcp    80.63.11.95.80    ->   199.71.252.162.21903    1        44        SA_
2010-09-28 06:22:4   Ne    tcp    80.63.11.95.80    ->   67.43.140.120.43450     1        44        SA_
2010-09-28 06:23:0   e     tcp    80.63.11.95.80    ->   64.7.134.138.57070      1        60        SA_
2010-09-28 06:23:4   Ne    tcp    80.63.11.95.80    ->   206.130.91.77.37117     1        44        SA_
2010-09-28 06:23:4   Ne    tcp    80.63.11.95.80    ->   198.73.181.97.54348     1        44        SA_
2010-09-28 06:23:5   Ne    tcp    80.63.11.95.80    ->   206.130.91.144.24911    1        44        SA_
2010-09-28 06:24:1   Ne    tcp    80.63.11.95.80    ->   199.85.118.77.1925      1        44        SA_
2010-09-28 06:25:4   Ne    tcp    80.63.11.95.80    ->   67.43.137.220.14448     1        44        SA_
2010-09-28 06:26:0   Ne    tcp    80.63.11.95.80    ->   67.43.136.99.35038      1        44        SA_
---Mike
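The two views in this thread, Donald's unanswered 44-byte SYNs toward the victim and Mike's unsolicited SYN-ACKs arriving at his own prefixes, can be told apart mechanically from flow records. The following is an added example and not Mike's or Donald's own tooling: it parses records laid out like the table above (the State column in argus's srcflags_dstflags form, e.g. SA_ meaning the source sent SYN+ACK and nothing came back), flags a target that receives unanswered SYNs from many sources as a SYN-flood victim, and flags a remote host that sends single-packet SYN-ACKs to many of our addresses, none preceded by a SYN of ours, as backscatter. The sample records, the 198.51.100.0/24 prefix treated as "ours" and the thresholds are constructed assumptions.

```python
"""Classify TCP flow records as an unanswered-SYN flood or as backscatter.

Added example for the nsp-security thread, not the posters' own tooling.
Input records follow the column order quoted in the thread:
  StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State
with State as "srcflags_dstflags" (argus style), e.g. "S_" or "SA_".
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DIR_TOKENS = {"->", "<-", "<->", "?>", "<?", "<?>"}

# Constructed sample records (not the thread's data). 80.63.11.95 is the victim
# from the thread; 198.51.100.0/24 is assumed to be "our" address space.
LOCAL_NETS = ["198.51.100.0/24"]
SAMPLE_RECORDS = """\
2010-09-28 06:17:20 Ne tcp 80.63.11.95.80 -> 198.51.100.54.4333 1 44 SA_
2010-09-28 06:17:50 Ne tcp 80.63.11.95.80 -> 198.51.100.113.21590 1 44 SA_
2010-09-28 06:18:20 e tcp 80.63.11.95.80 -> 198.51.100.108.32787 1 60 SA_
2010-09-28 06:19:20 Ne tcp 80.63.11.95.80 -> 198.51.100.144.54213 1 44 SA_
2010-09-28 06:19:25 e tcp 198.51.100.10.40001 -> 80.63.11.95.80 1 60 S_
2010-09-28 06:19:25 e tcp 80.63.11.95.80 -> 198.51.100.10.40001 1 60 SA_
2010-09-28 06:19:30 Ne tcp 203.0.113.7.51000 -> 80.63.11.95.80 1 44 S_
2010-09-28 06:19:31 Ne tcp 203.0.113.8.51001 -> 80.63.11.95.80 1 44 S_
2010-09-28 06:19:32 Ne tcp 203.0.113.9.51002 -> 80.63.11.95.80 1 44 S_
2010-09-28 06:19:33 e tcp 203.0.113.20.51003 -> 80.63.11.95.80 1 60 S_
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    nbytes: int
    src_flags: str  # TCP flags seen from src toward dst
    dst_flags: str  # TCP flags seen from dst toward src


def _addr_port(tok):
    addr, port = tok.rsplit(".", 1)  # "80.63.11.95.80" -> ("80.63.11.95", 80)
    return addr, int(port)


def parse_flow(line):
    # The Flgs column may be blank in real output, so locate the direction
    # token instead of relying on fixed column positions.
    tok = line.split()
    i = next(k for k, t in enumerate(tok) if t in DIR_TOKENS)
    src, sport = _addr_port(tok[i - 1])
    dst, dport = _addr_port(tok[i + 1])
    sflags, _, dflags = tok[i + 4].partition("_")
    return Flow(src, sport, dst, dport, int(tok[i + 2]), int(tok[i + 3]), sflags, dflags)


def syn_only(flags):
    return "S" in flags and "A" not in flags


def syn_ack(flags):
    return "S" in flags and "A" in flags


def classify(lines, local_nets, min_sources=3):
    """Return {'syn_flood': {(dst, dport): ...}, 'backscatter': {(src, sport): ...}}."""
    local = [ip_network(n) for n in local_nets]
    flows = [parse_flow(ln) for ln in lines if ln.strip()]

    def is_local(addr):
        return any(ip_address(addr) in n for n in local)

    # 4-tuples that carried a SYN, and 4-tuples (from the SYN sender's view)
    # that got a SYN-ACK back, so each side can be matched against the other.
    syn_sent = {(f.src, f.sport, f.dst, f.dport) for f in flows if syn_only(f.src_flags)}
    synack_seen = {(f.dst, f.dport, f.src, f.sport) for f in flows if syn_ack(f.src_flags)}
    synack_seen |= {(f.src, f.sport, f.dst, f.dport) for f in flows if syn_ack(f.dst_flags)}

    # SYN flood: many distinct sources sending SYNs that never get answered.
    by_target = defaultdict(list)
    for f in flows:
        if syn_only(f.src_flags) and not f.dst_flags and (f.src, f.sport, f.dst, f.dport) not in synack_seen:
            by_target[(f.dst, f.dport)].append(f)
    syn_flood = {
        t: {"sources": len({f.src for f in fl}), "sizes": dict(Counter(f.nbytes for f in fl))}
        for t, fl in by_target.items() if len({f.src for f in fl}) >= min_sources
    }

    # Backscatter: a remote host answering SYNs we never sent, to many of our addresses.
    by_victim = defaultdict(list)
    for f in flows:
        if (syn_ack(f.src_flags) and not f.dst_flags and is_local(f.dst)
                and (f.dst, f.dport, f.src, f.sport) not in syn_sent):
            by_victim[(f.src, f.sport)].append(f)
    backscatter = {
        v: {"targets": len({f.dst for f in fl}), "sizes": dict(Counter(f.nbytes for f in fl))}
        for v, fl in by_victim.items() if len({f.dst for f in fl}) >= min_sources
    }
    return {"syn_flood": syn_flood, "backscatter": backscatter}


if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS.splitlines(), LOCAL_NETS))
```

Flow records alone cannot prove that the SYN sources are spoofed; the evidence for that in the thread is Donald's observation that packets from 80.63.11.95 appeared on interfaces that traffic toward it never traverses. The backscatter branch only ever sees the fraction of the spoofed source space that happens to be yours.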
>Packets FROM 80.63.11.95 were seen on interfaces that packets
>towards that IP were not traversing (spoofed).
>Several hosts sent resets towards that IP (again spoofed).
>Actual spoofed packets seen were 44 bytes in length.
>
>If they block 44-byte SYNs towards the victims they MAY drop some
>legit traffic but that should relieve most of their pain.
>
>Feel free to share this with the victims.
>
>
>(coffee != sleep) & (!coffee == sleep)
>Donald.Smith at qwest.com gcia
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > Christoph Sprongl
> > Sent: Wednesday, September 29, 2010 12:08 AM
> > To: nsp-security at puck.nether.net
> > Subject: Re: [nsp-sec] DDOS against .dk-media AS3292
> >
> > ----------- nsp-security Confidential --------
> >
> > sorry, forgot to include AS.. :-(
> >
> > 80.63.11.74 AS3292
> > 80.63.11.95 AS3292
> >
> > ch
> >
> >
> > > Hi all,
> > >
> > > Peter, a well-known security guy, sent a request for help regarding a
> > > .dk-media DDoS.
> > > If someone can support him I would appreciate it :-)
> > >
> > > christoph
> > >
> > >
> > >> Several Danish media sites are targeted with a DDoS attack.
> > >>
> > >> Have any of you observed DDoS activities against IP 80.63.11.95 or
> > >> 80.63.11.74?
> > >>
> > >> The servers are getting hammered with HTTP requests.
> > >>
> > >> A Wireshark dump is attached.
> > >>
> > >> Thanks.
> > >>
> > >> Med venlig hilsen // Kind Regards
> > >>
> > >>
> > >> Peter Kruse
> > >> Partner and Securityspecialist
> > >> CSIS Security Group A/S
> > >> http://www.csis.dk
> > >>
> > >> Vestergade 14 * 8660 Skanderborg * Denmark
> > >> Tel.: +45 8813 6030 * Mobile: +45 2849 0532
> > >> Fax: +45 2817 6030 * Email: pkr at csis.dk
> > >>
> > >> Key-ID: 0x49006F37
> > >>
> > >> Fingerprint: 6675 058F A96F 23A4
> > >> 7940 0ABA 3C89 2413 FC8C 901E
> > >
> > >
> >
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the
> > nsp-security
> > community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > _______________________________________________
> >
>
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
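Donald's suggested mitigation is to filter 44-byte SYNs toward the victims and accept some collateral. What that match actually covers, as an added example that is not from the thread: an IPv4 total length of 44 is a 20-byte IP header, a 20-byte TCP header and a single 4-byte MSS option, so the rule catches the spoofed SYNs but also any legitimate client whose stack sends no other options, while a SYN carrying SACK-permitted, timestamps and window scaling is 60 bytes and passes. The packets, addresses and the hypothetical victim set below are constructed.

```python
"""Packet-level view of the proposed "drop 44-byte SYNs toward the victims" filter.

Added example, not the thread's own configuration. Packets are IPv4+TCP
header-only (no link layer), built with struct and checksums left at zero,
which is fine for matching.
"""
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
VICTIMS = {"80.63.11.95", "80.63.11.74"}  # the two addresses named in the thread


def build_ipv4_tcp(src, dst, sport, dport, flags, options=b""):
    """Construct an IPv4 header followed by a TCP header with the given options."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      ((tcp_len // 4) << 12) | flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Return the fields the filter needs, or None if not a well-formed IPv4/TCP packet."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if len(packet) < ihl + 20 or total_len > len(packet):
        return None
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {"total_len": total_len, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": off_flags & 0x1FF}


def drop_44byte_syn(packet, victims, dport=80):
    """The decision the proposed ACL makes: drop SYN-only, 44-byte-total-length segments toward a victim."""
    p = parse_ipv4_tcp(packet)
    if p is None:
        return False
    return p["dst"] in victims and p["dport"] == dport and p["flags"] == SYN and p["total_len"] == 44


# Constructed option sets: MSS only (4 bytes) versus MSS + SACK-permitted +
# timestamps + NOP + window scale (20 bytes), which is what most modern stacks send.
MSS_1460 = b"\x02\x04\x05\xb4"
FULL_OPTS = MSS_1460 + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"

SAMPLES = {
    "spoofed_syn": build_ipv4_tcp("203.0.113.7", "80.63.11.95", 51000, 80, SYN, MSS_1460),
    "modern_client_syn": build_ipv4_tcp("203.0.113.8", "80.63.11.95", 51001, 80, SYN, FULL_OPTS),
    "minimal_legit_syn": build_ipv4_tcp("198.51.100.5", "80.63.11.95", 51002, 80, SYN, MSS_1460),
    "backscatter_synack": build_ipv4_tcp("80.63.11.95", "198.51.100.54", 80, 4333, SYN | ACK, MSS_1460),
    "reset": build_ipv4_tcp("198.51.100.9", "80.63.11.95", 51003, 80, RST),
    "other_host": build_ipv4_tcp("203.0.113.9", "80.63.11.200", 51004, 80, SYN, MSS_1460),
}


def decisions():
    """Map each sample name to True if the filter would drop it."""
    return {name: drop_44byte_syn(pkt, VICTIMS) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, dropped in decisions().items():
        print(f"{name:20s} {len(SAMPLES[name]):3d} bytes  {'DROP' if dropped else 'pass'}")
```

The "minimal_legit_syn" case is the collateral Donald warns about: it is indistinguishable from a spoofed SYN on length and flags alone, so the filter should be scoped to the victim addresses and lifted once the flood stops.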