[nsp-sec] DDOS against .dk-media AS3292

Christoph Sprongl ch at it-austria.net
Wed Sep 29 13:55:53 EDT 2010


Thx! Attached the data I got so far from the victim.

Attack @3292

ch


> I looked at yesterday's netflow towards those IPs.
> It is a 44 byte spoofed SYN flood towards port 80.
>
> Packets FROM 80.63.11.95 were seen on interfaces that packets towards that
> IP were not traversing (spoofed).
> Several hosts sent resets towards that IP (again spoofed).
> Actual spoofed packets seen were 44 bytes in length.
>
> If they block 44-byte SYNs towards the victims they MAY drop some legit
> traffic but that should relieve most of their pain.
>
> Feel free to share this with the victims.
>
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Christoph Sprongl
>> Sent: Wednesday, September 29, 2010 12:08 AM
>> To: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] DDOS against .dk-media AS3292
>>
>> ----------- nsp-security Confidential --------
>>
>> Sorry, forgot to include AS.. :-(
>>
>> 80.63.11.74 AS3292
>> 80.63.11.95 AS3292
>>
>> ch
>>
>>
>> > Hi all,
>> >
>> > Peter, a well-known security guy, sent a request for help regarding a
>> > .dk-media DDOS.
>> > If someone can support him I would appreciate it :-)
>> >
>> > christoph
>> >
>> >
>> >> Several Danish media sites are targeted with a DDoS attack.
>> >>
>> >> Have any of you observed DDoS activities against IP 80.63.11.95 or
>> >> 80.63.11.74?
>> >>
>> >> The servers are getting hammered with HTTP requests.
>> >>
>> >> A Wireshark dump is attached.
>> >>
>> >> Thanks.
>> >>
>> >> Med venlig hilsen // Kind Regards
>> >>
>> >>
>> >> Peter Kruse
>> >> Partner and Securityspecialist
>> >> CSIS Security Group A/S
>> >> http://www.csis.dk
>> >>
>> >> Vestergade 14 * 8660 Skanderborg * Denmark
>> >> Tel.: +45 8813 6030 * Mobile: +45 2849 0532
>> >> Fax: +45 2817 6030 * Email: pkr at csis.dk
>> >>
>> >> Key-ID: 0x49006F37
>> >>
>> >> Fingerprint: 6675 058F A96F 23A4
>> >> 7940  0ABA 3C89 2413 FC8C 901E
>> >
>> >
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ddos_dk-media_output.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20100929/4ce94a80/attachment-0001.txt>
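
The filter suggested in the quoted reply (drop 44-byte SYNs towards port 80), as an added example that is not part of the original thread: a matcher over raw IPv4 packets, run on constructed samples. It assumes 44 bytes means a 20-byte IP header, a 20-byte TCP header and a 4-byte MSS option; the function names, sample packets and documentation addresses are hypothetical.

```python
import socket
import struct

def build_tcp(src, dst, dport, flags, options=b""):
    """Build a constructed IPv4/TCP packet (zero checksums, for analysis only)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0,
                      ((20 + len(options)) // 4) << 4, flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def is_44_byte_syn(pkt, dport=80):
    """True if pkt is an IPv4 packet of total length 44 with only SYN set, to dport."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return False                       # not IPv4 or not TCP
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20:
        return False                       # truncated or malformed
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp_dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    flags = pkt[ihl + 13] & 0x3F           # URG/ACK/PSH/RST/SYN/FIN bits
    return total_len == 44 and tcp_dport == dport and flags == 0x02

# TCP option sets (constructed): MSS only, and MSS + SACK-permitted +
# timestamps + NOP + window scale (20 option bytes).
MSS_ONLY = b"\x02\x04\x05\xb4"
FULL_OPTS = MSS_ONLY + b"\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07"

SRC, DST = "198.51.100.7", "192.0.2.10"    # documentation addresses
SAMPLES = {
    "bare_syn_80": build_tcp(SRC, DST, 80, 0x02, MSS_ONLY),    # 44 bytes
    "rich_syn_80": build_tcp(SRC, DST, 80, 0x02, FULL_OPTS),   # 60 bytes
    "synack_44": build_tcp(SRC, DST, 80, 0x12, MSS_ONLY),      # SYN+ACK
    "ack_80": build_tcp(SRC, DST, 80, 0x10),                   # 40 bytes
    "bare_syn_443": build_tcp(SRC, DST, 443, 0x02, MSS_ONLY),  # other port
}

def matched(samples=SAMPLES):
    """Names of the sample packets the filter would drop."""
    return sorted(name for name, pkt in samples.items() if is_44_byte_syn(pkt))

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} len={len(pkt):2d} drop={is_44_byte_syn(pkt)}")
```

The match is on size and flags only, so a real client whose SYN carries nothing but an MSS option is also 44 bytes and is dropped with the flood, which is the "MAY drop some legit traffic" caveat in the reply.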

