[nsp-sec] DDOS against .dk-media AS3292

Rob Thomas robt at cymru.com
Wed Sep 29 14:15:35 EDT 2010


Hi, Christoph.

I also see the backscatter from some TCP SYN floods, but nothing tied to
those domains.  Sorry.  :(

Thanks,
Rob.


On 9/29/10 12:55 PM, Christoph Sprongl wrote:
> Thx! Attached is the data I got so far from the victim.
> 
> Attack @3292
> 80.63.11.95
> vejleamtsfolkeblad.dk
> www.vejleamtsfolkeblad.dk
> fredericiadagblad.dk
> 80.63.11.74
> fmweb4.fynskemedier.dk
> fredericia-avis.dk
> livebook.dk
> trekantens-folkeblad.dk
> webcity.dk
> *.livebook.dk
> 
> ch
> 
> 
>> I looked at yesterday's NetFlow towards those IPs.
>> It is a 44-byte spoofed SYN flood towards port 80.
>>
>> Packets FROM 80.63.11.95 were seen on interfaces that packets towards that
>> IP were not traversing (spoofed).
>> Several hosts sent resets towards that IP (again spoofed).
>> Actual spoofed packets seen were 44 bytes in length.
>>
>> If they block 44-byte SYNs towards the victims they MAY drop some legit
>> traffic but that should relieve most of their pain.
>>
>> Feel free to share this with the victims.
>>
>>
>> (coffee != sleep) & (!coffee == sleep)
>> Donald.Smith at qwest.com gcia
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net
>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>>> Christoph Sprongl
>>> Sent: Wednesday, September 29, 2010 12:08 AM
>>> To: nsp-security at puck.nether.net
>>> Subject: Re: [nsp-sec] DDOS against .dk-media AS3292
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> Sorry, forgot to include the AS.. :-(
>>>
>>> 80.63.11.74 AS3292
>>> 80.63.11.95 AS3292
>>>
>>> ch
>>>
>>>
>>>> Hi all,
>>>>
>>>> Peter, a well-known security guy, sent a request for help regarding a
>>>> .dk-media DDoS.
>>>> If someone can support him I would appreciate it :-)
>>>>
>>>> christoph
>>>>
>>>>
>>>>> Several Danish media sites are targeted with a DDoS attack.
>>>>>
>>>>> Have any of you observed DDoS activities against IP 80.63.11.95 or
>>>>> 80.63.11.74?
>>>>>
>>>>> The servers are getting hammered with HTTP requests.
>>>>>
>>>>> A Wireshark dump is attached.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Med venlig hilsen // Kind Regards
>>>>>
>>>>>
>>>>> Peter Kruse
>>>>> Partner and Security Specialist
>>>>> CSIS Security Group A/S
>>>>> http://www.csis.dk
>>>>>
>>>>> Vestergade 14 * 8660 Skanderborg * Denmark
>>>>> Tel.: +45 8813 6030 * Mobile: +45 2849 0532
>>>>> Fax: +45 2817 6030 * Email: pkr at csis.dk
>>>>>
>>>>> Key-ID: 0x49006F37
>>>>>
>>>>> Fingerprint: 6675 058F A96F 23A4
>>>>> 7940  0ABA 3C89 2413 FC8C 901E
>>>>
>>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the
>>> nsp-security
>>> community. Confidentiality is essential for effective
>>> Internet security counter-measures.
>>> _______________________________________________
>>>
>>

-- 
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
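The NetFlow reasoning quoted above (bare 44-byte SYNs to port 80, packets "from" the victim arriving on interfaces that never carry traffic toward it, and RST backscatter from hosts that received SYNs with the victim's address forged as source) can be turned into a small triage script. The following is an added example, not code from the thread or from any of the posters: the flow records are constructed, the record layout (a NetFlow-v5-like tuple of source, destination, destination port, protocol, TCP flags, packets, bytes, input and output ifindex) is an assumption, and only the victim address 80.63.11.95 comes from the thread. The last function renders Donald's suggested stop-gap as an iptables rule, which is my rendering, not something the thread states.

```python
"""Triage heuristics for the spoofed 44-byte SYN flood discussed in the thread.

Added example, not code from the thread or its posters.  The flow records
are constructed, the Flow layout is an assumption modelled loosely on
NetFlow v5 fields, and 80.63.11.95 is the victim address named in the thread.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto flags pkts bytes in_if out_if")

VICTIM = "80.63.11.95"
TCP = 6
SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed sample records (not data from the incident).
FLOWS = [
    # single-packet, 44-byte SYNs to port 80 from scattered sources: the flood
    Flow("203.0.113.7",   VICTIM, 80, TCP, SYN,     1, 44, 3, 1),
    Flow("198.51.100.9",  VICTIM, 80, TCP, SYN,     1, 44, 3, 1),
    Flow("192.0.2.200",   VICTIM, 80, TCP, SYN,     1, 44, 2, 1),
    # a real client: many packets, ACKs present, normal sizes
    Flow("192.0.2.10",    VICTIM, 80, TCP, SYN | ACK, 12, 5800, 2, 1),
    # packets claiming to come FROM the victim, entering on ifindex 3,
    # although everything forwarded TOWARD the victim leaves on ifindex 1
    Flow(VICTIM, "198.51.100.50", 80, TCP, SYN, 1, 44, 3, 2),
    # a genuine reply from the victim enters on ifindex 1 as expected
    Flow(VICTIM, "192.0.2.10", 51000, TCP, ACK, 10, 9000, 1, 2),
    # resets aimed at the victim: backscatter from hosts that were sent
    # SYNs carrying the victim's forged source address
    Flow("198.51.100.50", VICTIM, 43210, TCP, RST | ACK, 1, 40, 2, 1),
    Flow("203.0.113.99",  VICTIM, 51234, TCP, RST | ACK, 1, 40, 3, 1),
]


def flood_syns(flows, victim=VICTIM, port=80, size=44):
    """Sources of SYN-only flows to victim:port averaging `size` bytes/packet.

    44 bytes = 20-byte IPv4 header + 20-byte TCP header + 4-byte MSS option,
    the bare SYN that most flood tools emit."""
    return [f.src for f in flows
            if f.dst == victim and f.proto == TCP and f.dport == port
            and f.flags == SYN and f.pkts and f.bytes // f.pkts == size]


def spoofed_victim_flows(flows, victim=VICTIM):
    """Flows with src == victim that arrived on an interface never used to
    reach the victim.  A real packet from the victim must come back over an
    interface on the forward path to it (the uRPF idea); anything else is
    carrying a forged source address."""
    forward_ifs = {f.out_if for f in flows if f.dst == victim}
    return [f for f in flows if f.src == victim and f.in_if not in forward_ifs]


def backscatter_sources(flows, victim=VICTIM):
    """Distinct hosts sending RSTs to the victim: replies to SYNs that carried
    the victim's address as a spoofed source."""
    return sorted({f.src for f in flows
                   if f.dst == victim and f.proto == TCP and f.flags & RST})


def triage(flows, victim=VICTIM):
    """Summarise the three indicators in one dict."""
    syns = flood_syns(flows, victim)
    return {
        "flood_syn_count": len(syns),
        "flood_syn_sources": len(set(syns)),
        "spoofed_victim_flows": len(spoofed_victim_flows(flows, victim)),
        "backscatter_hosts": backscatter_sources(flows, victim),
    }


def mitigation_rule(victim=VICTIM, port=80, size=44):
    """iptables form of the suggested stop-gap: drop bare SYNs whose IP total
    length is exactly `size` bytes, aimed at the victim's web port.  As the
    thread notes, some legitimate clients send 44-byte SYNs too, so this
    trades a little collateral loss for relief; it is not a long-term fix."""
    return (f"iptables -A INPUT -d {victim} -p tcp --dport {port} --syn "
            f"-m length --length {size} -j DROP")


if __name__ == "__main__":
    for key, value in triage(FLOWS).items():
        print(f"{key}: {value}")
    print(mitigation_rule())
```

On the constructed data the script reports three 44-byte flood SYNs, one flow forging the victim's address on the wrong interface, and two backscatter hosts; on real exports you would feed it the flows for the victim prefix and let the interface set be built from several hours of traffic so a legitimate secondary path is not mistaken for spoofing.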