[nsp-sec] DDOS against .dk-media AS3292

Smith, Donald Donald.Smith at qwest.com
Wed Sep 29 16:19:28 EDT 2010


The ID field is fixed (257) for the packets I looked at in the pcap.
So if they have something that can drop based on the IP ID field, that should relieve their pain completely :)
If any router vendors are listening, ACLs / filters that allow you to filter on fields that are often fixed in flooding tools would be a REALLY GOOD IDEA :)


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia

> -----Original Message-----
> From: Christoph Sprongl [mailto:ch at it-austria.net]
> Sent: Wednesday, September 29, 2010 11:56 AM
> To: Smith, Donald; robt at cymru.com
> Cc: nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] DDOS against .dk-media AS3292
>
> Thx! Attached is the data I got so far from the victim.
>
> Attack @3292
> 80.63.11.95
> vejleamtsfolkeblad.dk
> www.vejleamtsfolkeblad.dk
> fredericiadagblad.dk
> 80.63.11.74
> fmweb4.fynskemedier.dk
> fredericia-avis.dk
> livebook.dk
> trekantens-folkeblad.dk
> webcity.dk
> *.livebook.dk
>
> ch
>
>
> > I looked at yesterday's netflow towards those IPs.
> > It is a 44-byte spoofed SYN flood towards port 80.
> >
> > Packets FROM 80.63.11.95 were seen on interfaces that packets towards that
> > IP were not traversing (spoofed).
> > Several hosts sent resets towards that IP (again spoofed).
> > Actual spoofed packets seen were 44 bytes in length.
> >
> > If they block 44-byte SYNs towards the victims they MAY drop some legit
> > traffic but that should relieve most of their pain.
> >
> > Feel free to share this with the victims.
> >
> >
> > (coffee != sleep) & (!coffee == sleep)
> > Donald.Smith at qwest.com gcia
> >
> >> -----Original Message-----
> >> From: nsp-security-bounces at puck.nether.net
> >> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> >> Christoph Sprongl
> >> Sent: Wednesday, September 29, 2010 12:08 AM
> >> To: nsp-security at puck.nether.net
> >> Subject: Re: [nsp-sec] DDOS against .dk-media AS3292
> >>
> >> ----------- nsp-security Confidential --------
> >>
> >> sorry, forgot to include the AS.. :-(
> >>
> >> 80.63.11.74 AS3292
> >> 80.63.11.95 AS3292
> >>
> >> ch
> >>
> >>
> >> > Hi all,
> >> >
> >> > Peter, a well-known security guy, sent a request for help regarding a
> >> > .dk-media DDOS.
> >> > If someone can support him I would appreciate it :-)
> >> >
> >> > christoph
> >> >
> >> >
> >> >> Several Danish media sites are targeted with a DDoS attack.
> >> >>
> >> >> Have any of you observed DDoS activities against IP 80.63.11.95 or
> >> >> 80.63.11.74?
> >> >>
> >> >> The servers are getting hammered with HTTP requests.
> >> >>
> >> >> A Wireshark dump is attached.
> >> >>
> >> >> Thanks.
> >> >>
> >> >> Med venlig hilsen // Kind Regards
> >> >>
> >> >>
> >> >> Peter Kruse
> >> >> Partner and Security Specialist
> >> >> CSIS Security Group A/S
> >> >> http://www.csis.dk
> >> >>
> >> >> Vestergade 14 * 8660 Skanderborg * Denmark
> >> >> Tel.: +45 8813 6030 * Mobile: +45 2849 0532
> >> >> Fax: +45 2817 6030 * Email: pkr at csis.dk
> >> >>
> >> >> Key-ID: 0x49006F37
> >> >>
> >> >> Fingerprint: 6675 058F A96F 23A4
> >> >> 7940  0ABA 3C89 2413 FC8C 901E
> >> >
> >> >
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the
> >> nsp-security
> >> community. Confidentiality is essential for effective
> >> Internet security counter-measures.
> >> _______________________________________________
> >>
> >
> > This communication is the property of Qwest and may contain
> confidential
> > or
> > privileged information. Unauthorized use of this
> communication is strictly
> > prohibited and may be unlawful.  If you have received this
> communication
> > in error, please immediately notify the sender by reply
> e-mail and destroy
> > all copies of the communication and any attachments.
> >
> >
>

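The flood signature worked out in this thread (44-byte SYN-only packets to port 80 with the IP ID fixed at 257), turned into a small packet classifier a defender could run over a capture. This is an added example, not code from the thread or from any of its participants; it assumes the 44 bytes is the IPv4 total length (20-byte IP header plus a 24-byte TCP header), and the sample capture is constructed, using 80.63.11.95 from the thread and documentation addresses for the other hosts.

```python
import struct

# Flood signature as reported in the thread: 44-byte packets (assumption: this is the
# IPv4 total length, 20-byte IP header + 24-byte TCP header), IP ID fixed at 257,
# SYN flag only, destination port 80.
FLOOD_TOTAL_LEN, FLOOD_IP_ID, FLOOD_DST_PORT = 44, 257, 80
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt):
    """Decode the fields the signature needs from a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    if pkt[9] != 6 or len(pkt) < ihl + 14:          # not TCP, or truncated header
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"total_len": total_len, "ip_id": ip_id, "sport": sport, "dport": dport,
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "flags": pkt[ihl + 13]}

def is_flood_packet(pkt):
    """True only when every field matches the reported flood signature."""
    h = parse_ipv4_tcp(pkt)
    if h is None:
        return False
    syn_only = (h["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return (h["total_len"] == FLOOD_TOTAL_LEN and h["ip_id"] == FLOOD_IP_ID
            and h["dport"] == FLOOD_DST_PORT and syn_only)

def classify(packets):
    """Per destination IP, count packets matching the signature versus everything else."""
    counts = {}
    for pkt in packets:
        h = parse_ipv4_tcp(pkt)
        if h is None:
            continue
        bucket = counts.setdefault(h["dst"], {"flood": 0, "other": 0})
        bucket["flood" if is_flood_packet(pkt) else "other"] += 1
    return counts

def build_packet(src, dst, sport, dport, ip_id, flags, opts=b""):
    """Constructed IPv4/TCP packet for testing (checksums left at zero)."""
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (tcp_len // 4) << 4, flags, 8192, 0, 0)
    return ip + tcp + opts

def sample_capture():
    """Constructed sample: three spoofed flood SYNs, one normal SYN, one SYN/ACK reply."""
    mss = b"\x02\x04\x05\xb4"                         # 4-byte MSS option -> 24-byte TCP header
    flood = [build_packet("203.0.113.%d" % i, "80.63.11.95", 40000 + i, 80, 257, TCP_SYN, mss)
             for i in (1, 2, 3)]
    return flood + [build_packet("198.51.100.9", "80.63.11.95", 51515, 80, 4242, TCP_SYN, mss + b"\x01\x01\x04\x02"),
                    build_packet("80.63.11.95", "198.51.100.9", 80, 51515, 257, TCP_SYN | TCP_ACK, mss)]
```

Requiring all three fields to match keeps the 44-byte SYN/ACK and RST traffic the thread mentions out of the count, which a length-only filter would not.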



