[nsp-sec] [FICORA #505975] Intel on an UDP DoS attack
Jussi Eronen
juhani.eronen at ficora.fi
Wed Apr 13 08:20:24 EDT 2011
Hello,
A political website in Finland has been bombarded with UDP love for the
past few days. The parliamentary election is on Sunday, so we're keen to
find out anything on such activity at this time. Details follow:
Sun 10 Apr 18:30-20:30 UTC
various UDP ports as sources and destinations
71.160.166.168 ==> 193.64.245.134
220.85.13.75 ==> 193.64.245.134
Mon 11 Apr 17:40-21:00 UTC
various UDP ports as sources and destinations
70.38.6.69 ==> 193.64.245.134
190.183.59.238 ==> 193.64.245.134
The site was moved to a new IP after the attacks on Monday, but the
problems followed:
Wed 13 Apr 07:00- UTC
source UDP ports as shown, various destination ports (2556, 6277, 873,
113, 123, 20, 21)
208.100.28.235:42776/45376 UDP ==> 193.64.245.140
150.86.130.2:64159 UDP ==> 193.64.245.140
Only four attacker IPs, but geographically dispersed, and the resulting
traffic saturated the 100Mb line of the customer.
2907  | 150.86.130.2   | 150.86.0.0/16  | JP | SINET-AS
4766  | 220.85.13.75   | 220.80.0.0/13  | KR | KIXS-AS-KR
19262 | 71.160.166.168 | 71.160.0.0/16  | US | VZGNI-TRANSIT
32748 | 208.100.28.235 | 208.100.0.0/19 | US | STEADFAST
The ISP is currently rate-limiting the attack traffic, and the website
is working without major disturbances.
Are you seeing this attack? Is there anything you could tell us about
the source IPs?
Thanks,
-Jussi / CERT-FI