[nsp-sec] skunkx bots - sinkhole data

Serge Droz serge.droz at switch.ch
Wed Apr 27 03:14:59 EDT 2011


ACK
Reported ASNs: 6830, 6730, 559, 15547, 1257

Serge

On 26/4/11 21:14, Jose Nazario wrote:
> ----------- nsp-security Confidential --------
> 
> past 24h of sinkholing the skunkx ddos bot associated with the domain name "imageshak.biz". you can read about it here:
> 
> 	http://asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/
> 
> total uniq IPs seen in the past day:   28732
> top ASNs by count:
> 7559 AS45595    |  PKTELECOM-AS-PK Pakistan Telecom Company Limited
> 2772 AS9829     |  BSNL-NIB National Internet Backbone
> 1880 AS24560    |  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
>  831 AS17813    |  MTNL-AP Mahanagar Telephone Nigam Ltd.
>  787 AS17974    |  TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
>  732 AS17803    |  BSES-AS-AP BSES TeleCom Limited
>  702 AS38264    |  WATEEN-IMS-PK-AS-AP National WiMAX/IMS environment
>  650 AS23693    |  TELKOMSEL-ASN-ID PT. Telekomunikasi Selular
>  600 AS38710    |  WORLDCALL-AS-LHR Worldcall Broadband Limited
>  510 AS55740    |  TATAINDICOM-IN TATA TELESERVICES LTD - TATA INDICOM - CDMA DIVISION
> 
> 
> data enclosed, format is ASN, IP, CC, UTC timestamp of last observation, and network name
> 
> Bulk mode; whois.cymru.com [2011-04-26 19:09:57 +0000]
> NA      | 203.193.142.37   | IN | 1303820354      | NA
> 12      | 128.122.68.176   | US | 1303844808      | NYU-DOMAIN - New York University
> 12      | 128.122.92.104   | US | 1303844807      | NYU-DOMAIN - New York University
> ...
> 
> hope this helps. data may be shared per list conditions with relevant parties for remediation purposes. 
> 
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> http://asert.arbor.net/
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

-- 
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
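
A parser for the row format described in the quoted message (ASN, IP, CC, UTC timestamp of last observation, network name) that keeps only the rows for a recipient's own ASNs. This is an added example, not code from either poster; the function names, the AS559 sample row and the choice of ASNs to filter on are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: header and first three rows are as quoted in the message;
# the AS559 row (documentation IP) is made up for the example.
SAMPLE = """\
Bulk mode; whois.cymru.com [2011-04-26 19:09:57 +0000]
NA      | 203.193.142.37   | IN | 1303820354      | NA
12      | 128.122.68.176   | US | 1303844808      | NYU-DOMAIN - New York University
12      | 128.122.92.104   | US | 1303844807      | NYU-DOMAIN - New York University
559     | 192.0.2.10       | CH | 1303840000      | EXAMPLE-NET - constructed row
...
"""


def parse_feed(text):
    """Return one dict per well-formed row; header, elisions and junk are skipped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|", 4)]
        if len(fields) != 5:
            continue
        asn, ip, cc, ts, name = fields
        try:
            ip = str(ipaddress.ip_address(ip))
            seen = datetime.fromtimestamp(int(ts), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            continue  # not an IP address or not a usable epoch timestamp
        # "NA" in the ASN column: the lookup returned no ASN for this address.
        asn = int(asn) if asn.isdigit() else None
        records.append({"asn": asn, "ip": ip, "cc": cc, "last_seen": seen, "name": name})
    return records


def for_constituency(records, my_asns):
    """Group rows whose ASN is in my_asns as {asn: [(ip, ISO-8601 UTC), ...]}, newest first."""
    grouped = defaultdict(list)
    for r in records:
        if r["asn"] in my_asns:
            grouped[r["asn"]].append((r["ip"], r["last_seen"].isoformat()))
    return {a: sorted(rows, key=lambda row: row[1], reverse=True) for a, rows in grouped.items()}


if __name__ == "__main__":
    for asn, rows in for_constituency(parse_feed(SAMPLE), {12, 559}).items():
        for ip, seen in rows:
            print(f"AS{asn}\t{ip}\t{seen}")
```

Rows with "NA" in the ASN column never match an ASN filter, so they need separate handling (for example by country code or prefix) if they are to be routed to anyone.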


