[nsp-sec] DDoS attack - SYN Flood - Target: 209.242.125.24 port 80/TCP
Jose Nazario
jose at arbor.net
Mon Aug 22 11:14:25 EDT 2011
min | max | cc_host | cc_ip
---------------------+---------------------+---------------+-------------
2011-08-17 09:54:10 | 2011-08-17 16:18:45 | globdomain.ru | 91.220.0.20
(1 row)
our old friend: a BlackEnergy 1.x botnet; Shadowserver had a nice writeup of it. still live. this guy's moved around over the years:
cc_ip | cc_host
----------------+---------------
0.0.0.0 | globdomain.ru
188.95.159.115 | globdomain.ru
193.186.9.61 | globdomain.ru
194.28.112.134 | globdomain.ru
194.28.112.5 | globdomain.ru
194.8.250.201 | globdomain.ru
195.14.112.175 | globdomain.ru
195.54.170.16 | globdomain.ru
46.252.129.156 | globdomain.ru
86.55.210.85 | globdomain.ru
89.187.53.92 | globdomain.ru
91.193.194.161 | globdomain.ru
91.220.0.20 | globdomain.ru
91.220.35.203 | globdomain.ru
94.102.52.158 | globdomain.ru
94.60.123.30 | globdomain.ru
94.60.123.56 | globdomain.ru
(17 rows)
On Aug 19, 2011, at 8:17 PM, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Still seeing an active attack, but slowing (brunt of the attack was
> between 0300-0800 EDT today). Target information:
>
> 209.242.125.24 port 80/TCP
>
> 19384 | 209.242.125.24 | GRAMTEL001 - GramTel USA, Inc.
>
>
> PEER_AS | IP | AS Name
> 174 | 209.242.125.24 | COGENT Cogent/PSI
> 30023 | 209.242.125.24 | CBTSCNDC - Cincinnati Bell Technology Solutions
>
>
> Any one seeing a large amount of SYN packets destined to this host
> (possibly spoofed)?
>
> C2 information would be very helpful.
>
> Nick
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk5O/Q0ACgkQi10dJIBjZIDdFQCgpAer611YyqdbH1Wyh6/GzCmD
> 0gAAn3NXFzsD4Mq6dh6De3XLeWtIMVJe
> =RRWM
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
blog: http://asert.arbor.net/
twitter: @arbornetworks
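Nick's question in the quoted message ("any one seeing a large amount of SYN packets destined to this host (possibly spoofed)?") is the kind of thing a network operator answers from flow data. The following is an added example, not code from the thread, Arbor, or the nsp-security list: a small Python detector that, for each destination host and port, counts bare inbound SYNs and how many of the sending sources ever follow up with an ACK. Spoofed SYN flood sources never complete the handshake, so a target with a large SYN count from many sources and a near-zero handshake ratio is flagged. The flow records, the `Flow` record type, the flag-letter convention, and the thresholds (`min_syn`, `max_ack_ratio`) are all assumptions made for the example; the sample flows are constructed (TEST-NET sources) and reuse only the target address and port already given in the thread.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inbound TCP packet/flow record (assumed schema for this example).
    flags uses tcpdump-style letters: 'S' = SYN only, 'A' = ACK set, 'SA', ..."""
    ts: float
    src: str
    dst: str
    dport: int
    flags: str


def syn_flood_indicators(flows, min_syn=50, max_ack_ratio=0.2):
    """Per (dst, dport): count bare SYNs, distinct SYN sources, and the share of
    those sources that later sent any ACK (i.e. completed a handshake).
    A target is flagged when bare SYNs >= min_syn and the handshake ratio is
    <= max_ack_ratio, which is what a spoofed SYN flood looks like from the
    victim's side. Thresholds are illustrative, not tuned values."""
    stats = defaultdict(lambda: {"syn": 0, "srcs": set(), "ack_srcs": set()})
    for f in flows:
        s = stats[(f.dst, f.dport)]
        if f.flags == "S":
            s["syn"] += 1
            s["srcs"].add(f.src)
        elif "A" in f.flags:
            s["ack_srcs"].add(f.src)

    result = {}
    for key, s in stats.items():
        n_src = len(s["srcs"])
        completed = len(s["ack_srcs"] & s["srcs"])
        ratio = completed / n_src if n_src else 0.0
        result[key] = {
            "syn_packets": s["syn"],
            "unique_sources": n_src,
            "handshake_ratio": round(ratio, 3),
            "suspected_syn_flood": s["syn"] >= min_syn and ratio <= max_ack_ratio,
        }
    return result


def build_sample_flows():
    """Constructed sample data: 200 one-shot SYNs from distinct TEST-NET-2
    sources toward the thread's target, five real clients that complete the
    handshake to the same target, and three normal clients to another host."""
    flows = []
    target = "209.242.125.24"
    for i in range(200):  # spoofed-looking: SYN, never an ACK
        flows.append(Flow(1000.0 + i * 0.01, f"198.51.100.{i % 256}", target, 80, "S"))
    for i in range(5):  # legitimate clients: SYN then ACK
        src = f"203.0.113.{i + 1}"
        flows.append(Flow(1010.0 + i, src, target, 80, "S"))
        flows.append(Flow(1010.2 + i, src, target, 80, "A"))
    for i in range(3):  # unrelated host, all handshakes complete
        src = f"203.0.113.{i + 50}"
        flows.append(Flow(1020.0 + i, src, "192.0.2.10", 443, "S"))
        flows.append(Flow(1020.3 + i, src, "192.0.2.10", 443, "A"))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for (dst, dport), r in sorted(syn_flood_indicators(SAMPLE_FLOWS).items()):
        print(f"{dst}:{dport} syn={r['syn_packets']} srcs={r['unique_sources']} "
              f"handshake_ratio={r['handshake_ratio']} flagged={r['suspected_syn_flood']}")
```

On the constructed data the target shows 205 bare SYNs from 205 sources with a handshake ratio of about 0.024 and is flagged, while the second host sees three SYNs that all complete and is not. Against real flow exports the source-count and ratio features matter more than the raw SYN count, since a busy legitimate service also receives many SYNs but from sources that go on to ACK.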