[nsp-sec] Proxy ACK for AS5778 & 11398 [DDoS - City of New York]
Smith, Donald
Donald.Smith at CenturyLink.com
Mon Aug 22 17:00:10 EDT 2011
Note those are all mail servers too.
So the theory that this is blowback from a spam run sounds very plausible.
Also NOTE: the email address on the cc line belongs to Pär Österberg Medina, who is no longer an nsp-sec member.
That was pointed out early, so no trust violation (in my opinion), but just a reminder: Par was a member and was vetted and trusted, but is not a current member. Par, why don't you reapply?
Ignorance is Bliss. "Bliss (Basic Language for Implementation of System Software) was a
systems programming language originally for the PDP-10 and DECsystem-20 written at CMU." Kevin Oberman RTD
Donald.Smith at CenturyLink.com
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Hicks, Howard
> Sent: Monday, August 22, 2011 2:15 PM
> To: 'James J. Barlow'; nsp-security at puck.nether.net
> Cc: pmedina at doitt.nyc.gov
> Subject: Re: [nsp-sec] Proxy ACK for AS5778 & 11398 [DDoS - City of New
> York]
>
> ----------- nsp-security Confidential --------
>
> 5778 | 205.244.202.14 | 63 | webmail4.embarqservices.net | EMBARQ-RCMT - Embarq Corporation
> 5778 | 205.244.202.14 | 68 | webmail4.embarqservices.net | EMBARQ-RCMT - Embarq Corporation
> 5778 | 205.244.202.14 | 53 | webmail4.embarqservices.net | EMBARQ-RCMT - Embarq Corporation
> 11398 | 69.68.102.32 | 3 | nv-69-68-102-32.sta.embarqhsd.net | EMBARQ-LVGS - Embarq Corporation
> 5778 | 205.244.202.14 | 60 | webmail4.embarqservices.net | EMBARQ-RCMT - Embarq Corporation
> 11398 | 69.68.102.32 | 4 | nv-69-68-102-32.sta.embarqhsd.net | EMBARQ-LVGS - Embarq Corporation
> --
>
> Howard Hicks
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> > bounces at puck.nether.net] On Behalf Of James J. Barlow
> > Sent: Monday, August 22, 2011 12:38 PM
> > To: nsp-security at puck.nether.net
> > Cc: pmedina at doitt.nyc.gov
> > Subject: [nsp-sec] [DDoS - City of New York]
> >
> > ----------- nsp-security Confidential --------
> >
> > Forwarding this for a colleague who used to be in nsp-sec regarding a
> > DDoS that is hitting his employer's site.
> >
> >
> > ----- Forwarded message from "Medina, Par (Consultant)"
> > <pmedina at doitt.nyc.gov> -----
> >
> > Hello nsp-sec,
> >
> > This is Pär Österberg Medina; I used to work for Sitic/CERT-SE but have
> > now moved to the US and am currently working at the City of New York.
> >
> > The domain nyc.gov is currently the target of a DDoS attack. The
> > attack consists of connections on TCP port 25 towards our mail servers,
> > vwall{1,2,3,4}.nyc.gov. Attached are four files with offending IPs
> > collected during the time 07:20 to 09:15 (UTC-4) last Friday 8/19/11.
> >
> > Please pass along any information you can regarding the Botnet that
> > is behind this. Samples of the Bot that is being used are also greatly
> > appreciated ;)
> >
> > Kind regards
> > --
> > Pär Österberg Medina
> > Security Operations Center
> > Dept of Information Technology
> > & Telecommunications for
> > City of New York
> > http://www.nyc.gov
> > +1 718-403-8238
> >
> > -----
> >
> > --
> > James J. Barlow <jbarlow at ncsa.illinois.edu>
> > Head of Security Operations and Incident Response
> > National Center for Supercomputing Applications   Office : (217)244-6403
> > 1205 West Clark Street, Urbana, IL 61801          Cell : (217)840-0601
> > http://www.ncsa.illinois.edu/~jbarlow             Fax : (217)244-1987
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the sender
> by reply e-mail and destroy all copies of the communication and any attachments.
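A small triage helper for the report lines quoted in the thread, added here as an example and not part of the original messages: it re-joins the wrapped `ASN | IP | count | rDNS | AS name` records, totals the count column per source, and labels each source `mta` when its reverse name looks like a mail server (webmail4.embarqservices.net) or `host` otherwise (nv-69-68-102-32.sta.embarqhsd.net), which is the distinction the "blowback from a spam run" theory hinges on. Reading the third column as a hit count and the MTA hostname tokens are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the six records quoted in the thread, in the wrapped form the mail client produced.
RAW_REPORT = """\
5778 | 205.244.202.14 | 63 | webmail4.embarqservices.net |
EMBARQ-RCMT - Embarq Corporation
5778 | 205.244.202.14 | 68 | webmail4.embarqservices.net |
EMBARQ-RCMT - Embarq Corporation
5778 | 205.244.202.14 | 53 | webmail4.embarqservices.net |
EMBARQ-RCMT - Embarq Corporation
11398 | 69.68.102.32 | 3 | nv-69-68-102-32.sta.embarqhsd.net |
EMBARQ-LVGS - Embarq Corporation
5778 | 205.244.202.14 | 60 | webmail4.embarqservices.net |
EMBARQ-RCMT - Embarq Corporation
11398 | 69.68.102.32 | 4 | nv-69-68-102-32.sta.embarqhsd.net |
EMBARQ-LVGS - Embarq Corporation
"""

# Assumed heuristic: rDNS labels that usually denote an MTA; residential names carry none of them.
MTA_TOKENS = re.compile(r"(^|[.-])(webmail|mail|mx|smtp|mta)\d*(?=[.-]|$)", re.I)


def parse_report(text):
    """Return (asn, ip, count, rdns, asname) tuples; a record starts with 'ASN | ', so split only there."""
    records = []
    for chunk in re.split(r"\n(?=\d+ \| )", text.strip()):
        fields = [f.strip() for f in chunk.replace("\n", " ").split("|")]
        if len(fields) != 5:
            continue  # skip malformed or truncated records rather than guess
        asn, ip, count, rdns, asname = fields
        records.append((int(asn), ip, int(count), rdns, asname))
    return records


def summarize(records):
    """Total the count column per (asn, ip) and label each source 'mta' or 'host'."""
    totals = defaultdict(int)
    labels = {}
    for asn, ip, count, rdns, _ in records:
        totals[(asn, ip)] += count
        labels[(asn, ip)] = "mta" if MTA_TOKENS.search(rdns) else "host"
    return {src: (totals[src], labels[src]) for src in totals}


if __name__ == "__main__":
    for (asn, ip), (total, label) in sorted(summarize(parse_report(RAW_REPORT)).items()):
        print(f"AS{asn:<6} {ip:<16} {total:>4}  {label}")
```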