[nsp-sec] DDoS aimed at 178.251.233.35
sthaug at nethelp.no
Wed Dec 7 01:05:12 EST 2011
> We are filtering about 4Gbps of attack traffic destined for 178.251.233.35 over various ingress paths.
>
> It is a UDP flood against port 27660.
>
> Our flow stats show the following sources, though I have not yet checked if these are spoofed (a quick look suggests at least not all are). Any help in picking up this traffic on your side and filtering/removing it would be appreciated.
The traffic from the 2116 host seems to have stopped at around 03:40
UTC, according to our netflow data. However - the netflow data also
suggests that this is not a typical attack in that you have significant
traffic both ways, e.g. (times in UTC+2):

Start             End               Sif SrcIPaddress   SrcP  DIf DstIPaddress   DstP  P  Fl Pkts Octets
1207.04:08:46.012 1207.04:08:53.234 340 213.52.31.22   28960 330 178.251.233.35 27660 17 0  4    1924
1207.04:08:51.549 1207.04:09:23.332 156 178.251.233.35 27660 922 213.52.31.22   28960 17 0  10   430
1207.04:08:58.654 1207.04:09:53.313 340 213.52.31.22   28960 330 178.251.233.35 27660 17 0  25   12025
1207.04:09:28.495 1207.04:10:25.365 156 178.251.233.35 27660 922 213.52.31.22   28960 17 0  11   473
1207.04:10:02.985 1207.04:10:56.133 340 213.52.31.22   28960 330 178.251.233.35 27660 17 0  16   7696
1207.04:10:28.419 1207.04:11:26.388 156 178.251.233.35 27660 922 213.52.31.22   28960 17 0  15   645
1207.04:10:58.499 1207.04:11:54.062 340 213.52.31.22   28960 330 178.251.233.35 27660 17 0  9    4329
1207.04:11:27.572 1207.04:12:26.721 156 178.251.233.35 27660 922 213.52.31.22   28960 17 0  15   645
1207.04:12:00.738 1207.04:12:57.716 340 213.52.31.22   28960 330 178.251.233.35 27660 17 0  15   7215
1207.04:12:30.546 1207.04:13:26.272 156 178.251.233.35 27660 922 213.52.31.22   28960 17 0  23   989

It's hard for me to classify this as an attack.
Steinar Haug, AS 2116
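
Added example, not part of the original message: a Python sketch that groups the flow records quoted above by peer and by direction relative to 178.251.233.35, then flags whether each conversation is two-way, which is the observation the reply rests on. The function names and the single constructed one-way record (192.0.2.10, a documentation address) are assumptions for illustration.

```python
from collections import defaultdict

# Flow records from the message above, plus one constructed one-way record
# (192.0.2.10, documentation address) added here for contrast.
FLOWS = """\
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1207.04:08:46.012 1207.04:08:53.234 340 213.52.31.22 28960 330 178.251.233.35 27660 17 0 4 1924
1207.04:08:51.549 1207.04:09:23.332 156 178.251.233.35 27660 922 213.52.31.22 28960 17 0 10 430
1207.04:08:58.654 1207.04:09:53.313 340 213.52.31.22 28960 330 178.251.233.35 27660 17 0 25 12025
1207.04:09:28.495 1207.04:10:25.365 156 178.251.233.35 27660 922 213.52.31.22 28960 17 0 11 473
1207.04:10:02.985 1207.04:10:56.133 340 213.52.31.22 28960 330 178.251.233.35 27660 17 0 16 7696
1207.04:10:28.419 1207.04:11:26.388 156 178.251.233.35 27660 922 213.52.31.22 28960 17 0 15 645
1207.04:10:58.499 1207.04:11:54.062 340 213.52.31.22 28960 330 178.251.233.35 27660 17 0 9 4329
1207.04:11:27.572 1207.04:12:26.721 156 178.251.233.35 27660 922 213.52.31.22 28960 17 0 15 645
1207.04:12:00.738 1207.04:12:57.716 340 213.52.31.22 28960 330 178.251.233.35 27660 17 0 15 7215
1207.04:12:30.546 1207.04:13:26.272 156 178.251.233.35 27660 922 213.52.31.22 28960 17 0 23 989
1207.04:13:00.000 1207.04:13:30.000 340 192.0.2.10 40000 330 178.251.233.35 27660 17 0 9000 378000
"""

def parse(text):
    """Yield (src, sport, dst, dport, proto, pkts, octets) per record."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 12 and f[2].isdigit():  # skips header and junk lines
            yield f[3], int(f[4]), f[6], int(f[7]), int(f[8]), int(f[10]), int(f[11])

def summarize(text, target):
    """Sum [pkts, octets] per peer conversation, split by direction."""
    stats = defaultdict(lambda: {"in": [0, 0], "out": [0, 0]})
    for src, sport, dst, dport, proto, pkts, octets in parse(text):
        if dst == target:
            key, way = (src, sport, dport, proto), "in"
        elif src == target:
            key, way = (dst, dport, sport, proto), "out"
        else:
            continue
        stats[key][way][0] += pkts
        stats[key][way][1] += octets
    return dict(stats)

def is_two_way(conv):
    """True when the target also sent packets back to this peer."""
    return conv["in"][0] > 0 and conv["out"][0] > 0

if __name__ == "__main__":
    for key, conv in summarize(FLOWS, "178.251.233.35").items():
        (ip, ie), (op, oe) = conv["in"], conv["out"]
        print(key, "two-way" if is_two_way(conv) else "one-way",
              f"in {ip} pkts/{ie} B, out {op} pkts/{oe} B")
```

For the records in the message, 213.52.31.22 comes out as two-way (69 packets in, 74 packets out), while the constructed 192.0.2.10 record is one-way.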