[nsp-sec] comcast?

Rob Thomas robt at cymru.com
Tue Dec 20 21:38:15 EST 2011


Hi, team.

>> Seems I'm suffering from a > 15Gbps DDoS (UDP/161 traffic).
>> According to our flows it is coming from AS 7922 (comcast).

We're seeing the same.  At present here are the top sources by ASN, with
the Srcips count being the unique IP addresses we've seen in that ASN.

 Srcips ASN       AS Name
 267563 3352      TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
   4991 33491     COMCAST-33491 - Comcast Cable Communications, Inc.
   4905 33287     COMCAST-33287 - Comcast Cable Communications, Inc.
   4890 33652     CMCS - Comcast Cable Communications, Inc.
   3953 33651     CMCS - Comcast Cable Communications, Inc.
   3715 33490     COMCAST-33490 - Comcast Cable Communications, Inc.
   3196 33668     CMCS - Comcast Cable Communications, Inc.
   2797 33650     COMCAST-33650 - Comcast Cable Communications, Inc.
   2785 33657     CMCS - Comcast Cable Communications, Inc.
   2713 7015      COMCAST-7015 - Comcast Cable Communications Holdings, Inc
   2706 7725      COMCAST-7725 - Comcast Cable Communications Holdings, Inc
   1855 20214     COMCAST-20214 - Comcast Cable Communications Holdings, Inc
   1300 33662     CMCS - Comcast Cable Communications, Inc.
   1226 7016      CCCH-3 - Comcast Cable Communications Holdings, Inc
   1200 13367     COMCAST-13367 - Comcast Cable Communications Holdings, Inc
   1124 33660     CMCS - Comcast Cable Communications, Inc.
    850 21508     COMCAST-21508 - Comcast Cable Communications Holdings, Inc
    582 22258     COMCAST-22258 - Comcast Cable Communications Holdings, Inc
    559 33654     CMCS - Comcast Cable Communications, Inc.
    531 33661     CMCS - Comcast Cable Communications, Inc.
    527 33489     COMCAST-33489 - Comcast Cable Communications, Inc.
    449 812       ROGERS-CABLE - Rogers Cable Communications Inc.
    289 33653     CMCS - Comcast Cable Communications, Inc.
    232 7922      COMCAST-7922 - Comcast Cable Communications, Inc.
    199 33656     CMCS - Comcast Cable Communications, Inc.
    145 33655     CMCS - Comcast Cable Communications, Inc.
    135 46853     SWTEXAS - Southwest Texas Telephone Company
    124 3269      ASN-IBSNAZ Telecom Italia S.p.a.
     85 33665     CMCS - Comcast Cable Communications, Inc.
     82 33666     CMCS - Comcast Cable Communications, Inc.
     80 5778      EMBARQ-RCMT - Embarq Corporation

Comcast and Telefonica, you've got amplification!  :)  Hit me up for a
full list of the source IP addresses.

We'll try to push out a full list of attackers as soon as we can.

> guessing this is more snmp reflective dos... and like CPE/modems
> bouncing back 'sys.Descr.0' or the like :(

We're working on determining that now.

Thanks,
Rob.
- --
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15

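Added example, not part of the original message and not Team Cymru's tooling: one way a victim network could build the same "unique source IPs per ASN" summary from its own flow records for UDP traffic sourced from port 161. The flow record layout, the prefix-to-ASN table, the AS names and all addresses are constructed for illustration (documentation prefixes and private-use ASNs).

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ASN table (documentation prefixes, private-use ASNs).
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): (64512, "EXAMPLE-CABLE"),
    ipaddress.ip_network("198.51.100.0/24"): (64513, "EXAMPLE-DSL"),
}

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
192.0.2.10,161,203.0.113.5,40211,17,1432
192.0.2.10,161,203.0.113.5,40212,17,1432
192.0.2.77,161,203.0.113.5,51000,17,1380
198.51.100.3,161,203.0.113.5,33010,17,1410
198.51.100.3,53,203.0.113.5,33011,17,512
192.0.2.99,443,203.0.113.5,52000,6,900
203.0.113.200,161,203.0.113.5,1024,17,1400
"""

def lookup_asn(ip):
    """Longest-prefix match against the constructed table; None if no match."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in PREFIX_TO_ASN if addr in n]
    if not matches:
        return None
    return PREFIX_TO_ASN[max(matches, key=lambda n: n.prefixlen)]

def top_reflectors(flow_text, victim, port=161):
    """Count unique source IPs per ASN sending UDP from `port` to `victim`."""
    per_asn = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, _dport, proto, _bytes = line.strip().split(",")
        # Reflected SNMP responses arrive as UDP (proto 17) with source port 161.
        if dst != victim or int(proto) != 17 or int(sport) != port:
            continue
        asn = lookup_asn(src) or (0, "UNKNOWN")
        per_asn[asn].add(src)
    rows = [(len(ips), asn, name) for (asn, name), ips in per_asn.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    print(" Srcips ASN       AS Name")
    for count, asn, name in top_reflectors(SAMPLE_FLOWS, "203.0.113.5"):
        print(f"{count:7d} {asn:<9d} {name}")
```
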


