[nsp-sec] UDP love against AS5539

sthaug at nethelp.no
Fri Dec 23 09:44:59 EST 2011


> > So, what I'd like you to do is to check your telemetry for flows
> > to
> >    dst ip = 194.97.147.57
> >    proto = udp
> >    dst port = 27660
> > 
> > ... if you see any of this, it's not legit.  This is a web server, it has
> > nothing but tcp/80 and tcp/443.
> 
> 1&1 reported back that they frequently saw 79.96.6.110 in dumping traffic
> from their offenders (no additional specifics), so if you investigate
> offenders on your network, please check whether you see traffic to that
> IP as well - might be the C&C server.

I see traffic between the AS 2116 host participating in the attack,
and 79.96.6.110. This traffic started at approximately the same time
as the attack traffic.

However, investigating more closely it seems much more likely that
79.96.6.110 is a *target* itself. Right now I see queries from
79.96.6.110 for ANY ripe.net - which result in nice big answers with
RRSIG, DNSKEY etc. So presumably the queries from 79.96.6.110 are
spoofed, and 79.96.6.110 is a victim. (It is of course possible that
it is both a victim and a C&C.)

Steinar Haug, AS 2116
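The two checks discussed in this thread, as an added example that is not code from the list or from its posters: scanning flow telemetry for UDP towards the reported target/port, noting which of those offenders also exchange traffic with 79.96.6.110, and scanning a resolver's query log for clients whose ANY queries draw back far more bytes than they send (a hint that the client address is spoofed and is itself the reflection victim). The flow and query-log formats, the sample records and the amplification threshold are all constructed for the example.

```python
"""Added example: scan constructed flow records and a constructed DNS query log
for the two patterns discussed in the thread. Not code from the list or its posters."""
from collections import defaultdict
from dataclasses import dataclass

# Values reported in the thread
ATTACK_DST_IP = "194.97.147.57"      # reported target (web server, tcp/80 and tcp/443 only)
ATTACK_DST_PORT = 27660              # reported UDP destination port
SUSPECT_IP = "79.96.6.110"           # seen alongside offenders; C&C or reflection victim
ANY_AMPLIFICATION_THRESHOLD = 10.0   # assumed: response bytes / query bytes that is suspicious


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    octets: int


def parse_flow(line: str) -> Flow:
    # Constructed CSV format: src_ip,dst_ip,proto,dst_port,octets
    src, dst, proto, dport, octets = line.strip().split(",")
    return Flow(src, dst, proto.lower(), int(dport), int(octets))


def attack_sources(flows):
    """Bytes per source host sent as UDP to the reported target/port."""
    out = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.dst_ip == ATTACK_DST_IP and f.dst_port == ATTACK_DST_PORT:
            out[f.src_ip] += f.octets
    return dict(out)


def sources_talking_to(flows, ip, candidates):
    """Which of the candidate hosts also exchanged traffic with `ip` (either direction)."""
    return sorted({f.src_ip for f in flows if f.dst_ip == ip and f.src_ip in candidates}
                  | {f.dst_ip for f in flows if f.src_ip == ip and f.dst_ip in candidates})


def parse_dns(line: str):
    # Constructed key=value format: client=IP qtype=ANY qname=ripe.net qlen=26 rlen=3100
    kv = dict(tok.split("=", 1) for tok in line.split())
    return kv["client"], kv["qtype"], kv["qname"], int(kv["qlen"]), int(kv["rlen"])


def likely_reflection_victims(dns_lines, threshold=ANY_AMPLIFICATION_THRESHOLD):
    """Clients whose ANY queries produce responses many times larger than the
    queries (signed zones return RRSIG, DNSKEY, etc.). Such a client is more
    likely a spoofed victim than a real user; returns client -> amplification factor."""
    qbytes, rbytes = defaultdict(int), defaultdict(int)
    for line in dns_lines:
        client, qtype, _qname, qlen, rlen = parse_dns(line)
        if qtype != "ANY":
            continue
        qbytes[client] += qlen
        rbytes[client] += rlen
    result = {}
    for client in qbytes:
        factor = rbytes[client] / qbytes[client]
        if factor >= threshold:
            result[client] = round(factor, 1)
    return result


FLOW_LINES = [  # constructed sample telemetry
    "10.1.2.3,194.97.147.57,udp,27660,1200000",
    "10.1.2.3,79.96.6.110,udp,53,400",
    "10.1.2.4,194.97.147.57,tcp,80,5000",   # ordinary web traffic, ignored
    "10.1.9.9,194.97.147.57,udp,27660,900000",
    "10.1.9.9,203.0.113.5,udp,123,200",
]
DNS_LINES = [  # constructed sample resolver log
    "client=79.96.6.110 qtype=ANY qname=ripe.net qlen=26 rlen=3100",
    "client=79.96.6.110 qtype=ANY qname=ripe.net qlen=26 rlen=3100",
    "client=192.0.2.7 qtype=A qname=example.com qlen=29 rlen=45",
    "client=192.0.2.8 qtype=ANY qname=example.com qlen=29 rlen=120",
]


def report(flow_lines=FLOW_LINES, dns_lines=DNS_LINES):
    """Run all three checks; returns (attack sources, those also talking to SUSPECT_IP, victims)."""
    flows = [parse_flow(ln) for ln in flow_lines]
    sources = attack_sources(flows)
    linked = sources_talking_to(flows, SUSPECT_IP, set(sources))
    victims = likely_reflection_victims(dns_lines)
    return sources, linked, victims


if __name__ == "__main__":
    s, l, v = report()
    print("UDP to target:", s)
    print("also talking to", SUSPECT_IP, ":", l)
    print("likely reflection victims (amplification factor):", v)
```

Only the two UDP senders to the reported port show up as offenders, one of them also talks to 79.96.6.110, and 79.96.6.110 itself is flagged from the query log because its ANY queries return over a hundred times the bytes they send, which is the "victim, not just C&C" reading given above; a real ANY-querying client with small answers (192.0.2.8) stays below the threshold.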


