[nsp-sec] DOS C&C by ICMP - any ideas on the infection?
Rob Thomas
robt at cymru.com
Fri Dec 23 10:25:02 EST 2011
Hey, James.
> Netflow data shows there was an ICMP Echo Reply to the attack machine
> purporting to be from the victim machine immediately before the flood, I
> assume this is the command to start the flood - either spoofed to be
> from the victim, or a genuine echo reply from the victim to the attacker
> in response to a spoofed echo request. I've seen this before, but I
> can't track down what was concluded at the time. :/
It appears that 93.114.41.155 was involved in some Romanian miscreant
activity at least back to 2011-05 UTC. That might explain an attack
against it.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
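
Added example, not part of the original thread or either poster's code: one way to search flow records for the pattern James describes, an ICMP echo reply arriving at a host immediately before that host begins flooding the reply's purported source. The record layout, thresholds and addresses are constructed for illustration. It assumes flows are exported at the flooding host's network edge, where both cases he mentions (spoofed reply, or genuine reply to a spoofed request) show up as a reply with no matching outbound request.

```python
from collections import namedtuple

# Constructed flow record layout (assumption, not a real NetFlow schema):
# start time in seconds, source, destination, protocol, ICMP type, packet count.
Flow = namedtuple("Flow", "ts src dst proto icmp_type pkts")
ECHO_REPLY, ECHO_REQUEST = 0, 8

def find_reply_then_flood(flows, window=5.0, flood_pkts=10000, lookback=10.0):
    """Return (reply, flood) pairs: an echo reply X -> H with no echo request
    H -> X in the preceding `lookback` seconds, followed within `window`
    seconds by a high-volume flow H -> X. Thresholds are assumed values."""
    flows = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, r in enumerate(flows):
        if r.proto != "icmp" or r.icmp_type != ECHO_REPLY:
            continue
        # A reply is solicited if the recipient recently pinged the sender.
        solicited = any(
            q.proto == "icmp" and q.icmp_type == ECHO_REQUEST
            and q.src == r.dst and q.dst == r.src
            and 0 <= r.ts - q.ts <= lookback
            for q in flows[:i]
        )
        if solicited:
            continue
        # Look for a flood from the reply's recipient back to its claimed source.
        for f in flows[i + 1:]:
            if f.ts - r.ts > window:
                break
            if f.src == r.dst and f.dst == r.src and f.pkts >= flood_pkts:
                hits.append((r, f))
                break
    return hits

# Constructed sample flows using documentation address ranges.
SAMPLE = [
    # Ordinary ping: request followed by its matching reply.
    Flow(100.0, "192.0.2.10", "198.51.100.7", "icmp", ECHO_REQUEST, 1),
    Flow(100.1, "198.51.100.7", "192.0.2.10", "icmp", ECHO_REPLY, 1),
    # Unsolicited reply, then a large flow back toward its purported source.
    Flow(200.0, "203.0.113.5", "192.0.2.10", "icmp", ECHO_REPLY, 1),
    Flow(201.5, "192.0.2.10", "203.0.113.5", "udp", None, 250000),
    # Unsolicited reply with nothing following it.
    Flow(300.0, "203.0.113.9", "192.0.2.20", "icmp", ECHO_REPLY, 1),
]
```

A match only says the timing fits; the purported source of the reply is the flood target in this pattern, so it does not identify who sent the trigger.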