[nsp-sec] DoS Attack against Level3
Mike Tancsa
mike at sentex.net
Thu Jul 21 14:10:05 EDT 2011
On 7/21/2011 11:09 AM, Janish, Nathan wrote:
> ----------- nsp-security Confidential --------
>
> Hello Everyone,
>
> We are currently experiencing a DoS attack and would appreciate the assistance of anyone who could possibly provide us with some of their netflows.
Just a bit of what appears to be normal DNS flows now, but there seems to have been an unusual burst of activity from one of our customer networks from 07:38 (GMT-400) to 08:56. I can make further inquiries if you think there might be benefit? Was the attack DNS focused?
% racluster -L0 -m matrix -nr leve3-attack.arg
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
07-20 21:43:37.678 e ip 204.225.48.34 <-> 205.128.90.51 4 765 CON
07-21 06:05:21.699 e ip 199.212.134.12 -> 205.128.90.51 16 1367 INT
07-21 07:38:57.926 M ip 192.221.69.45 <-> 198.235.180.253 228 23426 CON
07-21 07:38:58.148 M ip 198.235.181.254 -> 205.128.70.51 150 12871 INT
07-21 07:38:58.649 M ip 192.221.69.45 <-> 198.235.181.254 186 19648 CON
07-21 07:46:12.053 M ip 198.235.181.254 <-> 206.33.57.51 153 13344 CON
07-21 07:46:12.554 M ip 198.235.180.253 <-> 205.128.90.51 135 13242 CON
07-21 07:46:12.554 M ip 192.221.72.51 <-> 198.235.181.254 195 17536 CON
07-21 07:46:13.055 M ip 192.221.72.51 <-> 198.235.180.253 153 14223 CON
07-21 07:46:13.055 M ip 198.235.181.254 <-> 205.128.90.51 186 16876 CON
07-21 07:46:13.557 M ip 4.23.54.51 <-> 198.235.181.254 159 14782 CON
07-21 08:02:38.633 M ip 4.23.54.51 <-> 198.235.180.253 195 17005 CON
07-21 08:02:39.133 M ip 198.235.180.253 <-> 205.128.70.51 186 17083 CON
07-21 08:02:39.634 M ip 198.235.180.253 <-> 206.33.57.51 162 14199 CON
07-21 08:13:33.200 e ip 199.212.134.12 -> 205.128.70.51 15 1283 INT
07-21 08:13:33.219 e ip 192.221.72.51 <- 199.212.134.12 21 1781 RSP
07-21 08:13:34.002 e ip 199.212.134.12 -> 206.33.57.51 19 1594 INT
07-21 08:13:34.020 e ip 4.23.54.51 <- 199.212.134.12 17 1442 RSP
07-21 08:13:34.804 e ip 192.221.69.45 <- 199.212.134.12 20 1683 RSP
07-21 08:35:05.869 e ip 64.7.150.22 <-> 192.221.69.45 2 427 CON
07-21 08:47:32.850 M ip 64.7.140.187 -> 205.128.90.51 3 275 INT
07-21 08:47:36.808 M ip 64.7.140.187 -> 205.128.70.51 6 550 INT
07-21 08:47:40.808 M ip 4.23.54.51 <- 64.7.140.187 12 1100 RSP
07-21 08:47:40.808 M ip 64.7.140.187 <-> 192.221.72.51 9 1506 CON
07-21 08:47:44.808 M ip 64.7.140.187 -> 192.221.69.45 6 550 INT
07-21 08:47:44.808 M ip 64.7.140.187 -> 206.33.57.51 3 275 INT
07-21 08:56:15.715 M ip 198.235.180.210 -> 205.128.70.51 3 281 INT
07-21 08:56:16.216 M ip 192.221.69.45 <- 198.235.180.210 3 281 RSP
07-21 08:56:16.717 M ip 4.23.54.51 <- 198.235.180.210 3 281 RSP
07-21 08:56:16.835 M ip 198.235.180.200 -> 205.128.70.51 63 5325 INT
07-21 08:56:17.218 M ip 198.235.180.210 -> 205.128.90.51 3 281 INT
07-21 08:56:17.641 M ip 192.221.72.51 <-> 198.235.180.200 75 6986 CON
07-21 08:56:17.719 M ip 192.221.72.51 <- 198.235.180.210 3 248 RSP
07-21 08:56:18.220 M ip 198.235.180.210 -> 206.33.57.51 3 248 INT
07-21 08:56:18.449 M ip 198.235.180.200 -> 206.33.57.51 69 5809 INT
07-21 08:56:19.257 M ip 198.235.180.200 -> 205.128.90.51 72 6051 INT
07-21 08:56:20.065 M ip 192.221.69.45 <- 198.235.180.200 69 5803 RSP
07-21 08:56:20.873 M ip 4.23.54.51 <- 198.235.180.200 66 5567 RSP
07-21 10:00:19.039 e ip 192.221.72.51 <-> 199.212.134.18 2 425 CON
---Mike
>
> Destinations that are currently being attacked are,
>
> 192.221.69.45
> 192.221.72.51
> 205.128.90.51
> 4.23.54.51
> 205.128.70.51
> 206.33.57.51
> 199.93.56.51
>
> Thanks in Advance,
>
> Nathan Janish
> Level3 Communications
> Manager, Network Security
> 720.888.3350
> nathan.janish at level3.com
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
>
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
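
Added example, not part of the original message or of the Argus tools: one way to summarize racluster matrix output like the listing above by remote /24 for the 07:38 to 08:56 window. The function names, the /24 grouping and the time-of-day-only window are assumptions made for illustration; the sample rows are copied from the listing.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Attacked destinations as listed in the quoted request.
VICTIMS = {ip_address(a) for a in (
    "192.221.69.45", "192.221.72.51", "205.128.90.51", "4.23.54.51",
    "205.128.70.51", "206.33.57.51", "199.93.56.51")}

# Rows copied from the racluster listing in the post (a subset, not new data).
SAMPLE = """\
07-21 06:05:21.699 e ip 199.212.134.12 -> 205.128.90.51 16 1367 INT
07-21 07:38:57.926 M ip 192.221.69.45 <-> 198.235.180.253 228 23426 CON
07-21 07:38:58.148 M ip 198.235.181.254 -> 205.128.70.51 150 12871 INT
07-21 07:46:13.557 M ip 4.23.54.51 <-> 198.235.181.254 159 14782 CON
07-21 08:47:40.808 M ip 4.23.54.51 <- 64.7.140.187 12 1100 RSP
07-21 08:56:18.449 M ip 198.235.180.200 -> 206.33.57.51 69 5809 INT
"""

def parse_matrix(text):
    """Yield (hh:mm, addr_a, addr_b, pkts, bytes) for each data row."""
    for line in text.splitlines():
        f = line.split()
        # Matrix rows carry no port columns, so a data row has exactly 10 fields.
        if len(f) != 10 or f[5] not in ("->", "<-", "<->"):
            continue  # header or malformed line
        yield f[1][:5], ip_address(f[4]), ip_address(f[6]), int(f[7]), int(f[8])

def peers_by_prefix(text, start="00:00", end="23:59", prefixlen=24):
    """Sum packets and bytes per remote prefix exchanging traffic with a victim."""
    totals = defaultdict(lambda: [0, 0])
    for hhmm, a, b, pkts, nbytes in parse_matrix(text):
        if not (start <= hhmm <= end):  # time of day only; the date is ignored
            continue
        # In matrix output the victim can sit on either side of the arrow.
        if a in VICTIMS and b not in VICTIMS:
            peer = b
        elif b in VICTIMS and a not in VICTIMS:
            peer = a
        else:
            continue
        net = str(ip_network(f"{peer}/{prefixlen}", strict=False))
        totals[net][0] += pkts
        totals[net][1] += nbytes
    return {net: tuple(v) for net, v in totals.items()}

if __name__ == "__main__":
    for net, (p, b) in sorted(peers_by_prefix(SAMPLE, "07:38", "08:56").items()):
        print(f"{net:20} pkts={p:5} bytes={b}")
```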