[nsp-sec] DoS Attack against Level3
Mike Tancsa
mike at sentex.net
Thu Jul 21 15:43:35 EDT 2011
On 7/21/2011 2:56 PM, Wentworth, Brett wrote:
> Yes, this was a DNS focused attack. Very distributed from what we can tell, and a lot from Asia.
>
> If you have the ability to look at any of the hosts for botnet behavior, where the C&C is etc, that would be great.
The hosts in question are behind a large customer with many internal
endpoints, unfortunately, and they generate a lot of traffic. I will
spend a few cycles to look at the traffic flows just before the attack
started to see if anything odd/interesting pops up. If you have any
suggestions on what to look for, give me a shout off list and I will be
happy to take a look.
---Mike
>
>
> Thank you,
>
> Brett Wentworth
> Director - Global Security
> Level 3 Communications, LLC
> Brett.wentworth at level3.com
> 720-888-9462
>
>
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Mike Tancsa
> Sent: Thursday, July 21, 2011 12:10 PM
> To: Janish, Nathan
> Cc: 'NSP-SEC List'
> Subject: Re: [nsp-sec] DoS Attack against Level3
>
> ----------- nsp-security Confidential --------
>
> On 7/21/2011 11:09 AM, Janish, Nathan wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hello Everyone,
>>
>> We are currently experiencing a DoS attack and would appreciate the assistance of anyone who could possibly provide us with some of their netflows.
>
>
> Just a bit of what appears to be normal DNS flows now, but there seems to have been an unusual burst of activity from one of our customer networks from 07:38 (GMT-400) to 08:56. I can make further inquiries if you think there might be benefit? Was the attack DNS focused?
>
>
> % racluster -L0 -m matrix -nr leve3-attack.arg
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 07-20 21:43:37.678 e ip 204.225.48.34 <-> 205.128.90.51 4 765 CON
> 07-21 06:05:21.699 e ip 199.212.134.12 -> 205.128.90.51 16 1367 INT
> 07-21 07:38:57.926 M ip 192.221.69.45 <-> 198.235.180.253 228 23426 CON
> 07-21 07:38:58.148 M ip 198.235.181.254 -> 205.128.70.51 150 12871 INT
> 07-21 07:38:58.649 M ip 192.221.69.45 <-> 198.235.181.254 186 19648 CON
> 07-21 07:46:12.053 M ip 198.235.181.254 <-> 206.33.57.51 153 13344 CON
> 07-21 07:46:12.554 M ip 198.235.180.253 <-> 205.128.90.51 135 13242 CON
> 07-21 07:46:12.554 M ip 192.221.72.51 <-> 198.235.181.254 195 17536 CON
> 07-21 07:46:13.055 M ip 192.221.72.51 <-> 198.235.180.253 153 14223 CON
> 07-21 07:46:13.055 M ip 198.235.181.254 <-> 205.128.90.51 186 16876 CON
> 07-21 07:46:13.557 M ip 4.23.54.51 <-> 198.235.181.254 159 14782 CON
> 07-21 08:02:38.633 M ip 4.23.54.51 <-> 198.235.180.253 195 17005 CON
> 07-21 08:02:39.133 M ip 198.235.180.253 <-> 205.128.70.51 186 17083 CON
> 07-21 08:02:39.634 M ip 198.235.180.253 <-> 206.33.57.51 162 14199 CON
> 07-21 08:13:33.200 e ip 199.212.134.12 -> 205.128.70.51 15 1283 INT
> 07-21 08:13:33.219 e ip 192.221.72.51 <- 199.212.134.12 21 1781 RSP
> 07-21 08:13:34.002 e ip 199.212.134.12 -> 206.33.57.51 19 1594 INT
> 07-21 08:13:34.020 e ip 4.23.54.51 <- 199.212.134.12 17 1442 RSP
> 07-21 08:13:34.804 e ip 192.221.69.45 <- 199.212.134.12 20 1683 RSP
> 07-21 08:35:05.869 e ip 64.7.150.22 <-> 192.221.69.45 2 427 CON
> 07-21 08:47:32.850 M ip 64.7.140.187 -> 205.128.90.51 3 275 INT
> 07-21 08:47:36.808 M ip 64.7.140.187 -> 205.128.70.51 6 550 INT
> 07-21 08:47:40.808 M ip 4.23.54.51 <- 64.7.140.187 12 1100 RSP
> 07-21 08:47:40.808 M ip 64.7.140.187 <-> 192.221.72.51 9 1506 CON
> 07-21 08:47:44.808 M ip 64.7.140.187 -> 192.221.69.45 6 550 INT
> 07-21 08:47:44.808 M ip 64.7.140.187 -> 206.33.57.51 3 275 INT
> 07-21 08:56:15.715 M ip 198.235.180.210 -> 205.128.70.51 3 281 INT
> 07-21 08:56:16.216 M ip 192.221.69.45 <- 198.235.180.210 3 281 RSP
> 07-21 08:56:16.717 M ip 4.23.54.51 <- 198.235.180.210 3 281 RSP
> 07-21 08:56:16.835 M ip 198.235.180.200 -> 205.128.70.51 63 5325 INT
> 07-21 08:56:17.218 M ip 198.235.180.210 -> 205.128.90.51 3 281 INT
> 07-21 08:56:17.641 M ip 192.221.72.51 <-> 198.235.180.200 75 6986 CON
> 07-21 08:56:17.719 M ip 192.221.72.51 <- 198.235.180.210 3 248 RSP
> 07-21 08:56:18.220 M ip 198.235.180.210 -> 206.33.57.51 3 248 INT
> 07-21 08:56:18.449 M ip 198.235.180.200 -> 206.33.57.51 69 5809 INT
> 07-21 08:56:19.257 M ip 198.235.180.200 -> 205.128.90.51 72 6051 INT
> 07-21 08:56:20.065 M ip 192.221.69.45 <- 198.235.180.200 69 5803 RSP
> 07-21 08:56:20.873 M ip 4.23.54.51 <- 198.235.180.200 66 5567 RSP
> 07-21 10:00:19.039 e ip 192.221.72.51 <-> 199.212.134.18 2 425 CON
>
>
> ---Mike
>
>>
>> Destinations that are currently being attacked are,
>>
>> 192.221.69.45
>> 192.221.72.51
>> 205.128.90.51
>> 4.23.54.51
>> 205.128.70.51
>> 206.33.57.51
>> 199.93.56.51
>>
>> Thanks in Advance,
>>
>> Nathan Janish
>> Level3 Communications
>> Manager, Network Security
>> 720.888.3350
>> nathan.janish at level3.com
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
>>
>
>
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
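The racluster matrix listing quoted in the thread lends itself to a quick triage: for each outside peer, which of the attacked destinations it touched, how many packets and bytes it moved, and whether that activity falls in the 07:38 to 08:56 window Mike mentions. The script below is an added example, not code from the thread, from Sentex, from Level 3, or from the Argus project. It parses a subset of the racluster lines quoted above (copied from this page, so the totals it reports are those flows and nothing more) and assumes the year 2011 from the mail date, the ten-column field order seen in the listing, and that the non-target endpoint of any flow touching a listed target is the peer worth ranking; Argus's `<-`/`->` direction markers are carried through but not used for the ranking.

```python
"""Triage racluster -m matrix output against a list of attacked destinations.

Added example, not from the original thread. The flow lines are a subset of the
racluster output quoted in the thread; the parser and the ranking are an
assumed triage approach, not Level 3's or Sentex's method.
"""
from collections import defaultdict
from datetime import datetime

# Destinations Nathan listed as under attack (from the thread).
TARGETS = {
    "192.221.69.45", "192.221.72.51", "205.128.90.51", "4.23.54.51",
    "205.128.70.51", "206.33.57.51", "199.93.56.51",
}

# Subset of the racluster matrix lines quoted in the thread (sample input).
SAMPLE = """\
07-21 06:05:21.699 e ip 199.212.134.12 -> 205.128.90.51 16 1367 INT
07-21 07:38:57.926 M ip 192.221.69.45 <-> 198.235.180.253 228 23426 CON
07-21 07:38:58.148 M ip 198.235.181.254 -> 205.128.70.51 150 12871 INT
07-21 07:46:12.053 M ip 198.235.181.254 <-> 206.33.57.51 153 13344 CON
07-21 07:46:12.554 M ip 198.235.180.253 <-> 205.128.90.51 135 13242 CON
07-21 07:46:12.554 M ip 192.221.72.51 <-> 198.235.181.254 195 17536 CON
07-21 08:47:32.850 M ip 64.7.140.187 -> 205.128.90.51 3 275 INT
07-21 08:47:40.808 M ip 4.23.54.51 <- 64.7.140.187 12 1100 RSP
07-21 08:56:16.835 M ip 198.235.180.200 -> 205.128.70.51 63 5325 INT
07-21 10:00:19.039 e ip 192.221.72.51 <-> 199.212.134.18 2 425 CON
"""

YEAR = 2011  # assumption: racluster prints no year; the mail is dated July 2011


def parse_matrix(text):
    """Parse racluster -L0 -m matrix lines into dicts.

    Assumed field order (as in the thread's listing):
    date time flags proto src dir dst pkts bytes state
    Header lines and lines with a different field count are skipped.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10:
            continue
        date, clock, flags, proto, src, direction, dst, pkts, nbytes, state = fields
        ts = datetime.strptime(f"{YEAR}-{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        records.append({
            "time": ts, "flags": flags, "proto": proto,
            "src": src, "dir": direction, "dst": dst,
            "pkts": int(pkts), "bytes": int(nbytes), "state": state,
        })
    return records


def peer_summary(records, targets, start=None, end=None):
    """Aggregate per non-target peer the traffic it exchanged with any target.

    start/end are "MM-DD HH:MM" strings (assumed format); the window is
    [start, end). Flows between two targets, or with no target endpoint,
    carry no peer to attribute and are ignored.
    """
    def bound(s):
        return None if s is None else datetime.strptime(f"{YEAR}-{s}", "%Y-%m-%d %H:%M")

    lo, hi = bound(start), bound(end)
    summary = defaultdict(lambda: {"pkts": 0, "bytes": 0, "flows": 0,
                                   "targets": set(), "first": None, "last": None})
    for r in records:
        if lo is not None and r["time"] < lo:
            continue
        if hi is not None and r["time"] >= hi:
            continue
        src_is_target, dst_is_target = r["src"] in targets, r["dst"] in targets
        if src_is_target == dst_is_target:
            continue  # both or neither endpoint is a target: nothing to attribute
        target, peer = (r["src"], r["dst"]) if src_is_target else (r["dst"], r["src"])
        s = summary[peer]
        s["pkts"] += r["pkts"]
        s["bytes"] += r["bytes"]
        s["flows"] += 1
        s["targets"].add(target)
        s["first"] = r["time"] if s["first"] is None else min(s["first"], r["time"])
        s["last"] = r["time"] if s["last"] is None else max(s["last"], r["time"])
    return dict(summary)


def rank_peers(summary):
    """Most suspicious first: fan-out across targets, then bytes moved."""
    return sorted(summary.items(),
                  key=lambda kv: (len(kv[1]["targets"]), kv[1]["bytes"]),
                  reverse=True)


if __name__ == "__main__":
    window = peer_summary(parse_matrix(SAMPLE), TARGETS, "07-21 07:38", "07-21 08:57")
    for peer, s in rank_peers(window):
        print(f"{peer:16} targets={len(s['targets'])} flows={s['flows']} "
              f"pkts={s['pkts']} bytes={s['bytes']} "
              f"{s['first']:%H:%M:%S}..{s['last']:%H:%M:%S}")
```

Fan-out across the attacked destinations is the first thing to sort on here: a single customer host that appears against three or more of the listed targets inside the burst window is a better lead than one that moved a lot of bytes to a single address. Feeding the full racluster output (the file Mike reads with `-r`) through `parse_matrix` instead of the embedded sample is the only change needed to run it on the real capture.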