[nsp-sec] Attack against MilNet/DODNic
Smith, Donald
Donald.Smith at qwest.com
Fri Jun 3 14:42:23 EDT 2011
I am sending this to more than one list as a BCC as I don't think all the players needed are on a single list:)
This came in to the handler's list.
The submitter has written in to the list several times in the past and seems like a reasonable person but I don't know him well.
Those of you that want to are welcome to reach out to him via his email address below.
You're also welcome to cc me or not as desired:)
> > Hello,
> > The WinMX P2P network has been undergoing various attacks over the
> > past months. Today that attack was altered to use WinMX as a DDOS
> > amplifier targeting the 7.0.0.0/24 net (MilNet/DODNic)
> >
> > If Sans or anyone can lend us a hand in backtracking these attacks
> > to the source I would be very willing to help. I am very familiar
> > with the interworkings of winmx and the protocol itself (which uses
> > a table encryptor).
> >
> > Please contact me or direct me in the right direction.
> >
> > Thanks,
> > Rod Grimes sabre911 at hotmail.com
> >
> > 10:02:06.222408 IP 205.238.40.2.6699 > 7.41.18.127.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.222422 IP 205.238.40.2.6699 > 7.41.18.128.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.222437 IP 205.238.40.2.6699 > 7.41.18.129.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.291144 IP 205.238.40.2.6699 > 7.41.18.130.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.292629 IP 205.238.40.2.6699 > 7.41.18.131.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.292648 IP 205.238.40.2.6699 > 7.41.18.132.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.292662 IP 205.238.40.2.6699 > 7.41.18.134.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.392642 IP 205.238.40.2.6699 > 7.41.18.135.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.393018 IP 205.238.40.2.6699 > 7.41.18.141.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.393200 IP 205.238.40.2.6699 > 7.41.18.142.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.393383 IP 205.238.40.2.6699 > 7.41.18.143.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.408284 IP 205.238.40.2.51862 > 7.16.230.12.25: S
> > 3530905486:3530905486(0) win 65535 <mss 1460,nop,nop,sackOK>
> > 10:02:06.408456 IP 205.238.40.2.49416 > 7.16.230.13.25: S
> > 4039852986:4039852986(0) win 65535 <mss 1460,nop,nop,sackOK>
Sharing: Author's permission required except within your organization.
Donald.Smith at qwest.com
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
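Added example, not part of the original message and not written by either correspondent: a Python triage of tcpdump text in the format quoted above. It rejoins the mail-wrapped lines and reports, per source, the destination fan-out, the smallest prefix covering the destinations, the port pairs, and the port-53 packets tcpdump could not decode; the function names and the 49152 ephemeral-port cutoff are choices made for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Three records copied from the capture quoted above, mail quoting and wrapping intact.
SAMPLE = """\
> > 10:02:06.222408 IP 205.238.40.2.6699 > 7.41.18.127.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.393383 IP 205.238.40.2.6699 > 7.41.18.143.53: 13107 op8+
> > [b2&3=0x43ee] [38296a] [32139q] [40279n] [10909au][|domain]
> > 10:02:06.408284 IP 205.238.40.2.51862 > 7.16.230.12.25: S
> > 3530905486:3530905486(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

QUOTE = re.compile(r"^(?:>\s*)+")  # leading mail-quote markers
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):\s*(.*)$")
ip = ipaddress.ip_address

def parse(text):
    """Return [src, sport, dst, dport, detail] records, rejoining wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        m = HEADER.match(line)
        if m:
            records.append([ip(m[1]), int(m[2]), ip(m[3]), int(m[4]), m[5]])
        elif line and records:
            records[-1][4] += " " + line  # continuation of the previous packet
    return records

def covering_prefix(addrs):
    """Smallest single IPv4 network that contains every address in addrs."""
    lo, hi = int(min(addrs)), int(max(addrs))
    plen = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{plen}", strict=False)

def summarize(text):
    """Per source address: fan-out, covering prefix, port pairs, truncated DNS count."""
    out = defaultdict(lambda: {"dsts": set(), "ports": Counter(), "bad_dns": 0})
    for src, sport, dst, dport, detail in parse(text):
        s = out[str(src)]
        s["dsts"].add(dst)
        # Fold ephemeral source ports together so a fixed source port stands out.
        s["ports"][(sport if sport < 49152 else "ephemeral", dport)] += 1
        # "[|domain]" is tcpdump's marker that its DNS decode ran out of data.
        s["bad_dns"] += dport == 53 and "[|domain]" in detail
    return {src: {"fanout": len(s["dsts"]), "prefix": str(covering_prefix(s["dsts"])),
                  "ports": dict(s["ports"]), "bad_dns": s["bad_dns"]}
            for src, s in out.items()}
```

Calling `summarize(SAMPLE)` returns one entry for 205.238.40.2; the same function can be fed a full capture saved as text to rank sources by fan-out.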