[nsp-sec] DDOS against some SUNET hosts

Torbjorn.Wictorin at cert.sunet.se Torbjorn.Wictorin at cert.sunet.se
Wed Mar 23 12:42:38 EDT 2011 

hello,

today Feb 24 between about between 10 and 11 UTC,
some hosts on 130.237.157.* where the subject of a
rather heavy ddos attack, a large part thereof against
130.237.157.246, udp ports 8812 and 8818.

Below are the most notable source ip:s. Note of course
that this is UDP, source ip:s could be faked, but hopefully
someone could detect the bot/c&c:

AS        IP                 CY   #pkts
7545    | 203.213.78.8     | AU | 23422           | TPG-INTERNET-AP TPG Internet Pty Ltd
4808    | 123.125.10.194   | CN | 20371           | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
8551    | 62.219.14.159    | IL | 17358           | BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
18101   | 220.227.97.101   | IN | 11335           | RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
3462    | 210.71.253.74    | TW | 11258           | HINET Data Communication Business Group
7552    | 203.113.137.166  | VN | 11072           | VIETEL-AS-AP Vietel Corporation
1930    | 193.136.19.70    | PT | 8105            | RCCN Rede Ciencia Tecnologia e Sociedade (RCTS)
1659    | 163.24.40.254    | TW | 7025            | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
18126   | 115.38.106.152   | JP | 6444            | CTCX Chubu Telecommunications Company, Inc.
17676   | 126.12.13.237    | JP | 5633            | GIGAINFRA Softbank BB Corp.
2497    | 210.138.60.146   | JP | 4379            | IIJ Internet Initiative Japan Inc.
17676   | 126.117.3.253    | JP | 4161            | GIGAINFRA Softbank BB Corp.
21788   | 173.212.233.135  | US | 3900            | NOC - Network Operations Center Inc.
4538    | 210.39.15.246    | CN | 3875            | ERX-CERNET-BKB China Education and Research Network Center
45804   | 203.147.88.6     | IN | 3846            | MEGHBELA-IN MEGHBELA BROADBAND
3450    | 160.36.31.158    | US | 3735            | UTK - The University of Tennessee Health Science Center
19957   | 160.36.31.158    | US | 3735            | TENNESSEE-NET - Bell South
4808    | 202.108.28.119   | CN | 3665            | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
1659    | 120.106.162.4    | TW | 3658            | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
38731   | 210.211.108.218  | VN | 3615            | VTDC-AS-VN Vietel - CHT Compamy Ltd
7552    | 125.235.242.21   | VN | 3590            | VIETEL-AS-AP Vietel Corporation
2614    | 193.231.29.55    | RO | 3422            | ROEDUNET Agentia pentru Administrarea Retelei de Informatica pentru Educatie si Cercetare
4713    | 60.32.178.140    | JP | 3407            | OCN NTT Communications Corporation
4713    | 114.160.58.251   | JP | 3293            | OCN NTT Communications Corporation
8721    | 212.31.2.103     | TR | 3255            | Hurriyet
4538    | 202.117.23.253   | CN | 3190            | ERX-CERNET-BKB China Education and Research Network Center
9457    | 125.57.71.39     | KR | 3131            | DREAMX-AS DREAMLINE CO.
8517    | 193.255.197.26   | TR | 3111            | ULAKNET ULAKNET-ASN
376     | 132.208.43.20    | CA | 3037            | RISQ-AS - Reseau Interordinateurs Scientique Quebecois (RISQ)
1659    | 163.22.56.2      | TW | 2988            | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
33770   | 41.72.202.210    | KE | 2980            | KDN
9533    | 202.44.39.120    | TH | 2939            | KMITNB-AS-AP King Mongkut_s Institute of Technology North Bangkok
4538    | 202.206.218.79   | CN | 2926            | ERX-CERNET-BKB China Education and Research Network Center
28898   | 62.221.132.182   | BG | 2919            | CABLETEL-AS CableTEL AD
38731   | 115.84.179.212   | VN | 2889            | VTDC-AS-VN Vietel - CHT Compamy Ltd
10430   | 164.116.35.29    | US | 2885            | WA-K20 - Washington State K-20 Telecommunications Network
9121    | 212.156.89.70    | TR | 2856            | TTNET Turk Telekomunikasyon Anonim Sirketi
38038   | 203.194.112.5    | MN | 2834            | SANSAR-INTERNET-AS Sansar-Internet Co.,ltd. Internet Service
1659    | 163.20.68.154    | TW | 2826            | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
33871   | 89.250.29.65     | RU | 2808            | NORILSK-TELECOM-AS Norilsk-Telecom Ltd.
12455   | 212.49.85.173    | KE | 2778            | JAMBONET
4837    | 60.208.116.99    | CN | 2772            | CHINA169-BACKBONE CNCGROUP China169 Backbone
376     | 132.208.168.72   | CA | 2740            | RISQ-AS - Reseau Interordinateurs Scientique Quebecois (RISQ)
24086   | 125.214.19.82    | VN | 2735            | ETC-AS-VN Electric Telecommunication Company
55488   | 202.29.4.111     | TH | 2668            | NRRU-AS-AP Nakorn Ratchasima Rajabhat University
4538    | 202.112.117.39   | CN | 2662            | ERX-CERNET-BKB China Education and Research Network Center
1659    | 163.20.120.188   | TW | 2642            | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
1659    | 163.13.176.224   | TW | 2625            | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
1659    | 210.240.175.128  | TW | 2618            | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center

Torbjörn Wictorin,
SUNet CERT

More information about the nsp-security mailing list