[nsp-sec] DDoS towards 12.19.225.108

William Salusky william.salusky at teamaol.com
Tue Nov 1 15:41:44 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I had one user session who appears to have been participating in the
ddos for ~15 minutes but they went offline before I could take a look at
traffic.  Based on flow, it looks like the ddos is also hitting
193.23.181.38.  With my 1:1000 netflow I see nothing else that helps to
identify a controller.  If the user comes back online, I can find it.

itzod.ru. IN A 193.23.181.38
pool.itzod.ru. IN A 193.23.181.38
anatolymik.itzod.ru. IN A 193.23.181.38
inf-it.ru. IN A 193.23.181.38
brandopt.ru. IN A 193.23.181.38
mail.brandopt.ru. IN A 193.23.181.38
www.china-e-trade.ru. IN A 193.23.181.38
trackservices.ws. IN A 193.23.181.38
www.trackservices.ws. IN A 193.23.181.38
secretsline.biz. IN A 193.23.181.38          <= Target ????
o2epc.com. IN A 193.23.181.38
lizmovies.com. IN A 193.23.181.38
www.lizmovies.com. IN A 193.23.181.38
mollygays.com. IN A 193.23.181.38
www.mollygays.com. IN A 193.23.181.38
tovarcash.com. IN A 193.23.181.38
lightpornmovies.com. IN A 193.23.181.38

W

On 11/1/11 11:33 AM, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
>
> Update 1: looks like there is a lot of port 443/TCP hitting the site as
> well. Waiting on some log files.
>
> On 11/01/2011 03:25 PM, Nicholas Ianelli wrote:
> > ----------- nsp-security Confidential --------
>
> > Folks,
>
> > I've been given permission to share this with you. Currently a DDoS
> > attack is ongoing targeting 12.19.225.108. This is a financially
> > motivated attack, similar to what was seen October 21/22.
>
> > At that time the C2s directing the attack were:
>
> > s0r.ru
> > 193.105.240.212
>
> > Both of these were Dirt Jumper based botnets.
>
> > While I'm still gathering information, I'm asking for assistance in
> > tracking down IPs sending large amounts of packets to 12.19.225.108
> > (it's believed to be port 80/TCP based).
>
> > I'm trying to find the C2, but if you can squash contributors, that
> > would be awesome.
>
> > Thanks!
> > Nick
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iEYEARECAAYFAk6wS3gACgkQXyx2ON3+G40MrQCgzJAOl0E8FjA6kM2FcyaytRS2
agYAoNALseKnzEg7FyYcAybqe3TZM6sm
=m8KT
-----END PGP SIGNATURE-----
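The request in the thread is to pull contributors out of sampled flow: sources sending lots of packets to 12.19.225.108 (80/TCP, later 443/TCP too), and William's observation that the same sources also hit 193.23.181.38. The script below is an added example, not code from the thread or from either poster. It aggregates a constructed, whitespace-separated flow export (not a real NetFlow capture) per source toward the two target IPs named in the thread, scales by the 1:1000 sampling rate from the post, and flags sources that hit more than one target. The thresholds (MIN_EST_PACKETS, MIN_SAMPLED_PACKETS) and the flow record format are assumptions for the example.

```python
"""Find likely DDoS contributors in 1:1000 sampled flow data.

Added example for the nsp-security thread above; not code from the original
post.  The flow records in SAMPLE_FLOWS are constructed, not real captures.
"""
from collections import defaultdict

# Targets named in the thread: Nick's victim and the co-target William saw in flow.
TARGETS = {"12.19.225.108", "193.23.181.38"}
SAMPLING_RATE = 1000            # 1:1000 packet sampling, as stated in the post
ATTACK_PORTS = {80, 443}        # 80/TCP reported first, 443/TCP in "Update 1"
TCP = 6
# Assumed thresholds (not from the post): estimated packets a source must have
# sent toward the targets, and the minimum *sampled* packets before the estimate
# is trusted at all (one sampled packet extrapolates to 1000 and is noise).
MIN_EST_PACKETS = 10_000
MIN_SAMPLED_PACKETS = 5

# Constructed sample export: src dst proto dport packets bytes
SAMPLE_FLOWS = """\
# src        dst            proto dport pkts  bytes
10.0.0.5     12.19.225.108  6     80    120   7200
10.0.0.5     193.23.181.38  6     80    40    2400
10.0.0.7     12.19.225.108  6     443   85    5100
10.0.0.9     12.19.225.108  6     80    1     60
10.0.0.9     12.19.225.108  6     25    300   18000
10.0.0.11    198.51.100.20  6     80    500   40000
"""


def parse_flows(text):
    """Parse the simple whitespace format above into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, byts = line.split()
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "dport": int(dport), "packets": int(pkts),
                      "bytes": int(byts)})
    return flows


def find_contributors(flows, targets=TARGETS, rate=SAMPLING_RATE,
                      ports=ATTACK_PORTS, min_est=MIN_EST_PACKETS,
                      min_sampled=MIN_SAMPLED_PACKETS):
    """Sum sampled packets per source toward the targets on the attack ports,
    scale by the sampling rate, and return sources over threshold, highest
    estimate first.  Each entry records which targets the source hit, so a
    host hammering both victims (one attack, two targets) stands out."""
    agg = defaultdict(lambda: {"sampled": 0, "targets": set()})
    for f in flows:
        if (f["dst"] not in targets or f["proto"] != TCP
                or f["dport"] not in ports):
            continue
        agg[f["src"]]["sampled"] += f["packets"]
        agg[f["src"]]["targets"].add(f["dst"])

    out = []
    for src, a in agg.items():
        est = a["sampled"] * rate
        # Drop sources with too few sampled packets: at 1:1000 the estimate
        # for them is dominated by sampling noise, not by their real rate.
        if a["sampled"] < min_sampled or est < min_est:
            continue
        out.append({"src": src,
                    "sampled_pkts": a["sampled"],
                    "est_pkts": est,
                    "targets": sorted(a["targets"]),
                    "multi_target": len(a["targets"]) > 1})
    out.sort(key=lambda r: r["est_pkts"], reverse=True)
    return out


if __name__ == "__main__":
    for r in find_contributors(parse_flows(SAMPLE_FLOWS)):
        print(r)
```

On the constructed data, 10.0.0.5 (hitting both targets) and 10.0.0.7 come out as contributors; 10.0.0.9 is dropped because a single sampled packet on port 80 says nothing at 1:1000, and its port 25 traffic is ignored as off-port. That minimum-sampled-packets guard is the practical reason heavily sampled flow shows the loud participants but rarely the low-volume C2 check-ins William says he could not find.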