[nsp-sec] Any intel on DDoS attack that impacted HE
Jose Nazario
jose at arbor.net
Wed Oct 5 10:33:12 EDT 2011
Looks like one of the yoyoddos bots we're tracking may be responsible.
malware=# SELECT timestamp, cc_host, cc_channel, target_host, target_ip from ddos_commands where target_asn = 6939 order by timestamp desc;
      timestamp      |    cc_host     | cc_channel |    target_host     |    target_ip
---------------------+----------------+------------+--------------------+-----------------
 2011-09-14 11:10:22 | 110.165.49.66  | yoyoddos   | youcaiqq.gnway.net |
 2011-09-14 11:10:22 | 110.165.49.66  | yoyoddos   | youcaiqq.gnway.net | 199.192.155.222
 2011-08-30 23:02:42 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         |
 2011-08-30 23:02:42 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         | 216.218.130.2
 2011-08-30 22:01:14 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         |
 2011-08-30 22:01:14 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         | 216.218.130.2
 2011-08-30 21:00:09 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         |
 2011-08-30 21:00:09 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         | 216.218.130.2
 2011-08-30 19:58:38 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         |
 2011-08-30 19:58:38 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         | 216.218.130.2
 2011-08-30 18:58:56 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         |
 2011-08-30 18:58:56 | 121.10.107.117 | yoyoddos   | NS1.HE.NET         | 216.218.130.2
...
On Oct 5, 2011, at 9:59 AM, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> Sent a mail over to some HE guys, wondering if anyone else had any
> insight into this.
>
> Appears there was an attack on the 29th (according to their Twitter
> feed, lasted ~20 minutes).
>
> Then another attack on October 3rd that appears much more severe:
>
>
> https://lists.mayfirst.org/pipermail/service-advisories/2011-October/000292.html
>
> Appears to have impacted at least UK, Delaware, Boston and California
> regions.
>
>
> We've received the following update from our upstream provider,
> Hurricane Electric, regarding last night's outage:
>
> ---
>
> On October 3rd we experienced a large attack against multiple core
> routers on a scale and in ways not previously done against us. We had
> various forms of attack mitigation already in place, we have added more.
> It was all fixable in the end, just the size and number of routers
> getting attacked and the figuring out what attacks were doing what to
> what took some time. The attack mitigation techniques we've added will
> be left in place. We are continuing to add additional layers of security
> to increase the resiliency of the network.
>
> Because the attackers were changing their methods and watching how their
> attacks were responded to, we are not at liberty to elaborate on the
> nature of the security precautions taken.
>
>
> Cheers,
> Nick
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
blog: http://asert.arbor.net/
twitter: @arbornetworks