[nsp-sec] Any intel on DDoS attack that impacted HE
Chris Morrow
morrowc at ops-netman.net
Wed Oct 5 10:40:04 EDT 2011
On 10/05/11 10:33, Jose Nazario wrote:
> ----------- nsp-security Confidential --------
>
> looks like one of the yoyoddos bots we're tracking may be responsible.
>
> malware=# SELECT timestamp, cc_host, cc_channel, target_host, target_ip from ddos_commands where target_asn = 6939 order by timestamp desc;
> timestamp | cc_host | cc_channel | target_host | target_ip
> ---------------------+--------------------------------------------+-------------------+-----------------------------------------------+-----------------
> 2011-09-14 11:10:22 | 110.165.49.66 | yoyoddos | youcaiqq.gnway.net |
> 2011-09-14 11:10:22 | 110.165.49.66 | yoyoddos | youcaiqq.gnway.net | 199.192.155.222
> 2011-08-30 23:02:42 | 121.10.107.117 | yoyoddos | NS1.HE.NET |
> 2011-08-30 23:02:42 | 121.10.107.117 | yoyoddos | NS1.HE.NET | 216.218.130.2
> 2011-08-30 22:01:14 | 121.10.107.117 | yoyoddos | NS1.HE.NET |
> 2011-08-30 22:01:14 | 121.10.107.117 | yoyoddos | NS1.HE.NET | 216.218.130.2
> 2011-08-30 21:00:09 | 121.10.107.117 | yoyoddos | NS1.HE.NET |
> 2011-08-30 21:00:09 | 121.10.107.117 | yoyoddos | NS1.HE.NET | 216.218.130.2
> 2011-08-30 19:58:38 | 121.10.107.117 | yoyoddos | NS1.HE.NET |
> 2011-08-30 19:58:38 | 121.10.107.117 | yoyoddos | NS1.HE.NET | 216.218.130.2
> 2011-08-30 18:58:56 | 121.10.107.117 | yoyoddos | NS1.HE.NET |
> 2011-08-30 18:58:56 | 121.10.107.117 | yoyoddos | NS1.HE.NET | 216.218.130.2
> ...
those don't look like routers...
>
> On Oct 5, 2011, at 9:59 AM, Nicholas Ianelli wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> Sent a mail over to some HE guys, wondering if anyone else had any
>> insight into this.
>>
>> Appears there was an attack on the 29th (according to their Twitter
>> feed, lasted ~20 minutes).
>>
>> Then another attack on October 3rd that appears much more severe:
>>
>> https://lists.mayfirst.org/pipermail/service-advisories/2011-October/000292.html
>>
>> Appears to have impacted at least UK, Delaware, Boston and California
>> regions.
>>
>> We've received the following update from our upstream provider,
>> Hurricane Electric, regarding last night's outage:
>>
>> ---
>>
>> On October 3rd we experienced a large attack against multiple core
>> routers on a scale and in ways not previously done against us. We had
>> various forms of attack mitigation already in place, we have added more.
>> It was all fixable in the end, just the size and number of routers
>> getting attacked and the figuring out what attacks were doing what to
>> what took some time. The attack mitigation techniques we've added will
>> be left in place. We are continuing to add additional layers of security
>> to increase the resiliency of the network.
>>
>> Because the attackers were changing their methods and watching how their
>> attacks were responded to, we are not at liberty to elaborate on the
>> nature of the security precautions taken.
>>
>> Cheers,
>> Nick
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> blog: http://asert.arbor.net/
> twitter: @arbornetworks
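Jose's query above pulls tracked C2 commands by target ASN; as an added example (not code from the thread or from Arbor's tracker), the following Python does that attribution from the target IP and then checks whether a C2 host's command window overlaps a reported outage interval. The sample rows, the 216.218.128.0/17 prefix-to-AS entry and the outage times are constructed or assumed for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows shaped like the quoted ddos_commands table: (timestamp,
# cc_host, cc_channel, target_host, target_ip). The NS1.HE.NET rows reuse values quoted
# in the thread; the gnway row is a non-HE target; target_ip None means no resolved IP.
COMMANDS = [
    ("2011-09-14 11:10:22", "110.165.49.66", "yoyoddos", "youcaiqq.gnway.net", "199.192.155.222"),
    ("2011-08-30 23:02:42", "121.10.107.117", "yoyoddos", "NS1.HE.NET", None),
    ("2011-08-30 23:02:42", "121.10.107.117", "yoyoddos", "NS1.HE.NET", "216.218.130.2"),
    ("2011-08-30 22:01:14", "121.10.107.117", "yoyoddos", "NS1.HE.NET", "216.218.130.2"),
    ("2011-08-30 21:00:09", "121.10.107.117", "yoyoddos", "NS1.HE.NET", "216.218.130.2"),
    ("2011-08-30 19:58:38", "121.10.107.117", "yoyoddos", "NS1.HE.NET", "216.218.130.2"),
    ("2011-08-30 18:58:56", "121.10.107.117", "yoyoddos", "NS1.HE.NET", "216.218.130.2"),
]
# Assumed prefix-to-origin-AS table standing in for a BGP/RIB lookup; the
# 216.218.128.0/17 -> 6939 entry is an assumption made for this example.
PREFIX_ASN = [(ip_network("216.218.128.0/17"), 6939)]
FMT = "%Y-%m-%d %H:%M:%S"

def target_asn(ip):
    """Longest-prefix match of ip against PREFIX_ASN; None if unresolved or not covered."""
    hits = [(net.prefixlen, asn) for net, asn in PREFIX_ASN if ip and ip_address(ip) in net]
    return max(hits)[1] if hits else None

def commands_for_asn(records, asn):
    """Same selection as the quoted query, newest first; rows without an IP cannot be attributed."""
    return sorted((r for r in records if target_asn(r[4]) == asn), key=lambda r: r[0], reverse=True)

def attack_windows(records, asn, gap=timedelta(hours=2)):
    """Cluster matching commands per C2 host into (cc_host, first, last); a silence longer than gap starts a new window."""
    by_host = {}
    for r in commands_for_asn(records, asn):
        by_host.setdefault(r[1], []).append(datetime.strptime(r[0], FMT))
    windows = []
    for host, stamps in by_host.items():
        stamps.sort()
        start = prev = stamps[0]
        for t in stamps[1:]:
            if t - prev > gap:
                windows.append((host, start.strftime(FMT), prev.strftime(FMT)))
                start = t
            prev = t
        windows.append((host, start.strftime(FMT), prev.strftime(FMT)))
    return windows

def overlaps_outage(windows, outage_start, outage_end):
    """C2 hosts whose command window overlaps the reported outage interval (same timestamp format)."""
    s, e = datetime.strptime(outage_start, FMT), datetime.strptime(outage_end, FMT)
    return sorted({h for h, a, b in windows if datetime.strptime(a, FMT) <= e and datetime.strptime(b, FMT) >= s})
```

Timestamps in the tracker and in the provider's reports may be in different time zones, so normalise both to UTC before trusting an overlap.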