[nsp-sec] Apparent outbound DDoS attacks against: 79.116.2.258, 204.188.217.52, 60.247.126.128 and 202.79.7.22

John Fraizer john at op-sec.us
Fri Sep 16 15:13:20 EDT 2011


So I've got this host who is communicating with:

74.55.36.105  tcp  3303  bot    ID: safe.ircd.com  DNSRR: safe.linuxsecured.net
The host connected to the botnet at 2011-09-16 09:29:38.717 UTC.

I see the first outbound attack begin at 12:36:51.013 UTC as a 1-minute
flood to 79.116.2.258 UDP/53 (2.8M packets, 48 Bpp @ ~17Mb/s).

I see the second outbound attack begin at 2011-09-16 13:25:04.073 UTC as a
2.5-minute flood to 204.188.217.52 UDP/53 with subsequent attacks of
1-minute, 2-minutes and 1.5-minutes over the next ten minutes.

I see the next outbound attack begin at 2011-09-16 15:08:35.579 UTC as a
series of 30-second to 1-minute floods (UDP/53) against 60.247.126.128 and
202.79.7.22 until 2011-09-16 15:53:14.873 UTC.

Does anyone have any information on this botnet or any interest? ;-)

~John
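Detection logic a defender could run over exported flow records to pick out the pattern described above (short, high-rate, small-packet UDP/53 flows from a host that earlier reached the C2 tuple), as an added example that is not part of the original post or the nsp-sec list. The flow records, the internal source 10.0.0.5 and the thresholds are constructed assumptions; only the C2 tuple and the first flood's packet count and size come from the post.

```python
from datetime import datetime

# Constructed flow records (not from the post), NetFlow-like:
# (start, end, src, dst, proto, dport, packets, bytes).
# Row 3 mirrors the post's first flood (2.8M packets at 48 bytes/packet over
# one minute); row 1 reuses the post's C2 tuple; row 2 is an ordinary lookup.
FLOWS = [
    ("2011-09-16 09:29:38", "2011-09-16 09:29:40", "10.0.0.5", "74.55.36.105", "tcp", 3303, 12, 960),
    ("2011-09-16 12:30:00", "2011-09-16 12:30:01", "10.0.0.5", "192.0.2.53", "udp", 53, 3, 210),
    ("2011-09-16 12:36:51", "2011-09-16 12:37:51", "10.0.0.5", "79.116.2.258", "udp", 53, 2_800_000, 134_400_000),
    ("2011-09-16 13:25:04", "2011-09-16 13:27:34", "10.0.0.5", "204.188.217.52", "udp", 53, 6_900_000, 331_200_000),
]
C2 = {("74.55.36.105", "tcp", 3303)}  # the bot controller named in the post
FMT = "%Y-%m-%d %H:%M:%S"


def flow_stats(flow):
    """Duration in seconds, packets/s, bytes/packet and Mb/s for one record."""
    start, end, _, _, _, _, packets, nbytes = flow
    seconds = (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds()
    seconds = max(seconds, 1.0)  # guard sub-second flows against division by zero
    return seconds, packets / seconds, nbytes / packets, nbytes * 8 / seconds / 1e6


def c2_contact_before(flows, src, when):
    """True if `src` completed a flow to a known C2 tuple before timestamp `when`."""
    limit = datetime.strptime(when, FMT)
    return any(f[2] == src and (f[3], f[4], f[5]) in C2
               and datetime.strptime(f[1], FMT) < limit for f in flows)


def find_udp53_floods(flows, min_pps=10_000, max_bpp=100):
    """Flag outbound UDP/53 flows that look like floods: sustained high packet
    rate with small, uniform packets, and note whether the source had already
    talked to the C2 tuple (the sequence the post describes)."""
    floods = []
    for flow in flows:
        start, _, src, dst, proto, dport, packets, _ = flow
        if proto != "udp" or dport != 53:
            continue
        seconds, pps, bpp, mbps = flow_stats(flow)
        if pps >= min_pps and bpp <= max_bpp:
            floods.append({"src": src, "dst": dst, "start": start, "seconds": seconds,
                           "packets": packets, "bpp": round(bpp), "mbps": round(mbps, 1),
                           "c2_seen_first": c2_contact_before(flows, src, start)})
    return floods
```

Running `find_udp53_floods(FLOWS)` reproduces the post's own arithmetic for the first flood: 2.8M packets at 48 bytes over 60 seconds is about 17.9 Mb/s.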
