[nsp-sec] Apparent outbound DDoS attacks against: 79.116.2.258, 204.188.217.52, 60.247.126.128 and 202.79.7.22
John Fraizer
john at op-sec.us
Fri Sep 16 16:33:07 EDT 2011
Infected host also has flows with 208.83.20.130 TCP/6667 as well as the
following hosts with the infected host at TCP/32976:
nfdump filter:
port 32976
Top 500 IP Addr ordered by flows:
Date first seen          Duration  Proto  IP Addr         Flows(%)    Packets(%)  Bytes(%)      pps  bps  bpp
2011-09-16 19:59:31.152  609.413   any    74.112.172.29   106(100.0)  230(100.0)  10808(100.0)  0    141  46
2011-09-16 19:59:31.152  609.413   any    98.156.29.62    58(54.7)    120(52.2)   5646(52.2)    0    74   47
2011-09-16 19:59:46.073  570.808   any    69.76.158.222   48(45.3)    110(47.8)   5162(47.8)    0    72   46
On Fri, Sep 16, 2011 at 4:25 PM, John Fraizer <john at op-sec.us> wrote:
> Current target is: 178.157.82.33 TCP/53 @ 41Kpps, 15.1Mb/s
> Attack started: 2011-09-16 20:08:28.334 UTC
>
>