[nsp-sec] Apparent outbound DDoS attacks against: 79.116.2.258, 204.188.217.52, 60.247.126.128 and 202.79.7.22
John Fraizer
john at op-sec.us
Fri Sep 16 16:49:26 EDT 2011
By another coincidence, shortly after the host started having flows to the
DDoS-RS IP, it also started some ICMP heartbeats as follows:
nfdump filter:
proto icmp and bpp 1044

Date flow start          Duration   Proto  Src IP Addr:Port       Dst IP Addr:Port    Out Pkt  In Pkt  Out Byte  In Byte  Flows
2011-09-16 09:33:05.332  39658.647  ICMP   74.112.172.29:0   <->  210.163.43.1:0.0          0     554         0   578376    513
2011-09-16 09:33:14.550  39720.711  ICMP   74.112.172.29:0   <->  212.110.79.74:0.0         0     221         0   230724    221

Summary: total flows: 734, total bytes: 809100, total packets: 775,
avg bps: 162, avg pps: 0, avg bpp: 1044
Time window: 2011-09-16 09:33:05 - 2011-09-16 20:35:15
Total flows processed: 13643, Blocks skipped: 0, Bytes read: 744252
Sys: 0.006s flows/second: 1949557.0 Wall: 0.004s flows/second: 2939034.9
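The heartbeat signature in the post (ICMP, a fixed 1044 bytes per packet, flows lasting all day at well under one packet per second) can be turned into a reusable triage check over exported flow records. The following is an added example, not part of the original post: the record layout and the sample lines are constructed to mirror the nfdump columns above, and the thresholds are assumptions, not values from the list.

```python
from dataclasses import dataclass

# Constructed sample records modelled on the post's nfdump output.
# Columns: date, start, duration_s, proto, src, dst, out_pkt, in_pkt, out_byte, in_byte, flows.
# The first two lines reproduce the two heartbeat flows; the rest are benign filler.
SAMPLE_FLOWS = """\
2011-09-16 09:33:05.332 39658.647 ICMP 74.112.172.29:0 210.163.43.1:0.0 0 554 0 578376 513
2011-09-16 09:33:14.550 39720.711 ICMP 74.112.172.29:0 212.110.79.74:0.0 0 221 0 230724 221
2011-09-16 10:02:11.004 12.310 ICMP 74.112.172.29:0 198.51.100.7:0.0 0 4 0 336 4
2011-09-16 10:05:00.000 3600.000 TCP 74.112.172.29:51234 203.0.113.9:80 1200 1300 96000 1500000 40
"""


@dataclass
class Flow:
    start: str
    duration: float   # seconds the aggregated flow was alive
    proto: str
    src: str
    dst: str
    in_pkt: int
    in_byte: int
    flows: int        # number of individual flow records aggregated

    @property
    def bpp(self) -> float:
        """Bytes per packet, the quantity nfdump's 'bpp' filter keyword matches on."""
        return self.in_byte / self.in_pkt if self.in_pkt else 0.0

    @property
    def pps(self) -> float:
        return self.in_pkt / self.duration if self.duration else 0.0


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed whitespace-separated layout into Flow objects."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11:        # skip headers, summaries and malformed lines
            continue
        out.append(Flow(start=f"{f[0]} {f[1]}", duration=float(f[2]), proto=f[3],
                        src=f[4], dst=f[5], in_pkt=int(f[7]), in_byte=int(f[9]),
                        flows=int(f[10])))
    return out


def find_icmp_heartbeats(flows, bpp=1044, min_duration=3600.0, max_pps=1.0):
    """Flag ICMP flows with a fixed packet size, long lifetime and a trickle rate.
    Returns (src, dst, bpp, flow_count) tuples; thresholds are assumed defaults."""
    hits = []
    for f in flows:
        if f.proto != "ICMP" or not f.in_pkt:
            continue
        if abs(f.bpp - bpp) < 1e-9 and f.duration >= min_duration and f.pps <= max_pps:
            hits.append((f.src, f.dst, round(f.bpp), f.flows))
    return hits
```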