[nsp-sec] Inbound DDoS attack towards 80.227.124.182/32 (AS15802) on UDP/53
Carol Overes
Carol.Overes at du.ae
Thu Sep 29 10:06:20 EDT 2011
Dear all,
One of our customers faced a UDP/53 flood on 29 September between 00:51 and 07:37 (UTC). The incoming traffic was flowing on all ingress points, upstream and peers, of our network. The attack didn't last for the whole 6 hours. Between 00:51 and 07:37 we observed 10 attacks; the average time of each attack was around 30 minutes.
As soon as the attack was detected we activated our mitigation devices to clean the traffic, but the traffic was still flowing over the ingress points. With the help of the upstreams, especially Level-3 (thanks!), we managed to push the attack further back.
I would be very much interested to hear if someone has seen flows towards 80.227.124.182/32 within the mentioned timeframe, and if anyone can identify C&C comms which might be related to this attack.
Traffic characteristics:
* Victim IP: 80.227.124.182/32
* Destination ASN: AS15802
* Destination port: 53
* Transport protocol: UDP
* Source IP addresses: almost 7000 unique IP addresses (possibly spoofed, and sampling rate 1/1000)
Statistics of the attack:
* Pps at maximum peak rate: 15 Mpps
* Gbps at maximum peak rate: 72.8 Gbps
Any help is very much appreciated. Many thanks in advance.
Kind regards,
Carol Overes
Incident Handling and Threat Analyst
Technology
Emirates Integrated Telecommunications Company, PJSC
P.O. Box 502666, Dubai, U.A.E.
www.du.ae