[nsp-sec] DDoS against Azerbaijan gov-CERT, April 24: Softlayer, HopOne
Bill Woodcock
woody at pch.net
Sun Apr 22 16:45:06 EDT 2012
Forwarded at the request of the originator.
v4.whois.cymru.com
[v4.whois.cymru.com]
AS | IP | AS Name
36351 | 184.172.176.54 | SOFTLAYER - SoftLayer Technologies Inc.
14361 | 66.148.120.124 | HOPONE-GLOBAL - HopOne Internet Corporation
21844 | 174.121.134.34 | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
[v4-peer.whois.cymru.com]
PEER_AS | IP | AS Name
209 | 184.172.176.54 | ASN-QWEST - Qwest Communications Company, LLC
1299 | 184.172.176.54 | TELIANET TeliaNet Global Network
2914 | 184.172.176.54 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3549 | 184.172.176.54 | GBLX Global Crossing Ltd.
4565 | 184.172.176.54 | MEGAPATH2-US - MegaPath Networks Inc.
7843 | 184.172.176.54 | TWCABLE-BACKBONE - Road Runner HoldCo LLC
10310 | 184.172.176.54 | YAHOO-1 - Yahoo!
2381 | 66.148.120.124 | WISCNET1-AS - WiscNet
3257 | 66.148.120.124 | TINET-BACKBONE Tinet SpA
3356 | 66.148.120.124 | LEVEL3 Level 3 Communications
3549 | 66.148.120.124 | GBLX Global Crossing Ltd.
3561 | 66.148.120.124 | SAVVIS - Savvis
4565 | 66.148.120.124 | MEGAPATH2-US - MegaPath Networks Inc.
6939 | 66.148.120.124 | HURRICANE - Hurricane Electric, Inc.
10310 | 66.148.120.124 | YAHOO-1 - Yahoo!
11164 | 66.148.120.124 | INTERNET2-TRANSITRAIL-CPS - National LambdaRail, LLC
36351 | 174.121.134.34 | SOFTLAYER - SoftLayer Technologies Inc.
-Bill
Begin forwarded message:
> From: "CERT.GOV.AZ" <first-rep at cert.gov.az>
> Date: April 22, 2012 8:33:13 AM PDT
> To: "'FIRST Secretariat'" <first-sec at first.org>
> Cc: first-reps at first.org
> Subject: [1st-reps] Attack!!! Urgent HELP needed!!!
>
> Dear Sirs,
>
> I would like to inform you about the DDOS attack that we faced on
> 18/Apr/2012:19:59:18 +0500 - 18/Apr/2012:20:14:51 +0500 and on
> 18/Apr/2012:20:43:54 +0500 - 18/Apr/2012:20:57:37 +0500
>
> During this attack the following proxy servers were used:
>
> Attackers' ips (proxy servers)
> 174.121.134.34 - UNITED STATES, TEXAS, DALLAS - THEPLANET.COM INTERNET
> SERVICES INC
> 209.140.23.180 - UNITED STATES, TEXAS, FULSHEAR - LANDIS
> HOLDINGS INC
> 66.148.120.124 - UNITED STATES, NEVADA, SPARKS - HOPONE INTERNET
> CORPORATION
> 184.172.176.54 - UNITED STATES, TEXAS, DALLAS - THEPLANET.COM INTERNET
> SERVICES INC
>
> We have been able to analyze incoming packets and identify that
> X-FORWARDED-FOR header contained 42680 unique ip addresses. According to our
> information, this attack was just a preparation for a bigger one that is
> going to happen on 24th of April.
>
> We would be extremely grateful if you assist us in our efforts to take this
> botnet down.
>
> Looking forward to hearing from you as soon as possible. Thank you
> beforehand for your help and interest!
>
> My Best Regards,
> Tural Mammadov
> Cert.Gov Azerbaijan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Chart info of DDOS attack.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 997755 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20120422/49527185/attachment-0001.xlsx>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Country list of Attackers.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20120422/49527185/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Ip list of ddos attacking.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20120422/49527185/attachment-0003.txt>
-------------- next part --------------
> _______________________________________________
> *** FIRST restricted and confidential use mailing list. Do not Forward, Cc, Bcc, copy or summarize this email outside of the FIRST community without the express permission of the content owner(s). ***
>
> first-reps mailing list
> first-reps at lists.first.org
> _______________________________________________
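The X-Forwarded-For tally described in the forwarded report can be reproduced from web server logs along these lines. This is an added example, not part of the original message or the reporter's tooling; the log format (Apache combined with `%{X-Forwarded-For}i` appended) and the sample lines are assumptions, and because the header is client-supplied the resulting sets are what the proxies claimed, not verified sources.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The two attack windows reported in the message.
WINDOWS = [tuple(datetime.strptime(t, TS_FMT) for t in w) for w in (
    ("18/Apr/2012:19:59:18 +0500", "18/Apr/2012:20:14:51 +0500"),
    ("18/Apr/2012:20:43:54 +0500", "18/Apr/2012:20:57:37 +0500"),
)]
# Assumed format: Apache combined log with "%{X-Forwarded-For}i" appended.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*" "([^"]*)"$')

SAMPLE_LOG = [  # constructed lines; XFF values use documentation address ranges
    '174.121.134.34 - - [18/Apr/2012:19:59:20 +0500] "GET / HTTP/1.1" 200 512 "-" "-" "192.0.2.10"',
    '174.121.134.34 - - [18/Apr/2012:20:01:02 +0500] "GET / HTTP/1.1" 200 512 "-" "-" "192.0.2.10, 198.51.100.7"',
    '66.148.120.124 - - [18/Apr/2012:20:44:00 +0500] "GET / HTTP/1.1" 200 512 "-" "-" "unknown, 203.0.113.5"',
    '66.148.120.124 - - [18/Apr/2012:20:30:00 +0500] "GET / HTTP/1.1" 200 512 "-" "-" "203.0.113.99"',  # between windows
    '184.172.176.54 - - [18/Apr/2012:15:10:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-" "198.51.100.7"',  # 20:10 +0500
]

def xff_clients_by_proxy(lines, windows=WINDOWS):
    """Map each connecting (proxy) IP to the valid XFF addresses it relayed in the windows."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        peer, ts, xff = m.groups()
        try:
            when = datetime.strptime(ts, TS_FMT)  # timezone-aware
        except ValueError:
            continue
        if not any(start <= when <= end for start, end in windows):
            continue
        clients = seen[peer]
        for token in xff.split(","):
            try:
                clients.add(ipaddress.ip_address(token.strip()))
            except ValueError:
                pass  # drop "-", "unknown" and other non-address tokens
    return dict(seen)

if __name__ == "__main__":
    for proxy, clients in xff_clients_by_proxy(SAMPLE_LOG).items():
        print(proxy, len(clients), sorted(map(str, clients)))
```

Grouping by the connecting address keeps the per-proxy view that an abuse report to each hosting provider needs, while the union of all sets gives the overall unique count.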