[nsp-sec] DDoS against Azerbaijan gov-CERT, April 24: Softlayer, HopOne

Bill Woodcock woody at pch.net
Sun Apr 22 19:20:21 EDT 2012


All ok to share. Thx

    
                -Bill


On Apr 22, 2012, at 16:16, "Nicholas Ianelli" <ni at allyourinfoarebelongto.us> wrote:

> The Softlayer/ThePlanet rep is no longer onlist. I still have a few
> contacts over there.
> 
> Not sure if HopOne ever made it on the list, but I know two guys over
> there as well.
> 
> What can I share with them directly?
> 
> Nick
> 
> 
> On 04/22/2012 04:45 PM, Bill Woodcock wrote:
>> ----------- nsp-security Confidential --------
>> 
>> Forwarded at the request of the originator.
>> 
>> 
>> v4.whois.cymru.com
>> 
>> [v4.whois.cymru.com]
>> AS      | IP               | AS Name
>> 36351   | 184.172.176.54   | SOFTLAYER - SoftLayer Technologies Inc.
>> 14361   | 66.148.120.124   | HOPONE-GLOBAL - HopOne Internet Corporation
>> 21844   | 174.121.134.34   | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
>> 
>> [v4-peer.whois.cymru.com]
>> PEER_AS | IP               | AS Name
>> 209     | 184.172.176.54   | ASN-QWEST - Qwest Communications Company, LLC
>> 1299    | 184.172.176.54   | TELIANET TeliaNet Global Network
>> 2914    | 184.172.176.54   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
>> 3549    | 184.172.176.54   | GBLX Global Crossing Ltd.
>> 4565    | 184.172.176.54   | MEGAPATH2-US - MegaPath Networks Inc.
>> 7843    | 184.172.176.54   | TWCABLE-BACKBONE - Road Runner HoldCo LLC
>> 10310   | 184.172.176.54   | YAHOO-1 - Yahoo!
>> 2381    | 66.148.120.124   | WISCNET1-AS - WiscNet
>> 3257    | 66.148.120.124   | TINET-BACKBONE Tinet SpA
>> 3356    | 66.148.120.124   | LEVEL3 Level 3 Communications
>> 3549    | 66.148.120.124   | GBLX Global Crossing Ltd.
>> 3561    | 66.148.120.124   | SAVVIS - Savvis
>> 4565    | 66.148.120.124   | MEGAPATH2-US - MegaPath Networks Inc.
>> 6939    | 66.148.120.124   | HURRICANE - Hurricane Electric, Inc.
>> 10310   | 66.148.120.124   | YAHOO-1 - Yahoo!
>> 11164   | 66.148.120.124   | INTERNET2-TRANSITRAIL-CPS - National LambdaRail, LLC
>> 36351   | 174.121.134.34   | SOFTLAYER - SoftLayer Technologies Inc.
>> 
>>                                -Bill
>> 
>> 
>> Begin forwarded message:
>> 
>>> From: "CERT.GOV.AZ" <first-rep at cert.gov.az>
>>> Date: April 22, 2012 8:33:13 AM PDT
>>> To: "'FIRST Secretariat'" <first-sec at first.org>
>>> Cc: first-reps at first.org
>>> Subject: [1st-reps] Attack!!! Urgent HELP needed!!!
>>> 
>>> Dear Sirs,
>>> 
>>> I would like to inform you about the DDOS attack that we faced on
>>> 18/Apr/2012:19:59:18 +0500 - 18/Apr/2012:20:14:51 +0500 and on
>>> 18/Apr/2012:20:43:54 +0500 - 18/Apr/2012:20:57:37 +0500
>>> 
>>> During this attack the following proxy servers were used:
>>> 
>>> Attackers' IPs (proxy servers):
>>> 174.121.134.34 - UNITED STATES, TEXAS, DALLAS - THEPLANET.COM INTERNET SERVICES INC
>>> 209.140.23.180 - UNITED STATES, TEXAS, FULSHEAR - LANDIS HOLDINGS INC
>>> 66.148.120.124 - UNITED STATES, NEVADA, SPARKS - HOPONE INTERNET CORPORATION
>>> 184.172.176.54 - UNITED STATES, TEXAS, DALLAS - THEPLANET.COM INTERNET SERVICES INC
>>> 
>>> We have been able to analyze incoming packets and identify that the
>>> X-FORWARDED-FOR header contained 42680 unique IP addresses. According to our
>>> information, this attack was just a preparation for a bigger one that is
>>> going to happen on 24th of April.
>>> 
>>> We would be extremely grateful if you assist us in our efforts to take this
>>> botnet down.
>>> 
>>> Looking forward to hearing from you as soon as possible, Thank you
>>> beforehand for your help and interests!
>>> 
>>> My Best Regards,
>>> Tural Mammadov
>>> Cert.Gov Azerbaijan
>>> 
>>> 
>>>> _______________________________________________
>>>> *** FIRST restricted and confidential use mailing list. Do not Forward, Cc, Bcc, copy or summarize this email outside of the FIRST community without the express permission of the content owner(s). ***
>>>> 
>>>> first-reps mailing list
>>>> first-reps at lists.first.org
>>>> _______________________________________________
>>> 
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>> 
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
> 




