[nsp-sec] DDoS against Azerbaijan gov-CERT, April 24: Softlayer, HopOne
jose nazario
jose at arbor.net
Sun Apr 22 20:59:45 EDT 2012
happy to check my logs. what was the IP or hostname that was hit? even an ASN would help.
_____
Jose Nazario, Ph.D.
Manager of Security Research, Arbor Networks
jose at arbor.net
On Apr 22, 2012, at 4:45 PM, Bill Woodcock wrote:
> ----------- nsp-security Confidential --------
>
> Forwarded at the request of the originator.
>
>
> v4.whois.cymru.com
>
> [v4.whois.cymru.com]
> AS | IP | AS Name
> 36351 | 184.172.176.54 | SOFTLAYER - SoftLayer Technologies Inc.
> 14361 | 66.148.120.124 | HOPONE-GLOBAL - HopOne Internet Corporation
> 21844 | 174.121.134.34 | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
>
> [v4-peer.whois.cymru.com]
> PEER_AS | IP | AS Name
> 209 | 184.172.176.54 | ASN-QWEST - Qwest Communications Company, LLC
> 1299 | 184.172.176.54 | TELIANET TeliaNet Global Network
> 2914 | 184.172.176.54 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3549 | 184.172.176.54 | GBLX Global Crossing Ltd.
> 4565 | 184.172.176.54 | MEGAPATH2-US - MegaPath Networks Inc.
> 7843 | 184.172.176.54 | TWCABLE-BACKBONE - Road Runner HoldCo LLC
> 10310 | 184.172.176.54 | YAHOO-1 - Yahoo!
> 2381 | 66.148.120.124 | WISCNET1-AS - WiscNet
> 3257 | 66.148.120.124 | TINET-BACKBONE Tinet SpA
> 3356 | 66.148.120.124 | LEVEL3 Level 3 Communications
> 3549 | 66.148.120.124 | GBLX Global Crossing Ltd.
> 3561 | 66.148.120.124 | SAVVIS - Savvis
> 4565 | 66.148.120.124 | MEGAPATH2-US - MegaPath Networks Inc.
> 6939 | 66.148.120.124 | HURRICANE - Hurricane Electric, Inc.
> 10310 | 66.148.120.124 | YAHOO-1 - Yahoo!
> 11164 | 66.148.120.124 | INTERNET2-TRANSITRAIL-CPS - National LambdaRail, LLC
> 36351 | 174.121.134.34 | SOFTLAYER - SoftLayer Technologies Inc.
>
> -Bill
>
>
> Begin forwarded message:
>
>> From: "CERT.GOV.AZ" <first-rep at cert.gov.az>
>> Date: April 22, 2012 8:33:13 AM PDT
>> To: "'FIRST Secretariat'" <first-sec at first.org>
>> Cc: first-reps at first.org
>> Subject: [1st-reps] Attack!!! Urgent HELP needed!!!
>>
>> Dear Sirs,
>>
>> I would like to inform you about the DDOS attack that we faced on
>> 18/Apr/2012:19:59:18 +0500 - 18/Apr/2012:20:14:51 +0500 and on
>> 18/Apr/2012:20:43:54 +0500 - 18/Apr/2012:20:57:37 +0500
>>
>> During this attack the following proxy servers were used:
>>
>> Attackers' ips (proxy servers)
>> 174.121.134.34 - UNITED STATES, TEXAS, DALLAS - THEPLANET.COM INTERNET SERVICES INC
>> 209.140.23.180 - UNITED STATES, TEXAS, FULSHEAR - LANDIS HOLDINGS INC
>> 66.148.120.124 - UNITED STATES, NEVADA, SPARKS - HOPONE INTERNET CORPORATION
>> 184.172.176.54 - UNITED STATES, TEXAS, DALLAS - THEPLANET.COM INTERNET SERVICES INC
>>
>> We have been able to analyze incoming packets and identify that
>> X-FORWARDED-FOR header contained 42680 unique ip addresses. According to our
>> information, this attack was just a preparation for a bigger one that is
>> going to happen on 24th of April.
>>
>> We would be extremely grateful if you assist us in our efforts to take this
>> botnet down.
>>
>> Looking forward to hearing from you as soon as possible, Thank you
>> beforehand for your help and interests!
>>
>> My Best Regards,
>> Tural Mammadov
>> Cert.Gov Azerbaijan
> <Chart info of DDOS attack.xlsx><Country list of Attackers.txt><Ip list of ddos attacking.txt>
>>
>> _______________________________________________
>> *** FIRST restricted and confidential use mailing list. Do not Forward, Cc, Bcc, copy or summarize this email outside of the FIRST community without the express permission of the content owner(s). ***
>>
>> first-reps mailing list
>> first-reps at lists.first.org
>> _______________________________________________
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
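An added example, not part of the original thread: one way to reproduce the kind of analysis the report describes, counting requests and distinct X-Forwarded-For addresses per connecting proxy inside the two stated attack windows. The log format (common log format with the quoted X-Forwarded-For value appended), the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

TS = "%d/%b/%Y:%H:%M:%S %z"
# Attack windows exactly as stated in the report.
WINDOWS = [tuple(datetime.strptime(t, TS) for t in w) for w in (
    ("18/Apr/2012:19:59:18 +0500", "18/Apr/2012:20:14:51 +0500"),
    ("18/Apr/2012:20:43:54 +0500", "18/Apr/2012:20:57:37 +0500"))]
# Assumed log format: common log format plus the quoted X-Forwarded-For value.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "([^"]*)"$')
# Constructed sample lines; all addresses are from documentation ranges.
SAMPLE = """\
203.0.113.10 - - [18/Apr/2012:19:59:20 +0500] "GET / HTTP/1.1" 200 512 "198.51.100.1"
203.0.113.10 - - [18/Apr/2012:20:01:02 +0500] "GET / HTTP/1.1" 200 512 "198.51.100.2, 192.0.2.77"
203.0.113.10 - - [18/Apr/2012:20:14:51 +0500] "GET / HTTP/1.1" 200 512 "unknown, 198.51.100.3"
203.0.113.10 - - [18/Apr/2012:20:30:00 +0500] "GET / HTTP/1.1" 200 512 "198.51.100.4"
203.0.113.20 - - [18/Apr/2012:20:44:00 +0500] "GET / HTTP/1.1" 200 512 "198.51.100.1"
192.0.2.5 - - [18/Apr/2012:20:45:10 +0500] "GET / HTTP/1.1" 200 512 "-"
203.0.113.20 - - [18/Apr/2012:20:57:38 +0500] "GET / HTTP/1.1" 200 512 "198.51.100.9"
"""

def valid_ips(xff):
    """Yield the parseable addresses in a comma-separated X-Forwarded-For value."""
    for part in xff.split(","):
        try:
            yield ip_address(part.strip())
        except ValueError:
            continue  # client-controlled header: skip "-", "unknown" and other junk

def summarize(lines, windows=WINDOWS):
    """Map peer IP -> (requests, distinct XFF addresses) for lines inside the windows."""
    hits = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        peer, ts, xff = m.groups()
        when = datetime.strptime(ts, TS)
        if any(start <= when <= end for start, end in windows):
            hits[peer][0] += 1
            hits[peer][1].update(valid_ips(xff))
    return {peer: (count, ips) for peer, (count, ips) in hits.items()}

def relays(summary, min_clients=3):
    """Peers that relayed for at least min_clients distinct forwarded addresses."""
    return sorted(p for p, (_, ips) in summary.items() if len(ips) >= min_clients)

if __name__ == "__main__":
    for peer, (count, ips) in summarize(SAMPLE.splitlines()).items():
        print(peer, count, len(ips))
```

X-Forwarded-For is supplied by whoever sends the request, so the distinct-address count describes what each proxy reported rather than verified origins.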