[nsp-sec] Relation between 64.150.191.48 and 216.67.248.123

SURFcert - Peter p.g.m.peters at utwente.nl
Tue Apr 24 06:12:10 EDT 2012


Hi,

One of our institutions (194.171.66.126) has been suffering from UDP
DDoS attacks for the last couple of months. Earlier attacks seem to have
stopped a few weeks ago. We thought it started again last Monday.
Examining the flow did show something different though. While other
attacks seemed to be very much distributed, this attack only came from
the two IP addresses mentioned.

It was also a UDP-based attack, so the addresses could be spoofed.

Characteristics:
Random UDP port to random UDP port
Always 1500 bytes per packet
Start time: 2012-04-23 09:05:46.470
End time: 2012-04-23 09:05:49.210
Timezone: CEST (GMT+2)

The attack could be directed towards the IP addresses mentioned. In our
case that didn't work because filters prevented the system from reacting
to the received packets.

-- 
Peter Peters                     /------\           SURFnet bv
SURFcert                         | SURF |           cert.surfnet.nl
cert at surfnet.nl                  \-----\ \-----\    Postbus 19035
PGP Key ID 0x5A52C966                   | CERT |    NL-3501 DA  Utrecht
+31 30 2305 305                         \------/    fax: +31 30 2305 329
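
The characteristics listed in the message (UDP only, full 1500-byte packets, random ports, only two sources) can be turned into a flow-level check. The following is an added example and not part of the original message: the flow records are constructed, and the column layout, the function name `profile_udp_flood` and the `max_sources` threshold are assumptions.

```python
import csv
import io
from collections import defaultdict

VICTIM = "194.171.66.126"  # target address from the message

# Constructed flow export (not real data). Assumed column layout:
# start,proto,src,sport,dst,dport,packets,bytes
SAMPLE_FLOWS = """\
2012-04-23 09:05:46.470,UDP,64.150.191.48,40211,194.171.66.126,18233,400,600000
2012-04-23 09:05:46.900,UDP,216.67.248.123,5120,194.171.66.126,61002,350,525000
2012-04-23 09:05:47.300,UDP,64.150.191.48,33017,194.171.66.126,2044,500,750000
2012-04-23 09:05:48.100,UDP,216.67.248.123,51999,194.171.66.126,47811,420,630000
2012-04-23 09:05:48.500,TCP,192.0.2.10,51515,194.171.66.126,443,12,4800
2012-04-23 09:05:49.210,UDP,198.51.100.7,53,194.171.66.126,39001,1,120
"""

def profile_udp_flood(flow_csv, victim, pkt_size=1500, max_sources=5):
    """Profile UDP flows to `victim` whose packets are all `pkt_size` bytes."""
    per_src = defaultdict(lambda: {"flows": 0, "packets": 0, "dports": set()})
    rows = csv.reader(io.StringIO(flow_csv))
    for _ts, proto, src, _sport, dst, dport, pkts, byts in rows:
        pkts, byts = int(pkts), int(byts)
        if proto != "UDP" or dst != victim or pkts == 0:
            continue
        # Flow records only carry totals; bytes == packets * 1500 means every
        # packet was full-size, assuming a 1500-byte MTU on the path.
        if byts != pkts * pkt_size:
            continue
        stats = per_src[src]
        stats["flows"] += 1
        stats["packets"] += pkts
        stats["dports"].add(int(dport))
    return {
        "sources": sorted(per_src),
        "packets": sum(s["packets"] for s in per_src.values()),
        # True when no source reused a destination port across its flows.
        "random_dports": all(len(s["dports"]) == s["flows"] for s in per_src.values()),
        # Few sources sending fixed-size UDP: unlike the distributed attacks.
        "concentrated": 0 < len(per_src) <= max_sources,
    }

if __name__ == "__main__":
    print(profile_udp_flood(SAMPLE_FLOWS, VICTIM))
```

Because UDP source addresses can be forged, the `sources` list identifies addresses seen in the flows, not necessarily the hosts that sent the traffic.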
