[nsp-sec] Relation between 64.150.191.48 and 216.67.248.123
SURFcert - Peter
p.g.m.peters at utwente.nl
Tue Apr 24 08:05:06 EDT 2012
Excuse my response to myself.
SURFcert - Peter wrote on 24-04-2012 12:12:
> One of our institutions (194.171.66.126) has been suffering from UDP
> DDoS attacks the last couple of months. Earlier attacks seem to have
> stopped a few weeks ago. We thought it started again last Monday.
> Examining the flow did show something different though. While other
> attacks seemed to be very much distributed, this attack only came from
> the two IP addresses mentioned.
>
> It was also a UDP-based attack so the addresses could be spoofed.
>
> Characteristics:
> Random UDP port to random UDP port
> Always 1500 bytes per packet
> Start time: 2012-04-23 09:05:46.470
> End time: 2012-04-23 09:05:49.210
> Timezone: CEST (GMT+2)
During the five minutes after this attack another one started coming
from 118.123.213.26 to port 80 UDP. The size was again 1500 bytes. That
ended 2012-04-23 09:08:05.590 (CEST).
--
Peter Peters /------\ SURFnet bv
SURFcert | SURF | cert.surfnet.nl
cert at surfnet.nl \-----\ \-----\ Postbus 19035
PGP Key ID 0x5A52C966 | CERT | NL-3501 DA Utrecht
+31 30 2305 305 \------/ fax: +31 30 2305 329