[nsp-sec] DDoS over 212.92.56.33 - TLP AMBER
Carles Fragoso
cfragoso at cesicat.cat
Wed Jun 27 20:06:07 EDT 2012
Until we get some details about the attack timeframe (now stopped) and gather some netflow data and web server logs from the 3rd party, I have been provided the following list of offender IPs identified and blocked during the DDoS, almost 50% from RU.
I still don't have confirmation about whether they were full TCP handshake connections, so they might be spoofed. As we have opened an investigation, please distribute it carefully considering TLP AMBER. It would be nice to correlate if those IPs
Country distribution
31 RU <---
6 UA
6 ID
3 US
3 PH
2 MY
2 IN
2 BY
2 AE
1 TR
1 PK
1 PE
1 ES
1 EE
1 CR
1 CL
1 AU
Full list
Regards,
-- Carlos
On Jun 27, 2012, at 8:19 PM, cfragoso at cesicat.cat wrote:
Our government has a new website that has just been announced today outside our ASN hosted at 212.92.56.33 and under DDoS attack now.
While we get some logs or netflow from the ISP (Necica) to identify source IPs, I will appreciate some checks from you guys.
Thanks!!!
-- Carlos Fragoso (39551)