[nsp-sec] UDP DDoS
Dave Monnier
dmonnier at cymru.com
Tue Mar 13 15:36:59 EDT 2012
Hi, Nick.
Thanks much for offering to help!
Here's what I've got for those hosts.
Date first seen          Duration   Proto  Src IP Addr      Flows(%)    Packets(%)   Bytes(%)     pps  bps     bpp
2012-03-11 18:56:44.662  90197.871  any    173.192.220.101  1077( 9.5)  6.1 M(20.2)  8.5 G(26.3)  68   752457  1382
2012-03-11 18:56:44.663  90188.868  any    173.192.222.69    962( 8.4)  5.4 M(17.9)  7.5 G(23.3)  60   667783  1383
2012-03-11 18:56:44.213  90170.961  any    208.43.81.118     881( 7.7)  4.9 M(16.1)  6.7 G(20.9)  54   597904  1380
2012-03-11 18:56:44.323  90174.761  any    174.120.229.130   528( 4.6)  3.2 M(10.7)  4.4 G(13.7)  36   393969  1367
Sorry for the line wrapping.
If you can verify them as sources that would be awesome.
They all look to be Linux systems and host a bunch of domains.
Thanks!
-Dave
On 3/13/12 3:32 PM, Nick Hale wrote:
> Hi Dave,
>
> Can you give me any more info on the 36351/21844 hosts? I'll start digging into what I can on this end. (sample pcaps would be wonderful too, if possible).
>
> Regards,
> Nick
> SoftLayer
>
>
>
> On 3/13/2012 14:25, Dave Monnier wrote:
>> ----------- nsp-security Confidential --------
>>
>> Team,
>>
>> Looking for the source of a UDP-based attack against these IPs:
>>
>> 202.163.115.10
>> 202.163.115.11
>> 61.5.158.117
>> 61.5.158.121
>> 61.5.158.124
>> 61.5.158.114
>>
>> Leaders by percentage look to be:
>> 36351 | 173.192.220.101 | SOFTLAYER - SoftLayer Technologies Inc.
>> 36351 | 173.192.222.69 | SOFTLAYER - SoftLayer Technologies Inc.
>> 36351 | 208.43.81.118 | SOFTLAYER - SoftLayer Technologies Inc.
>> 21844 | 174.120.229.130 | THEPLANET-AS - ThePlanet.com Internet
>> 19066 | 173.199.150.228 | WIREDTREE - Cogswell Enterprises Inc.
>> 30217 | 216.87.163.170 | DESYNC - Desync Networks
>>
>> SRC/DST ports are all over.
>>
>> Thanks!
>> -Dave
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
--
Dave Monnier
Team Cymru
https://www.team-cymru.org/
PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc