[nsp-sec] UDP DDoS

Nick Hale nspsec at rtfmnewbie.com
Tue Mar 13 15:42:46 EDT 2012


I'm going to tentatively agree with what Jose said.  They're probably comp'd accounts on the host.  I've reached out to our customer (2 of them,
actually...) and will see what I can dig up and share.

-NH


On 3/13/2012 14:40, Jose Nazario wrote:
> Manual inspection suggests that those are web servers. I'd suspect compromised web sites with PHP or Perl scripts (bots, maybe) running on them. If so, they're likely not spoofing their source IPs.
> 
> On Mar 13, 2012, at 3:36 PM, Dave Monnier wrote:
> 
>> ----------- nsp-security Confidential --------
>>
>> Hi, Nick.
>>
>> Thanks much for offering to help!
>>
>> Here's what I've got for those hosts.
>>
>> Date first seen          Duration Proto       Src IP Addr    Flows(%)   Packets(%)       Bytes(%)         pps      bps   bpp
>> 2012-03-11 18:56:44.662 90197.871 any     173.192.220.101     1077( 9.5)   6.1 M(20.2)    8.5 G(26.3)       68   752457  1382
>> 2012-03-11 18:56:44.663 90188.868 any      173.192.222.69      962( 8.4)   5.4 M(17.9)    7.5 G(23.3)       60   667783  1383
>> 2012-03-11 18:56:44.213 90170.961 any       208.43.81.118      881( 7.7)   4.9 M(16.1)    6.7 G(20.9)       54   597904  1380
>> 2012-03-11 18:56:44.323 90174.761 any     174.120.229.130      528( 4.6)   3.2 M(10.7)    4.4 G(13.7)       36   393969  1367
>>
>> Sorry for the line wrapping.
>>
>> If you can verify them as sources that would be awesome.
>>
>> They all look to be Linux systems and host a bunch of domains.
>>
>> Thanks!
>> -Dave
>>
>> On 3/13/12 3:32 PM, Nick Hale wrote:
>>> Hi Dave,
>>>
>>> Can you give me any more info on the 36351/21844 hosts?  I'll start digging into what I can on this end. (sample pcaps would be wonderful too, if
>>> possible).
>>>
>>> Regards,
>>> Nick
>>> SoftLayer
>>>
>>>
>>>
>>> On 3/13/2012 14:25, Dave Monnier wrote:
>>>> ----------- nsp-security Confidential --------
>>>>
>>>>
>>>>
>>>>
>>>> Team,
>>>>
>>>> Looking for the source of a UDP-based attack against these IPs:
>>>>
>>>> 202.163.115.10
>>>> 202.163.115.11
>>>> 61.5.158.117
>>>> 61.5.158.121
>>>> 61.5.158.124
>>>> 61.5.158.114
>>>>
>>>> Leaders by percentage look to be:
>>>> 36351   | 173.192.220.101  | SOFTLAYER - SoftLayer Technologies Inc.
>>>> 36351   | 173.192.222.69   | SOFTLAYER - SoftLayer Technologies Inc.
>>>> 36351   | 208.43.81.118    | SOFTLAYER - SoftLayer Technologies Inc.
>>>> 21844   | 174.120.229.130  | THEPLANET-AS - ThePlanet.com Internet
>>>> 19066   | 173.199.150.228  | WIREDTREE - Cogswell Enterprises Inc.
>>>> 30217   | 216.87.163.170   | DESYNC - Desync Networks
>>>>
>>>> SRC/DST ports are all over.
>>>>
>>>> Thanks!
>>>> -Dave
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>>
>>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>>> _______________________________________________
>>
>>
>> -- 
>> Dave Monnier
>> Team Cymru
>> https://www.team-cymru.org/
>> PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc
>>
>>
>>
>>
> 
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> blog:    http://asert.arbor.net/
> twitter: @arbornetworks
> 
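The flow summary Dave pasted is nfdump-style "top sources" output that arrived line-wrapped, and the thread's next step was to confirm those sources before asking the hosting providers to look at the hosts. As an added example, not code from any participant in this thread, the Python below re-joins the wrapped rows, strips the e-mail quote prefixes, scales the K/M/G suffixes (assumed here to be decimal, 1000-based), and runs the sanity checks a responder would want before acting on a pasted table: that bytes/packets reproduces the reported bpp column, that bytes*8/duration reproduces bps, that every row implies roughly the same total attack volume, and how tightly the per-source average packet size clusters. The sample input is the table from the thread, embedded as constructed text; the function and field names are this example's own.

```python
import re
import statistics
from dataclasses import dataclass
from typing import List

# Constructed sample input: the nfdump-style "top sources" table from the thread,
# exactly as it arrived (">>" quote prefixes, each row wrapped onto two lines).
SAMPLE = """\
>> Date first seen          Duration Proto       Src IP Addr    Flows(%)
>>  Packets(%)       Bytes(%)         pps      bps   bpp
>> 2012-03-11 18:56:44.662 90197.871 any     173.192.220.101     1077( 9.5)
>>   6.1 M(20.2)    8.5 G(26.3)       68   752457  1382
>> 2012-03-11 18:56:44.663 90188.868 any      173.192.222.69      962( 8.4)
>>   5.4 M(17.9)    7.5 G(23.3)       60   667783  1383
>> 2012-03-11 18:56:44.213 90170.961 any       208.43.81.118      881( 7.7)
>>   4.9 M(16.1)    6.7 G(20.9)       54   597904  1380
>> 2012-03-11 18:56:44.323 90174.761 any     174.120.229.130      528( 4.6)
>>   3.2 M(10.7)    4.4 G(13.7)       36   393969  1367
"""

# Assumption: the display suffixes are decimal (K = 1e3, M = 1e6, G = 1e9).
SCALE = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# One "value(pct)" column with an optional magnitude suffix: "1077( 9.5)", "6.1 M(20.2)".
_COL = r"(?P<{n}>\d+(?:\.\d+)?)\s*(?P<{n}_unit>[KMGT])?\(\s*(?P<{n}_pct>\d+(?:\.\d+)?)\)"
ROW_RE = re.compile(
    r"^(?P<first_seen>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    + r"(?P<duration>\d+(?:\.\d+)?)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    + _COL.format(n="flows") + r"\s+"
    + _COL.format(n="packets") + r"\s+"
    + _COL.format(n="bytes") + r"\s+"
    + r"(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)\s*$"
)


@dataclass
class FlowSummary:
    first_seen: str
    duration: float        # seconds the source was active in the window
    proto: str
    src: str
    flows: float
    flows_pct: float
    packets: float
    packets_pct: float
    bytes: float
    bytes_pct: float
    pps: int
    bps: int
    bpp: int

    def implied_total_bytes(self) -> float:
        """Whole-attack volume that this row's byte share implies."""
        return self.bytes / (self.bytes_pct / 100.0)


def unwrap(text: str) -> List[str]:
    """Drop e-mail quote prefixes and re-join rows wrapped in transit: a row begins
    with a timestamp; any following non-timestamp line is its continuation."""
    rows: List[str] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            continue
        if DATE_RE.match(line):
            rows.append(line)
        elif rows:                       # header lines before the first row are skipped
            rows[-1] += " " + line
    return rows


def parse_row(row: str) -> FlowSummary:
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unparseable nfdump row: {row!r}")
    g = m.groupdict()

    def col(name: str) -> float:         # apply the K/M/G suffix of a value(pct) column
        return float(g[name]) * SCALE[g[f"{name}_unit"] or ""]

    return FlowSummary(
        first_seen=g["first_seen"], duration=float(g["duration"]),
        proto=g["proto"], src=g["src"],
        flows=col("flows"), flows_pct=float(g["flows_pct"]),
        packets=col("packets"), packets_pct=float(g["packets_pct"]),
        bytes=col("bytes"), bytes_pct=float(g["bytes_pct"]),
        pps=int(g["pps"]), bps=int(g["bps"]), bpp=int(g["bpp"]),
    )


def parse_report(text: str) -> List[FlowSummary]:
    return [parse_row(r) for r in unwrap(text)]


def consistency_issues(rec: FlowSummary, tol: float = 0.05) -> List[str]:
    """Recompute the derived columns from the raw ones. Displayed values carry two
    significant digits, so allow a few percent; a larger gap means the table was
    mangled in transit (for example a continuation glued onto the wrong row)."""
    issues: List[str] = []
    bpp = rec.bytes / rec.packets
    if abs(bpp - rec.bpp) / rec.bpp > tol:
        issues.append(f"{rec.src}: bytes/packets={bpp:.0f} but bpp column says {rec.bpp}")
    bps = rec.bytes * 8 / rec.duration
    if abs(bps - rec.bps) / rec.bps > tol:
        issues.append(f"{rec.src}: bytes*8/duration={bps:.0f} but bps column says {rec.bps}")
    return issues


def rank_by_bytes(records: List[FlowSummary], min_pct: float = 10.0) -> List[str]:
    """Sources worth raising with their hosting provider, largest byte share first."""
    heavy = [r for r in records if r.bytes_pct >= min_pct]
    return [r.src for r in sorted(heavy, key=lambda r: r.bytes, reverse=True)]


def implied_total_bytes(records: List[FlowSummary]) -> float:
    """Every row's bytes/share should point at the same total; their mean is the
    estimate of the whole attack's volume over the window."""
    return statistics.mean(r.implied_total_bytes() for r in records)


def bpp_spread(records: List[FlowSummary]) -> int:
    """Range of average packet size across sources; a tight cluster is worth
    mentioning in the report, since it hints the hosts run the same script."""
    sizes = [r.bpp for r in records]
    return max(sizes) - min(sizes)


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        status = "; ".join(consistency_issues(r)) or "ok"
        print(f"{r.src:16} {r.bytes / 1e9:5.1f} GB ({r.bytes_pct}%)  bpp={r.bpp}  {status}")
    print("candidates to report:", rank_by_bytes(recs, min_pct=20.0))
    print(f"implied total ~{implied_total_bytes(recs) / 1e9:.1f} GB, bpp spread {bpp_spread(recs)}")
```

Run as a script it prints one status line per source, the sources above a 20% share, and the implied total; the four rows in the thread all pass the bpp and bps checks and agree on a total of roughly 32 GB for the window, which is the kind of cross-check to do before quoting a pasted table back to a provider.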


