[nsp-sec] 80/tcp synflood to 203.202.1.63

Dave Monnier dmonnier at cymru.com
Wed Mar 14 10:25:18 EDT 2012


Hi, Scott.

Nothing here, sorry.

Cheers,
-Dave


On 3/13/12 11:25 PM, Scott A. McIntyre wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> Hi all,
> 
> 203.202.1.63 is currently feeling a 30K/second SYN flood to 80/tcp and would appreciate some eyes looking for sources, C&C, etc.  Below is a tiny snippet from the logs, and NOT representative of the total number of unique sources (working on that) but if anyone has any intel or ability to offer assistance it would be sincerely appreciated.
> 
> I'm not the destination here, I'm just helping some friends out.  The attack began on 14 March 0800+1100.
> 
> Thanks for any assistance, as always!
> 
> Scott A. McIntyre
> Telstra
> 
> 
> 
> 


-- 
Dave Monnier
Team Cymru
https://www.team-cymru.org/
PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc

