[nsp-sec] ongoing DOS Against 64.7.135.158 (19:00 UTC)
Rob Thomas
robt at cymru.com
Mon Oct 15 17:19:45 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear Mike,
> We are dealing with a large (for us) attack against a colo customer. It
> seems to be a classic DNS reflection attack that started around 18:30
> UTC (2:30 EDT) and we would appreciate any help we can get.
>
>
> Packet dump below as well as attacking IPs. The attack is ongoing right
> now. I would appreciate any help in mitigating the attack as I see it
> coming in on all my connections. Feel free to block UDP DNS requests from
> 64.7.135.158 for the next 12hrs if that's doable. It's not supposed to be
> a resolver for anything and the attacker is just spoofing the requests.
Sorry to hear about the attack!
We see at least one of the C&C nodes involved:
vitagilp.ru 85.25.145.60
armab.ru 85.25.145.60
The vitagilp.ru C&C is by far the most active one against you. This is
a Pandora botnet.
The attack commands were issued against https://www.preferred411.com/
specifically. Looks like the first attack was issued on or about
2012-10-15 16:00:04 UTC and the most recent attack was issued on or
about 2012-10-15 20:58:00 UTC.
There of course may be other C&Cs involved.
Thanks,
Rob.
- --
R' Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
-----BEGIN PGP SIGNATURE-----
iQCVAwUBUHx98VkX3QAo5sgJAQITLwP/a5mIZpQZhlLnYpHrViCjG0mdw3FBp+NK
vAy9tnVieiq85h29fJD6Tpjn4Jv8dg+56XpeZXFlX6xKLh1jigSDX/iI+y1lwrAU
99InYkDDLkZ1M8uhIv9RZdgi574jbaPvC1fx6b6E70NH2hfK+fyRN9mAeaf5yUjo
si569XlCWr4=
=PJnP
-----END PGP SIGNATURE-----
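The thread describes the classic shape of a DNS reflection attack: the victim receives large UDP responses from many resolvers it never queried, because the attacker spoofed the victim's address on the requests. The following is an added example, not code from the nsp-sec thread or from Team Cymru, showing how a defender can surface that pattern in flow records: inbound UDP flows from source port 53 are matched against the victim's own outbound queries, and responders the victim never asked are reported as unsolicited reflectors together with their average packet size. The victim address, reflector addresses and flow records are constructed placeholders (RFC 5737 documentation ranges), and the flow tuple layout and thresholds are assumptions.

```python
"""Detect DNS reflection traffic against a victim host from flow records.

Added example (not part of the original mailing-list post). All addresses
and flow records below are constructed from RFC 5737 documentation ranges.
"""
from collections import defaultdict

# Placeholder for the attacked host (constructed, not the address in the thread).
VICTIM = "192.0.2.10"

# Constructed flow records, one tuple per flow:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # Large UDP responses from source port 53 that the victim never requested.
    ("198.51.100.1", 53, VICTIM, 40123, "udp", 3000, 2),
    ("198.51.100.2", 53, VICTIM, 40123, "udp", 4500, 3),
    ("198.51.100.3", 53, VICTIM, 40123, "udp", 1500, 1),
    ("198.51.100.4", 53, VICTIM, 40123, "udp", 6000, 4),
    # A legitimate exchange: the victim sends a query and gets a small reply.
    (VICTIM, 51000, "203.0.113.53", 53, "udp", 70, 1),
    ("203.0.113.53", 53, VICTIM, 51000, "udp", 120, 1),
    # Unrelated TCP traffic that must be ignored.
    ("198.51.100.9", 443, VICTIM, 55555, "tcp", 8000, 10),
]


def reflection_report(flows, victim, min_sources=3, min_avg_bytes=512):
    """Summarise unsolicited DNS responses aimed at ``victim``.

    A responder is "unsolicited" when it sends UDP traffic from port 53 to
    the victim while no flow shows the victim sending a query (UDP, dst port
    53) to that responder. Many such responders with large packets is the
    reflection signature described in the thread.
    """
    queried = set()                 # responders the victim actually asked
    inbound = defaultdict(lambda: [0, 0])  # src_ip -> [bytes, packets]

    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        if proto != "udp":
            continue
        if src == victim and dport == 53:
            queried.add(dst)
        elif dst == victim and sport == 53:
            inbound[src][0] += nbytes
            inbound[src][1] += npkts

    unsolicited = sorted(ip for ip in inbound if ip not in queried)
    total_bytes = sum(inbound[ip][0] for ip in unsolicited)
    total_pkts = sum(inbound[ip][1] for ip in unsolicited)
    avg = total_bytes / total_pkts if total_pkts else 0.0

    return {
        "unsolicited_reflectors": unsolicited,
        "unsolicited_packets": total_pkts,
        "avg_bytes_per_packet": avg,
        # Both conditions must hold: many distinct reflectors and large replies.
        "suspected_reflection": len(unsolicited) >= min_sources and avg >= min_avg_bytes,
    }


if __name__ == "__main__":
    report = reflection_report(SAMPLE_FLOWS, VICTIM)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The list of unsolicited reflectors is what a victim network would hand to upstreams (as the original poster did) so they can filter UDP/53 traffic toward the victim, while the legitimate resolver the victim really queried is left alone; the query-matching step is what keeps a normal recursive resolver from being flagged.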