[nsp-sec] DoS from Microsoft AS8075 - any useful contacts there?

Peter Moody pmoody at google.com
Thu Apr 11 17:45:45 EDT 2013


try Monika Machado, monikama at microsoft.com. She's on nsp-sec (and was
posting as of January).

On Thu, Apr 11, 2013 at 2:43 PM, James A. T. Rice
<james_r-nsp at jump.org.uk> wrote:
> ----------- nsp-security Confidential --------
>
>
> Greetings,
>
> I'm having a very difficult time getting a response out of Microsoft AS8075, and we're seeing >1Gbps DoS from them to a customer over our peerings with them (which is filling the customer's connection with us).
>
> I've tried: secure at microsoft.com, who responded saying I needed to fill in the form at https://cert.microsoft.com/ , this has been done, including netflow and sflow data and pcap capture, but without any reply, the attacks have since intensified, so I've tried calling their number in peeringdb, but got someone who was pretty unintelligible on the 1000ms+ RTT VoIP connection they were using. They asked me to email msnalert at microsoft.com, mocalert at direct.microsoft.com, the latter of which bounced, and the former sounds like instant messenger trouble :/
>
> Incidentally does anyone recognise the attack tool? Seeing lots of the following, several ~150Mbps streams, all UDP to the same destination port, same source port for a given source host, and a source IP address with an unusual 0 for the last octet in one case:
>
> 17:56:40.485868 84:18:88:94:97:c0 > 00:13:5f:1f:eb:00, ethertype 802.1Q (0x8100), length 1518: vlan 1100, p 0, ethertype IPv4, (tos 0x0, ttl 56, id 30701, offset 0, flags [+], proto UDP (17), length 1500)
>     137.117.85.0.1249 > 193.0.159.89.25565: UDP, length 2048
> .L..E...w. .8..T.uU....Y..c....tflood...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!
> .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
>
> Thanks
> James Rice
> Jump Networks Ltd
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________



-- 
[ Peter Moody | Security Engineer | Google ]
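The traffic pattern James describes (several sources, one fixed source port per source host, the same destination port, UDP length 2048 carried in 1500-byte first fragments, and a source address ending in .0) can be checked mechanically over tcpdump output. The following is an added example written for this page, not code from either poster: it parses the two-line "tcpdump -v" format quoted above and summarises those traits per destination. The sample capture lines are constructed; 28 is the 20-byte IPv4 header plus the 8-byte UDP header, so a UDP length larger than the IP length minus 28 means the datagram was fragmented.

```python
import re
from collections import defaultdict
# Constructed sample in the two-line "tcpdump -v" format quoted in the post (not real traffic).
SAMPLE = """\
17:56:40.485868 (tos 0x0, ttl 56, id 30701, offset 0, flags [+], proto UDP (17), length 1500)
    137.117.85.0.1249 > 193.0.159.89.25565: UDP, length 2048
17:56:40.485901 (tos 0x0, ttl 56, id 30702, offset 0, flags [+], proto UDP (17), length 1500)
    137.117.85.0.1249 > 193.0.159.89.25565: UDP, length 2048
17:56:40.485955 (tos 0x0, ttl 52, id 4410, offset 0, flags [+], proto UDP (17), length 1500)
    198.51.100.7.40000 > 193.0.159.89.25565: UDP, length 2048
17:56:40.486010 (tos 0x0, ttl 64, id 9, offset 0, flags [DF], proto UDP (17), length 73)
    198.51.100.9.53 > 192.0.2.10.4321: UDP, length 45
"""
HDR_RE = re.compile(r"flags \[([^\]]*)\], proto UDP \(17\), length (\d+)")
UDP_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length (\d+)")

def parse_tcpdump(text):
    """One dict per UDP packet; the IP header line gives total length and the MF ('+') flag."""
    pkts, hdr = [], None
    for line in text.splitlines():
        h = HDR_RE.search(line)
        if h:
            hdr = h  # keep the header for the UDP summary line that follows it
            continue
        u = UDP_RE.search(line)
        if u and hdr:
            pkts.append({"src": u.group(1), "sport": int(u.group(2)), "dst": u.group(3),
                         "dport": int(u.group(4)), "udp_len": int(u.group(5)),
                         "ip_len": int(hdr.group(2)), "more_frags": "+" in hdr.group(1)})
    return pkts

def flood_report(pkts, min_sources=2):
    """Per destination (ip, port) hit by >= min_sources hosts, summarise the traits James lists."""
    by_dst = defaultdict(list)
    for p in pkts:
        by_dst[(p["dst"], p["dport"])].append(p)
    report = {}
    for dst, ps in by_dst.items():
        sports = defaultdict(set)  # source host -> set of source ports seen
        for p in ps:
            sports[p["src"]].add(p["sport"])
        if len(sports) < min_sources:
            continue
        report[dst] = {
            "sources": len(sports),
            "fixed_sport_per_host": all(len(s) == 1 for s in sports.values()),
            "oversized_frags": sum(p["more_frags"] and p["udp_len"] > p["ip_len"] - 28 for p in ps),
            "zero_last_octet": sorted(s for s in sports if s.endswith(".0")),
        }
    return report
```

Feeding real "tcpdump -v -n" output to parse_tcpdump lets the same report be produced for a live capture of the customer link.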



