[nsp-sec] TCP SYN DDoS on ING/COLT router
Dave Woutersen (NCSC-NL)
dave.woutersen at ncsc.nl
Tue Apr 16 07:02:49 EDT 2013
Hi folks,

On Sunday a core router of the Dutch Bank ING, on a COLT link, got some
spoofed packet love killing the router as it was logging as well, details
below. Question is, did anyone see any outgoing SYN traffic from their
network? We are obviously curious what's behind these attacks. The ING has
been dealing with several different attacks over the past two weeks,
ranging from SYN flooding, UDP Chargen amplification attacks and DNS
amplification attacks on different parts of their infrastructure so we
suspect the use of a range of different botnets and tools but so far no
solid leads. These attacks are under the investigation of law enforcement.

The attack last Sunday (SYN FLOOD):

Begin Time:  Sunday 14 April 2013, 20:39 CEST (+0200)
End Time:    Sunday 14 April 2013, 20:42 CEST (+0200)
Source:      SPOOFED
Destination: 213.208.249.118 TCP/80*

Attack Details

IP flags          0
IP Time-to-live   > 250
TCP flags         SYN
TCP Sequence ID   0
TCP Window size   5840

Notes

The Begin Time and End Time specified in the Incident Details only reflect
the data provided by the packet captures. The actual attack may exceed
these timestamps.

Thx for checking!

Kind regards,
Dave Woutersen
--
Dave Woutersen
Security Specialist
+++++++++++++++++++++++++++++++++
National Cyber Security Centre
P-O- Box 117 | 2501 CC| The Hague | Netherlands| www.ncsc.nl
+++++++++++++++++++++++++++++++++
T +31 70 888 75 55 E dave.woutersen at ncsc.nl
PgP F52A F649 3EC9 CFC1 4F2D 95EC 22FF 43AD
+++++++++++++++++++++++++++++++++
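
One way to check a capture of outgoing traffic for the fingerprint listed in the report, as an added example that is not part of the original message: the function below tests raw IPv4 packets against the destination, IP flags, TTL, TCP flags, sequence number and window size given above. The packet builder, the documentation source addresses and the sample packets are constructed for illustration; checksums are left at zero and are not verified.

```python
import socket
import struct

TARGET = socket.inet_aton("213.208.249.118")  # destination given in the report

def matches_report(pkt: bytes) -> bool:
    """True if a raw IPv4 packet carries the fingerprint listed in the report."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        return False  # truncated, no full TCP header to inspect
    flags_frag, ttl, proto = struct.unpack_from("!HBB", pkt, 6)
    if proto != 6 or pkt[16:20] != TARGET or flags_frag & 0x1FFF:
        return False  # not TCP, other destination, or a non-first fragment
    dport, seq = struct.unpack_from("!HI", pkt, ihl + 2)
    tcp_flags = pkt[ihl + 13]
    (window,) = struct.unpack_from("!H", pkt, ihl + 14)
    return (flags_frag >> 13 == 0      # IP flags 0 (DF not set)
            and ttl > 250              # IP Time-to-live > 250
            and dport == 80            # TCP/80
            and tcp_flags == 0x02      # SYN only
            and seq == 0               # TCP Sequence ID 0
            and window == 5840)        # TCP Window size 5840

def build_packet(src, dst, ttl, ip_flags, seq, window, tcp_flags=0x02, dport=80):
    """Constructed test input: 20-byte IPv4 + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, ip_flags << 13, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4,
                      tcp_flags, window, 0, 0)
    return ip + tcp

# Constructed samples (documentation source addresses), not data from the incident.
SAMPLES = [
    build_packet("192.0.2.10", "213.208.249.118", 254, 0, 0, 5840),          # matches
    build_packet("192.0.2.11", "213.208.249.118", 64, 2, 0x1A2B3C4D, 5840),  # ordinary client: DF set, low TTL
    build_packet("192.0.2.12", "213.208.249.118", 250, 0, 0, 5840),          # TTL not above 250
    build_packet("192.0.2.13", "213.208.249.118", 255, 0, 0, 5840, 0x12),    # SYN+ACK
    build_packet("192.0.2.14", "198.51.100.7", 255, 0, 0, 5840),             # other destination
]

def count_matches(packets):
    """Number of packets in an iterable that match the reported fingerprint."""
    return sum(matches_report(p) for p in packets)

if __name__ == "__main__":
    print(count_matches(SAMPLES), "of", len(SAMPLES), "sample packets match")
```

The function expects bytes starting at the IPv4 header, so strip the link-layer header from captured frames before calling it.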