[nsp-sec] Help with DDOS attack against 67.43.132.27 (AS 4766, 4134 and others)

Mike Tancsa mike at sentex.net
Wed Apr 24 22:02:53 EDT 2013


A customer's webserver is the target of a multi-gigabit DDoS attack: 1024-byte UDP packets.

It started around 01:30 UTC, April 25th.

The packets don't seem to be spoofed, but they might be.  Sample pcap at http://www.tancsa.com/AS11647-attack.zip

passwd is BIGUDP1024

The packets are nothing special. Just padded with 0x58. Size 1024. Ephemeral ports seem to naturally increment and are not random, which leads me to think they are not spoofed.  Usually the source ports have more randomness in spoofed packets.
e.g.

21:39:22.729051 IP 72.44.102.220.49993 > 67.43.132.27.33: UDP, length 1024
21:39:22.729062 IP 72.44.102.220.49993 > 67.43.132.27.33: UDP, length 1024
21:39:22.729176 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729302 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729426 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729436 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729562 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729677 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729801 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729804 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729926 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.731175 IP 72.44.102.220.49997 > 67.43.132.27.33: UDP, length 1024
21:39:22.731300 IP 72.44.102.220.49997 > 67.43.132.27.33: UDP, length 1024
21:39:22.731303 IP 72.44.102.220.49997 > 67.43.132.27.33: UDP, length 1024

AS      | IP               | AS Name
577     | 69.158.119.117   | BACOM - Bell Canada
3786    | 1.215.146.156    | LGDACOM LG DACOM Corporation
3786    | 1.221.45.45      | LGDACOM LG DACOM Corporation
3786    | 123.142.73.180   | LGDACOM LG DACOM Corporation
4134    | 1.85.37.236      | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 113.245.36.154   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 115.216.15.114   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 180.142.191.181  | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 218.76.31.19     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 222.76.210.103   | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 222.89.46.76     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 49.75.179.14     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 60.181.34.157    | CHINANET-BACKBONE No.31,Jin-rong Street
4766    | 112.161.137.89   | KIXS-AS-KR Korea Telecom
4766    | 112.162.231.154  | KIXS-AS-KR Korea Telecom
4766    | 112.185.148.175  | KIXS-AS-KR Korea Telecom
4766    | 118.44.24.3      | KIXS-AS-KR Korea Telecom
4766    | 119.195.38.173   | KIXS-AS-KR Korea Telecom
4766    | 121.128.236.196  | KIXS-AS-KR Korea Telecom
4766    | 121.156.161.251  | KIXS-AS-KR Korea Telecom
4766    | 121.175.145.133  | KIXS-AS-KR Korea Telecom
4766    | 175.197.12.47    | KIXS-AS-KR Korea Telecom
4766    | 183.96.183.19    | KIXS-AS-KR Korea Telecom
4766    | 221.154.52.249   | KIXS-AS-KR Korea Telecom
4766    | 221.158.255.193  | KIXS-AS-KR Korea Telecom
4766    | 61.76.206.78     | KIXS-AS-KR Korea Telecom
4812    | 116.237.103.155  | CHINANET-SH-AP China Telecom (Group)
4837    | 120.11.245.177   | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837    | 125.37.141.19    | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837    | 125.46.74.168    | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837    | 218.25.197.134   | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837    | 221.203.207.126  | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837    | 222.134.147.158  | CHINA169-BACKBONE CNCGROUP China169 Backbone
9318    | 118.221.58.185   | HANARO-AS Hanaro Telecom Inc.
9318    | 211.187.127.63   | HANARO-AS Hanaro Telecom Inc.
9811    | 219.237.197.147  | BJGY srit corp.,beijing.
10423   | 72.44.102.220    | SPARTAN-NET - Spartan-Net
14618   | 50.19.206.200    | AMAZON-AES - Amazon.com, Inc.
14618   | 54.243.58.26     | AMAZON-AES - Amazon.com, Inc.
17429   | 219.237.197.147  | BGCTVNET BEIJING GEHUA CATV NETWORK CO.LTD
17858   | 182.208.97.192   | KRNIC-ASBLOCK-AP KRNIC
17964   | 124.200.24.68    | DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
18313   | 110.47.225.50    | PCN-AS-KR CJ-CABLENET
18403   | 118.70.223.228   | FPT-AS-AP The Corporation for Financing & Promoting Technology
38103   | 123.254.169.239  | QRIXNETKS-AS-KR Kwangjinsongdong Cable Television Co,. Ltd.

Any help would be appreciated.

	---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
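As an added example (not code from the original post or from Sentex), here is a small Python script that applies the reasoning in the mail to tcpdump's one-line UDP output: it groups packets toward the victim by source address, counts packets and bytes per source, and reports how the source ports behave. The heuristic (an assumption that follows the poster's observation, not a proof of anything) is that a real host reuses its ephemeral ports or advances them in small steps, so the distinct-port count and port span stay small, whereas spoofed floods tend to scatter ports across the whole range. The first 14 sample lines are the ones quoted in the post; the sources in 203.0.113.0/24 are constructed (TEST-NET-3) to show the other two outcomes. The thresholds in `summarize_sources` and the helper `is_filler_payload` are this example's own choices.

```python
import re
from collections import defaultdict

# Added example, not code from the original post. Parses tcpdump's one-line UDP
# summaries, the format quoted in the mail, e.g.:
#   21:39:22.729051 IP 72.44.102.220.49993 > 67.43.132.27.33: UDP, length 1024
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)

TARGET = "67.43.132.27"  # the victim address from the post

# The tcpdump sample quoted in the post (14 packets from one source).
PAGE_LINES = """\
21:39:22.729051 IP 72.44.102.220.49993 > 67.43.132.27.33: UDP, length 1024
21:39:22.729062 IP 72.44.102.220.49993 > 67.43.132.27.33: UDP, length 1024
21:39:22.729176 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729302 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729426 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729436 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729562 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729677 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729801 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729804 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.729926 IP 72.44.102.220.49986 > 67.43.132.27.33: UDP, length 1024
21:39:22.731175 IP 72.44.102.220.49997 > 67.43.132.27.33: UDP, length 1024
21:39:22.731300 IP 72.44.102.220.49997 > 67.43.132.27.33: UDP, length 1024
21:39:22.731303 IP 72.44.102.220.49997 > 67.43.132.27.33: UDP, length 1024
""".splitlines()

# Constructed traffic (not from the post): one source whose ports are scattered
# across the range, and one with too few packets to judge. 203.0.113.0/24 is TEST-NET-3.
SCATTERED_PORTS = [1057, 40211, 7733, 61002, 23456, 9981,
                   55012, 30000, 17777, 49001, 3333, 64000]
CONSTRUCTED_LINES = [
    f"21:39:23.{i:06d} IP 203.0.113.9.{p} > {TARGET}.33: UDP, length 1024"
    for i, p in enumerate(SCATTERED_PORTS)
] + [
    f"21:39:24.{i:06d} IP 203.0.113.77.{p} > {TARGET}.33: UDP, length 1024"
    for i, p in enumerate([50001, 50002, 50003])
]
SAMPLE_LINES = PAGE_LINES + CONSTRUCTED_LINES


def parse_line(line):
    """Return a dict for one tcpdump UDP line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "length": int(m["length"])}


def summarize_sources(lines, target, min_packets=10):
    """Per-source packet/byte counts plus a verdict on source-port behaviour.

    Heuristic (assumption, see lead-in): few distinct ports within a narrow span is
    consistent with a real host; nearly all-distinct ports over a wide span suggests
    spoofing. Sources with fewer than `min_packets` packets are not judged.
    """
    ports = defaultdict(list)
    byte_total = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != target:
            continue
        ports[rec["src"]].append(rec["sport"])
        byte_total[rec["src"]] += rec["length"]

    report = {}
    for src, plist in ports.items():
        count, distinct = len(plist), len(set(plist))
        span = max(plist) - min(plist)
        if count < min_packets:
            verdict = "too few packets"
        elif distinct >= 0.8 * count and span > 4096:
            verdict = "ports scattered (possible spoofing)"
        else:
            verdict = "ports clustered (consistent with a real host)"
        report[src] = {"packets": count, "bytes": byte_total[src],
                       "distinct_ports": distinct, "port_span": span, "verdict": verdict}
    return report


def is_filler_payload(payload, fill=0x58):
    """True when a UDP payload is one repeated byte (the post reports 0x58 padding)."""
    return len(payload) > 0 and payload == bytes([fill]) * len(payload)


if __name__ == "__main__":
    for src, s in summarize_sources(SAMPLE_LINES, TARGET).items():
        print(f"{src:16} {s['packets']:5d} pkts {s['bytes']:8d} B "
              f"{s['distinct_ports']:3d} ports  span {s['port_span']:5d}  {s['verdict']}")
```

To run it over the real capture, feed the script the output of `tcpdump -nn -r capture.pcap udp` instead of `SAMPLE_LINES`; the per-source byte totals are what you would hand to the upstream ASNs listed in the table, and `is_filler_payload` is the check to apply to each packet's payload once the pcap is decoded, since a constant 0x58 fill is a usable filter signature at the edge.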


