[nsp-sec] ddos against 1and1
Dirk Stander
dst+nsp-sec at glaskugel.org
Sun Mar 3 14:03:45 EST 2013
1&1 is currently suffering a ddos attack against various portal sites.
It's a SYN flood, most probably spoofed, targeting the following IPs:
www.1and1.com TCP/80 (74.208.4.60),
admin.1and1.com TCP/443 (74.208.4.5) and
www.1and1.fr TCP/80 (212.227.216.63)
some packets:
14:49:47.291177 IP 202.102.60.209.31488 > 74.208.4.60.80: Flags [S], seq 3271755367, win 17473, options [mss 1460], length 0
0x0000: 4500 002c 119b 4000 6d06 a5ed ca66 3cd1 E..,..@.m....f<.
0x0010: 4ad0 043c 7b00 0050 c303 0667 0000 0000 J..<{..P...g....
0x0020: 6002 4441 b8e6 0000 0204 05b4 0000 `.DA..........
14:49:47.291177 IP 210.83.251.230.7729 > 74.208.4.60.80: Flags [S], seq 4229991952, win 17473, options [mss 1460], length 0
0x0000: 4500 002c 2d38 4000 6e06 c24d d253 fbe6 E..,-8@.n..M.S..
0x0010: 4ad0 043c 1e31 0050 fc20 8e10 0000 0000 J..<.1.P........
0x0020: 6002 4441 8dec 0000 0204 05b4 0000 `.DA..........
14:49:47.291178 IP 218.108.200.138.19477 > 74.208.4.60.80: Flags [S], seq 2466540794, win 17473, options [mss 1460], length 0
0x0000: 4500 002c 2d4f 4000 6e06 ed79 da6c c88a E..,-O@.n..y.l..
0x0010: 4ad0 043c 4c15 0050 9304 6cfa 0000 0000 J..<L..P..l.....
0x0020: 6002 4441 157e 0000 0204 05b4 0000 `.DA.~........
14:49:47.291179 IP 210.73.93.102.38701 > 74.208.4.60.80: Flags [S], seq 2035612187, win 17473, options [mss 1460], length 0
0x0000: 4500 002c 429a 4000 7206 4776 d249 5d66 E..,B.@.r.Gv.I]f
0x0010: 4ad0 043c 972d 0050 7954 fa1b 0000 0000 J..<.-.PyT......
0x0020: 6002 4441 ca3b 0000 0204 05b4 0000 `.DA.;........
(the window size of 17473 seems to be a constant pattern)
The attack started today 2013-03-03, at 4:55 UTC with about 1.0Gbit/s (1.50M P/s)
against each target, with a peak at 8:30 UTC with 6.20Gbit/s (10.80M P/s).
The attack is ongoing and has an aggregated bandwidth of about 20Gbit/s.
A good amount of the traffic enters 1&1's backbone in Amsterdam coming from
Level3.
Does anyone recognise this attack pattern or have any intel about the botnet
used?
Thanks, Dirk Stander
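A defender-side check for the pattern described in the post (an added example, not part of Dirk's message): it parses tcpdump summary lines, groups SYNs by destination, and flags a destination when nearly all of its SYNs carry the same window size and TCP options while the source addresses never repeat, which is what a spoofed flood from a single tool looks like. The four packets from the post are used as input together with three constructed benign SYNs to a placeholder address; the thresholds (min_syns, dominance) are assumptions, not values from the post.

```python
import re
from collections import Counter, defaultdict

# tcpdump summary-line format, as in the post, e.g.:
# 14:49:47.291177 IP 202.102.60.209.31488 > 74.208.4.60.80: Flags [S], seq 3271755367, win 17473, options [mss 1460], length 0
SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[S\], seq \d+, win (?P<win>\d+), options \[(?P<opts>[^\]]*)\]"
)


def parse_syns(lines):
    """Yield one dict per pure-SYN summary line; hex-dump lines and non-SYN lines are skipped."""
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["win"] = int(d["win"])
            yield d


def syn_flood_signature(lines, min_syns=3, dominance=0.9):
    """Group SYNs by destination ip:port.

    A destination is flagged when it has at least min_syns SYNs and a single
    (window, options) fingerprint accounts for >= dominance of them. Normal
    client populations show a spread of window sizes and option sets, so one
    dominant fingerprint across many distinct sources is the tell-tale sign.
    The thresholds are assumptions chosen for this example.
    """
    by_dst = defaultdict(list)
    for p in parse_syns(lines):
        by_dst[(p["dst"], p["dport"])].append(p)

    report = {}
    for (ip, port), pkts in by_dst.items():
        fingerprints = Counter((p["win"], p["opts"]) for p in pkts)
        (top_win, top_opts), top_n = fingerprints.most_common(1)[0]
        share = top_n / len(pkts)
        report[f"{ip}:{port}"] = {
            "syns": len(pkts),
            "distinct_sources": len({p["src"] for p in pkts}),
            "top_fingerprint": {"win": top_win, "options": top_opts, "share": round(share, 2)},
            "flagged": len(pkts) >= min_syns and share >= dominance,
        }
    return report


# Input: the four SYNs quoted in the post (hex-dump lines included to show they are ignored)
# plus three constructed benign SYNs to a placeholder documentation address.
SAMPLE_LINES = [
    "14:49:47.291177 IP 202.102.60.209.31488 > 74.208.4.60.80: Flags [S], seq 3271755367, win 17473, options [mss 1460], length 0",
    "0x0000: 4500 002c 119b 4000 6d06 a5ed ca66 3cd1 E..,..@.m....f<.",
    "14:49:47.291177 IP 210.83.251.230.7729 > 74.208.4.60.80: Flags [S], seq 4229991952, win 17473, options [mss 1460], length 0",
    "14:49:47.291178 IP 218.108.200.138.19477 > 74.208.4.60.80: Flags [S], seq 2466540794, win 17473, options [mss 1460], length 0",
    "14:49:47.291179 IP 210.73.93.102.38701 > 74.208.4.60.80: Flags [S], seq 2035612187, win 17473, options [mss 1460], length 0",
    # constructed benign traffic: varied windows and option sets, as real client stacks produce
    "14:49:48.000001 IP 203.0.113.7.51234 > 198.51.100.10.443: Flags [S], seq 1, win 65535, options [mss 1460,sackOK,TS val 10 ecr 0,nop,wscale 7], length 0",
    "14:49:48.000002 IP 203.0.113.8.51235 > 198.51.100.10.443: Flags [S], seq 2, win 29200, options [mss 1460,sackOK,TS val 11 ecr 0,nop,wscale 9], length 0",
    "14:49:48.000003 IP 203.0.113.9.51236 > 198.51.100.10.443: Flags [S], seq 3, win 8192, options [mss 1440,nop,wscale 8,sackOK], length 0",
]

if __name__ == "__main__":
    for dst, info in syn_flood_signature(SAMPLE_LINES).items():
        print(dst, info)
```

In practice this runs over a longer `tcpdump -nn 'tcp[tcpflags] == tcp-syn'` capture; the fingerprint (window 17473, a bare mss 1460 option, no timestamps or window scaling) is also a reasonable basis for an ACL or flow-telemetry filter to measure how much of the inbound SYN rate the flood accounts for, independent of the spoofed source addresses.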