[nsp-sec] ddos against 1and1
Buraglio, Nicholas D
buraglio at illinois.edu
Sun Mar 3 15:32:39 EST 2013
This looks suspiciously like the one we saw yesterday. I'll tap our guy who was decoding it and see if the window size matches.
--
nb
On Mar 3, 2013, at 1:04 PM, "Dirk Stander" <dst+nsp-sec at glaskugel.org> wrote:
> ----------- nsp-security Confidential --------
>
> 1&1 is currently suffering a ddos attack against various portal sites.
> It's a SYN flood, most probably spoofed, targeting the following IPs:
>
> www.1and1.com TCP/80 (74.208.4.60),
> admin.1and1.com TCP/443 (74.208.4.5) and
> www.1and1.fr TCP/80 (212.227.216.63)
>
> some packets:
>
> 14:49:47.291177 IP 202.102.60.209.31488 > 74.208.4.60.80: Flags [S], seq 3271755367, win 17473, options [mss 1460], length 0
> 0x0000: 4500 002c 119b 4000 6d06 a5ed ca66 3cd1 E..,..@.m....f<.
> 0x0010: 4ad0 043c 7b00 0050 c303 0667 0000 0000 J..<{..P...g....
> 0x0020: 6002 4441 b8e6 0000 0204 05b4 0000 `.DA..........
> 14:49:47.291177 IP 210.83.251.230.7729 > 74.208.4.60.80: Flags [S], seq 4229991952, win 17473, options [mss 1460], length 0
> 0x0000: 4500 002c 2d38 4000 6e06 c24d d253 fbe6 E..,-8@.n..M.S..
> 0x0010: 4ad0 043c 1e31 0050 fc20 8e10 0000 0000 J..<.1.P........
> 0x0020: 6002 4441 8dec 0000 0204 05b4 0000 `.DA..........
> 14:49:47.291178 IP 218.108.200.138.19477 > 74.208.4.60.80: Flags [S], seq 2466540794, win 17473, options [mss 1460], length 0
> 0x0000: 4500 002c 2d4f 4000 6e06 ed79 da6c c88a E..,-O@.n..y.l..
> 0x0010: 4ad0 043c 4c15 0050 9304 6cfa 0000 0000 J..<L..P..l.....
> 0x0020: 6002 4441 157e 0000 0204 05b4 0000 `.DA.~........
> 14:49:47.291179 IP 210.73.93.102.38701 > 74.208.4.60.80: Flags [S], seq 2035612187, win 17473, options [mss 1460], length 0
> 0x0000: 4500 002c 429a 4000 7206 4776 d249 5d66 E..,B.@.r.Gv.I]f
> 0x0010: 4ad0 043c 972d 0050 7954 fa1b 0000 0000 J..<.-.PyT......
> 0x0020: 6002 4441 ca3b 0000 0204 05b4 0000 `.DA.;........
>
> (the window size of 17473 seems to be a constant pattern)
>
> The attack started today 2013-03-03, at 4:55 UTC with about 1.0Gbit/s (1.50M P/s)
> against each target, with a peak at 8:30 UTC with 6.20Gbit/s (10.80M P/s).
> The attack is ongoing and has an aggregated bandwidth of about 20Gbit/s.
>
> A good amount of the traffic enters 1&1's backbone in Amsterdam coming from
> Level3.
>
> Does anyone recognise this attack pattern or have any intel about the botnet
> used?
>
> Thanks, Dirk Stander
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
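An added example, not from the thread or from 1&1: a small Python checker for the signature Dirk describes. It decodes IPv4/TCP headers out of tcpdump -x style hex dumps (tolerating the trailing ASCII column) and counts bare SYNs carrying the constant window 17473 per target host and port. The input is constructed: the first packet is the one quoted above, the second is a made-up ACK that must not match.

```python
import re
from collections import Counter
from ipaddress import IPv4Address
# Signature from the thread: bare SYNs whose TCP window is exactly 17473.
FLOOD_WINDOW, TCP_SYN, TCP_ACK = 17473, 0x02, 0x10
# Constructed 'tcpdump -x' input: packet 1 is the first SYN quoted in the thread
# (ASCII column kept), packet 2 is a made-up ACK that must not match.
SAMPLE_DUMP = """\
0x0000: 4500 002c 119b 4000 6d06 a5ed ca66 3cd1 E..,..@.m....f<.
0x0010: 4ad0 043c 7b00 0050 c303 0667 0000 0000 J..<{..P...g....
0x0020: 6002 4441 b8e6 0000 0204 05b4 0000      `.DA..........
0x0000: 4500 0028 1a2b 4000 3f06 0000 0a00 0001
0x0010: 4ad0 043c c350 0050 0000 0001 0000 0000
0x0020: 5010 ffff 0000 0000
"""

def split_dumps(text):  # -> list of raw packet bytes; a packet starts at offset 0x0000
    packets, current = [], []
    for line in text.splitlines():
        m = re.match(r"\s*0x([0-9a-f]{4}):\s*(.*)", line, re.I)
        if not m:
            continue
        if int(m.group(1), 16) == 0 and current:
            packets.append(bytes.fromhex("".join(current)))
            current = []
        for tok in m.group(2).split():  # hex groups end where the ASCII column begins
            if not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", tok, re.I):
                break
            current.append(tok)
    if current:
        packets.append(bytes.fromhex("".join(current)))
    return packets

def decode_tcp(pkt):  # -> (src, dst, dport, flags, window) or None; checksums not verified
    if pkt[0] >> 4 != 4 or pkt[9] != 6:  # IPv4 carrying protocol 6 (TCP) only
        return None
    tcp = pkt[(pkt[0] & 0x0F) * 4:]  # TCP header follows the IP header (IHL in 32-bit words)
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            int.from_bytes(tcp[2:4], "big"), tcp[13], int.from_bytes(tcp[14:16], "big"))

def matches_flood(fields):  # SYN set, ACK clear, and the constant window from the thread
    return (fields[3] & (TCP_SYN | TCP_ACK)) == TCP_SYN and fields[4] == FLOOD_WINDOW

def summarize(text):  # -> Counter of signature hits keyed by (target IP, port)
    hits = Counter()
    for fields in map(decode_tcp, split_dumps(text)):
        if fields and matches_flood(fields):
            hits[(fields[1], fields[2])] += 1
    return hits
```

Feeding it a capture taken with tcpdump -x on the target side gives a per-target count of matching SYNs, which is the quick check Nicholas mentions for comparing the window size against yesterday's attack.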