[nsp-sec] Ongoing DDoS against illinois.edu
Warren Raquel
wraquel at illinois.edu
Mon Mar 4 11:23:22 EST 2013
This was the time window for both of our attacks. Packets were 46 bytes
with just the SYN flag set. I used this filter for nfsen:
"proto TCP and (flags S and not flags AFRPU) and host <target> and bytes 46"
It seemed to filter out the SYN flood exclusively.
Attack 1 - CST (-0600)
Began: 2013-03-01 21:29:33.387
Ceased: 2013-03-01 23:34:59.297
Attack 2 - CST (-0600)
Began: 2013-03-02 07:22:58.140
Ceased: 2013-03-02 09:19:59.505
On 3/2/2013 12:18 PM, Buraglio, Nicholas D wrote:
> ----------- nsp-security Confidential --------
>
> I'll grab the actual time stamps but the rough window was midnight 3/2 until 9ish am 3/2.
>
> --
> nb
>
> On Mar 2, 2013, at 12:09 PM, "Michael Sinatra" <michael at rancid.berkeley.edu> wrote:
>
>> I have found at least a few in ESnet's address space that are clearly non-existent, but I am also checking netflow, as there are a few others in our site space that pop up in your list.
>>
>> There are also two UCB hosts that may be legitimate wireless hosts; I'll have Rune Stromsness check on those (has he been added to nsp-sec yet?).
>>
>> If you have start/stop timestamps, that would be great; otherwise, I'll infer timing from your emails.
>>
>> On 3/2/13 8:58 AM, Buraglio, Nicholas D wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> It's mostly died off at this point. Thanks for looking, would appreciate any other views and will report more as we find it. We saw a noticeable increase in ICMP around 11:30pm central last night right before it really ramped up.
>>>
>>> --
>>> nb
>>>
>>> On Mar 2, 2013, at 10:47 AM, "Joel Rosenblatt" <joel at columbia.edu> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a feeling that at least a few of these are spoofed addresses, since the one Columbia address does not seem to be hooked up to anything on our side.
>>>>
>>>> IP             Subnet             [Assignment]
>>>> 160.39.31.129  160.39.31.128/25   [Available (Expansion space)]
>>>>
>>>> ARP cache
>>>> IP             MAC                Last Seen
>>>>
>>>> I know it's a small sample, but that's all I have :-)
>>>>
>>>> good luck,
>>>> Joel
>>>>
>>>> --On Saturday, March 02, 2013 4:01 PM +0000 "Buraglio, Nicholas D" <buraglio at illinois.edu> wrote:
>>>>
>>>>> ----------- nsp-security Confidential --------
>>>>
>>>> Joel Rosenblatt, Director, Network & Computer Security
>>>> Columbia Information Security Office (CISO)
>>>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>>>> http://www.columbia.edu/~joel
>>>> Public PGP key
>>>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>
--
Warren Raquel
Sr. IT Security Analyst
CITES Security
University of Illinois Urbana-Champaign
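An added example, not part of the thread above: the nfsen filter quoted in the message ("proto TCP and (flags S and not flags AFRPU) and host <target> and bytes 46") re-implemented in Python over constructed nfdump-style flow lines, so that a defender can reproduce the Began/Ceased window the same way from their own flow export. The target address, the column layout and the sample records are assumptions made for the example.

```python
from datetime import datetime

# Constructed nfdump-style flow records (NOT real data): first-seen, duration,
# proto, src:port, ->, dst:port, TCP flags in nfdump's UAPRSF order, packets, bytes.
SAMPLE_FLOWS = """\
2013-03-01 21:29:33.387 0.000 TCP 192.0.2.10:4123  -> 198.51.100.5:80  ....S. 1 46
2013-03-01 21:29:33.402 0.000 TCP 192.0.2.11:5512  -> 198.51.100.5:80  ....S. 1 46
2013-03-01 21:30:01.000 1.230 TCP 192.0.2.12:61000 -> 198.51.100.5:80  .AP.SF 12 1840
2013-03-01 21:31:07.100 0.000 TCP 192.0.2.13:7001  -> 198.51.100.5:443 ....S. 1 60
2013-03-01 21:31:08.000 0.000 UDP 192.0.2.14:53    -> 198.51.100.5:5353 ...... 1 46
2013-03-01 23:34:59.297 0.000 TCP 192.0.2.15:1027  -> 198.51.100.5:80  ....S. 1 46
2013-03-01 23:40:00.000 0.000 TCP 192.0.2.16:1028  -> 203.0.113.9:80   ....S. 1 46
"""
TARGET = "198.51.100.5"  # assumed placeholder for the <target> in the nfsen filter


def parse_flow(line):
    """Split one nfdump-style line into the fields the filter needs."""
    f = line.split()
    return {
        "first": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S.%f"),
        "proto": f[3],
        "src": f[4].rsplit(":", 1)[0],   # strip the port
        "dst": f[6].rsplit(":", 1)[0],
        "flags": f[7],                   # six chars: U A P R S F, '.' = unset
        "bytes": int(f[9]),
    }


def matches_syn_only_filter(flow, target, size=46):
    """proto TCP and (flags S and not flags AFRPU) and host <target> and bytes <size>."""
    fl = flow["flags"]
    syn_set = fl[4] == "S"
    others_clear = all(fl[i] == "." for i in (0, 1, 2, 3, 5))  # U A P R F
    return (flow["proto"] == "TCP" and syn_set and others_clear
            and target in (flow["src"], flow["dst"]) and flow["bytes"] == size)


def attack_window(flow_text, target):
    """Return (began, ceased, matching_flow_count) as in the thread's report, or None."""
    hits = [f for f in (parse_flow(l) for l in flow_text.splitlines() if l.strip())
            if matches_syn_only_filter(f, target)]
    if not hits:
        return None
    fmt = lambda t: t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]  # millisecond precision
    return fmt(min(h["first"] for h in hits)), fmt(max(h["first"] for h in hits)), len(hits)


if __name__ == "__main__":
    print(attack_window(SAMPLE_FLOWS, TARGET))
```

The mixed-flag flow, the 60-byte SYN and the UDP record are included so the filter's three exclusions (flag set, size, protocol) can each be seen rejecting a line.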