[nsp-sec] >37,000 Drone large botnet
Phil Rosenthal
pr at isprime.com
Wed Mar 6 20:54:38 EST 2013
Hello all,
We've got a DDoS going against one of our customers at this time.
*We are having no problem filtering the attack within our network, so please DO NOT blackhole anything on ISPrime's network.*
We are posting this merely to help the community eliminate a large and dangerous botnet.
This Botnet seems to be very intelligent/adaptive.
We have discovered that the attack stops when we kill the webserver on the victim IP, but quickly starts back up again after restarting the webserver, and further that when we have filters in place to mitigate the attack, it levels out to only about 1Gbps (just to be annoying I guess?), but when the filters are removed, the attack increases to larger than 16Gbps.
The source IPs of the attack seem to be slowly rolling through a huge list, so each drone seems to remain idle for several minutes at a time, while others are carrying on the attack -- I assume to minimize disruption to the attack source networks and minimize the risk of detection.
Also interesting is the huge number of IP addresses in 2.0.0.0/8 3.0.0.0/8 and 4.0.0.0/8. Initially we believed the attack to be spoofed, but because of the high frequency of specific /32's within those /8's, we now believe that the attack is not spoofed (but would love evidence to the contrary).
Attached to this email is a list of all IPs we have detected so far (though we know there are more IPs we have not yet detected due to this rolling nature). Perhaps we will post a follow-up later on if we are able to detect significant new IP addresses.
We would love commentary from responsible parties for the below ASNs to confirm that you do in fact see attack behavior.
The attack is TCP/80 SYN (varying sizes, 40, 44, and also some >1000 byte SYN packets), UDP/80
Victim IP is 64.111.213.29
Since we have effectively filtered the attack, we are seeing the attack only very sporadically now -- approximately 20 seconds every 5 minutes, so you would probably have to look at historical graphs for this anomaly.
The list of ASNs we see in this attack are (first number is number of hits, second number is ASN, sorted from most to least):
Hits ASN
15780 3215
7398 12576
4466 30722
1775 44957
979 3257
725 80
370 20940
329 31377
324 44034
301 3320
292 1273
288 29355
266 5607
254 3356
239 5384
238 1299
232 41440
221 12400
197 13285
193 5511
161 6762
156 3269
151 12874
144 3292
130 4436
113 25019
111 3243
110 4837
109 4134
100 6799
85 12880
72 3301
68 286
64 8402
61 NA
54 12638
52 3549
47 3209
46 16232
44 44178
40 16625
29 44244
28 9158
26 9198
26 3352
23 21788
21 48159
20 2119
17 3216
17 24608
16 6739
16 34164
12 9808
9 4812
8 4847
7 8997
7 4808
6 58313
6 56465
6 4538
6 15600
5 9318
5 4766
5 20825
5 197043
4 50810
4 38283
4 3786
4 35819
4 12222
3 9394
3 8966
3 719
3 6939
3 42689
3 35805
3 29247
3 24445
3 23650
3 17621
3 12683
2 9803
2 6813
2 56046
2 56041
2 5410
2 49687
2 45899
2 44050
2 40676
2 37943
2 35908
2 29761
2 29691
2 29286
2 28802
2 2856
2 24400
2 24085
2 20454
2 18450
2 18403
2 17816
2 17638
2 12332
1 Bulk
1 9845
1 9801
1 9272
1 9116
1 8708
1 8473
1 7643
1 7506
1 7018
1 61408
1 59703
1 59581
1 59441
1 59395
1 58688
1 58450
1 58243
1 57858
1 56047
1 56005
1 53845
1 51430
1 5089
1 50512
1 4835
1 4802
1 4788
1 47764
1 4760
1 47206
1 4645
1 45668
1 45528
1 45223
1 44574
1 42337
1 39906
1 39603
1 39020
1 38248
1 37986
1 37963
1 3790
1 36351
1 35662
1 35193
1 3491
1 34296
1 33934
1 33070
1 32613
1 3261
1 31721
1 31200
1 30217
1 30058
1 29456
1 28719
1 26464
1 25653
1 25233
1 25160
1 25151
1 24863
1 24530
1 24453
1 23974
1 23771
1 21844
1 21243
1 20978
1 20853
1 198885
1 18978
1 18881
1 18429
1 17974
1 17820
1 17672
1 17557
1 17547
1 17501
1 17444
1 16397
1 16276
1 15003
1 13768
1 132510
1 131353
1 10938
1 10029
1 10026
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 37kbotnet-march-6-2013
Type: application/octet-stream
Size: 4276578 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20130306/20593a1f/attachment-0001.obj>
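As an added example (not part of the post above and not ISPrime's tooling), the following script shows how a defender can turn raw flow records from a flood like this into the three observations the post makes: a hits-per-ASN table in the same "Hits ASN" layout, the per-source burst/idle pattern behind the "slowly rolling" source list, and SYN packets far above the normal header size. Every input line, prefix and ASN in it is constructed (TEST-NET addresses, RFC 5398 documentation ASNs 64496-64498, a hypothetical prefix table); only the victim address comes from the post. A real deployment would feed it NetFlow/sFlow export and a prefix-to-ASN table from a routing feed.

```python
"""Added example, not from the nsp-sec post: summarise flood flow records
into hits per ASN, per-source burst pattern and oversized SYNs.
All flows, prefixes and ASNs below are constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

VICTIM = "64.111.213.29"  # victim address as stated in the post

# Hypothetical prefix -> origin ASN table (constructed; use a routing feed in practice).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
}
# Longest prefix first so the most specific route wins.
_PREFIXES = sorted(((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_ASN.items()),
                   key=lambda pa: pa[0].prefixlen, reverse=True)

# Constructed flow records: time src dst dport proto flags length
SAMPLE_FLOWS = """\
2013-03-06T20:30:00 192.0.2.10 64.111.213.29 80 TCP S 40
2013-03-06T20:30:01 192.0.2.11 64.111.213.29 80 TCP S 44
2013-03-06T20:30:02 198.51.100.5 64.111.213.29 80 TCP S 1200
2013-03-06T20:30:03 203.0.113.7 64.111.213.29 80 UDP - 512
2013-03-06T20:30:04 192.0.2.10 64.111.213.29 80 TCP S 40
2013-03-06T20:30:05 192.0.2.10 64.111.213.29 443 TCP S 40
2013-03-06T20:30:06 192.0.2.10 64.111.213.29 80 TCP A 52
2013-03-06T20:35:10 192.0.2.10 64.111.213.29 80 TCP S 40
2013-03-06T20:35:11 192.0.2.11 64.111.213.29 80 TCP S 44
2013-03-06T20:35:12 198.51.100.5 64.111.213.29 80 TCP S 1460
2013-03-06T20:35:13 100.64.0.9 64.111.213.29 80 TCP S 40
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    flags: str
    length: int


def parse_flows(text):
    """Parse the whitespace-separated constructed flow format above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags, length = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport),
                          proto, flags, int(length)))
    return flows


def attack_flows(flows, victim=VICTIM):
    """Keep only what the post describes: TCP/80 SYN and UDP/80 towards the victim."""
    return [f for f in flows if f.dst == victim and f.dport == 80
            and ((f.proto == "TCP" and "S" in f.flags) or f.proto == "UDP")]


def asn_for(ip):
    """Longest-prefix match; 'NA' for sources outside the table, as in the post's list."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _PREFIXES:
        if addr in net:
            return asn
    return "NA"


def hits_per_asn(flows):
    """List of (hits, asn), most hits first, matching the post's 'Hits ASN' table."""
    counts = Counter(asn_for(f.src) for f in flows)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [(hits, asn) for asn, hits in ordered]


def source_bursts(flows, idle_gap=60):
    """Per source IP: (number of active bursts, longest idle gap in seconds).
    A new burst starts whenever two packets from one source are more than
    idle_gap seconds apart; many sources with several short bursts and long
    idle gaps is the rolling pattern the post describes."""
    times = defaultdict(list)
    for f in flows:
        times[f.src].append(f.ts)
    result = {}
    for src, ts in times.items():
        ts.sort()
        bursts, longest = 1, 0
        for earlier, later in zip(ts, ts[1:]):
            gap = (later - earlier).total_seconds()
            longest = max(longest, gap)
            if gap > idle_gap:
                bursts += 1
        result[src] = (bursts, int(longest))
    return result


def oversized_syns(flows, threshold=1000):
    """(src, length) for SYNs larger than threshold; a bare SYN is normally 40-60 bytes."""
    return [(f.src, f.length) for f in flows
            if f.proto == "TCP" and "S" in f.flags and f.length > threshold]


if __name__ == "__main__":
    atk = attack_flows(parse_flows(SAMPLE_FLOWS))
    print("Hits ASN")
    for hits, asn in hits_per_asn(atk):
        print(hits, asn)
    for src, (bursts, idle) in source_bursts(atk).items():
        print(f"{src}: {bursts} burst(s), longest idle {idle}s")
    print("oversized SYNs:", oversized_syns(atk))
```

Running it on the constructed sample prints a four-row hits table (5, 2, 1 and 1 NA), shows each /24 source returning after roughly five minutes idle, and flags the two SYNs over 1000 bytes; the port-443 and ACK-only records are dropped by `attack_flows`, which is the filter to widen if the attack changes ports or protocols.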