[nsp-sec] >37,000 Drone large botnet
Stephen Gill
gillsr at cymru.com
Wed Mar 6 21:03:37 EST 2013
I'm guessing spoofed with a pseudo-consistent source algo, though it would
be good to confirm with the would-be victim list.
Is the attack TCP SYN, or are you seeing any full connections established?
The reason is these look fishy:
NA | 2.15.34.45 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.15.45.8 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.10.154 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.102.50 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.103.133 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.106.100 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.107.71 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.11.12 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.114.186 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.15.164 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.16.182 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.18.58 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.19.156 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.19.76 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.20.14 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.201.152 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.21.192 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.21.32 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.22.210 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.22.50 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.221.112 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.24.169 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.25.184 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.25.24 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.26.122 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.28.78 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.30.34 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.31.132 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.40.134 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.42.170 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.43.108 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.44.214 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.48.118 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.49.216 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.57.120 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.59.76 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.6.82 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.62.1 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.69.16 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.69.176 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.7.180 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.7.20 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.71.212 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.74.186 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.74.26 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.75.124 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.75.44 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.78.178 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.8.118 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.8.198 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.8.38 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.89.56 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.9.136 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.9.216 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.9.56 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.90.74 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.91.172 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.94.146 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.95.70 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.96.22 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.97.40 | NA | FR | ripencc | 2010-07-12 | NA
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.team-cymru.org | +1 (847) 378-3323 | gillsr at cymru.com
On 3/6/13 6:54 PM, "Phil Rosenthal" <pr at isprime.com> wrote:
>----------- nsp-security Confidential --------
>
>Hello all,
>
>We've got a DDoS going against one of our customers at this time.
>
>*We are having no problem filtering the attack within our network, so
>please DO NOT blackhole anything on ISPrime's network.*
>
>We are posting this merely to help the community eliminate a large and
>dangerous botnet.
>
>
>This Botnet seems to be very intelligent/adaptive.
>We have discovered that the attack stops when we kill the webserver on
>the victim IP, but quickly starts back up again after restarting the
>webserver, and further that when we have filters in place to mitigate the
>attack, it levels out to only about 1Gbps (just to be annoying I guess?),
>but when the filters are removed, the attack increases to larger than
>16Gbps.
>
>The source IP's of the attack seem to be slowly rolling through a huge
>list, so each drone seems to remain idle for several minutes at a time,
>while others are carrying on the attack -- I assume to minimize
>disruption to the attack source networks and minimize the risk of
>detection.
>
>Also interesting is the huge number of IP addresses in 2.0.0.0/8
>3.0.0.0/8 and 4.0.0.0/8. Initially we believed the attack to be spoofed,
>but because of the high frequency of specific /32's within those /8's, we
>now believe that the attack is not spoofed (but would love evidence to
>the contrary).
>
>Attached to this email is a list of all IP's we have detected so far
>(though we know there are more IP's we have not yet detected due to this
>rolling nature). Perhaps we will post a follow-up later on if we are
>able to detect significant new IP addresses.
>
>
>We would love commentary from responsible parties for the below ASN's to
>confirm that you do in fact see attack behavior.
>The attack is TCP/80 SYN (varying sizes, 40, 44, and also some >1000 byte
>SYN packets), UDP/80
>Victim IP is 64.111.213.29
>
>Since we have effectively filtered the attack, we are seeing the attack
>only very sporadically now -- approximately 20 seconds every 5 minutes,
>so you would probably have to look at historical graphs for this anomaly.
>
>The list of ASN's we see in this attack are (first number is number of
>hits, second number is ASN, sorted from most to least):
>Hits ASN
>15780 3215
>7398 12576
>4466 30722
>1775 44957
> 979 3257
> 725 80
> 370 20940
> 329 31377
> 324 44034
> 301 3320
> 292 1273
> 288 29355
> 266 5607
> 254 3356
> 239 5384
> 238 1299
> 232 41440
> 221 12400
> 197 13285
> 193 5511
> 161 6762
> 156 3269
> 151 12874
> 144 3292
> 130 4436
> 113 25019
> 111 3243
> 110 4837
> 109 4134
> 100 6799
> 85 12880
> 72 3301
> 68 286
> 64 8402
> 61 NA
> 54 12638
> 52 3549
> 47 3209
> 46 16232
> 44 44178
> 40 16625
> 29 44244
> 28 9158
> 26 9198
> 26 3352
> 23 21788
> 21 48159
> 20 2119
> 17 3216
> 17 24608
> 16 6739
> 16 34164
> 12 9808
> 9 4812
> 8 4847
> 7 8997
> 7 4808
> 6 58313
> 6 56465
> 6 4538
> 6 15600
> 5 9318
> 5 4766
> 5 20825
> 5 197043
> 4 50810
> 4 38283
> 4 3786
> 4 35819
> 4 12222
> 3 9394
> 3 8966
> 3 719
> 3 6939
> 3 42689
> 3 35805
> 3 29247
> 3 24445
> 3 23650
> 3 17621
> 3 12683
> 2 9803
> 2 6813
> 2 56046
> 2 56041
> 2 5410
> 2 49687
> 2 45899
> 2 44050
> 2 40676
> 2 37943
> 2 35908
> 2 29761
> 2 29691
> 2 29286
> 2 28802
> 2 2856
> 2 24400
> 2 24085
> 2 20454
> 2 18450
> 2 18403
> 2 17816
> 2 17638
> 2 12332
> 1 Bulk
> 1 9845
> 1 9801
> 1 9272
> 1 9116
> 1 8708
> 1 8473
> 1 7643
> 1 7506
> 1 7018
> 1 61408
> 1 59703
> 1 59581
> 1 59441
> 1 59395
> 1 58688
> 1 58450
> 1 58243
> 1 57858
> 1 56047
> 1 56005
> 1 53845
> 1 51430
> 1 5089
> 1 50512
> 1 4835
> 1 4802
> 1 4788
> 1 47764
> 1 4760
> 1 47206
> 1 4645
> 1 45668
> 1 45528
> 1 45223
> 1 44574
> 1 42337
> 1 39906
> 1 39603
> 1 39020
> 1 38248
> 1 37986
> 1 37963
> 1 3790
> 1 36351
> 1 35662
> 1 35193
> 1 3491
> 1 34296
> 1 33934
> 1 33070
> 1 32613
> 1 3261
> 1 31721
> 1 31200
> 1 30217
> 1 30058
> 1 29456
> 1 28719
> 1 26464
> 1 25653
> 1 25233
> 1 25160
> 1 25151
> 1 24863
> 1 24530
> 1 24453
> 1 23974
> 1 23771
> 1 21844
> 1 21243
> 1 20978
> 1 20853
> 1 198885
> 1 18978
> 1 18881
> 1 18429
> 1 17974
> 1 17820
> 1 17672
> 1 17557
> 1 17547
> 1 17501
> 1 17444
> 1 16397
> 1 16276
> 1 15003
> 1 13768
> 1 132510
> 1 131353
> 1 10938
> 1 10029
> 1 10026
>
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security
>counter-measures.
>_______________________________________________
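The disagreement in this thread (Phil reads the repeated /32s as a sign the sources are real; Stephen reads the whois records with no origin AS and no BGP prefix as a sign they are spoofed) comes down to two checks a defender can run over the same source list: is each source announced in BGP at all, and how often does each /32 and each ASN recur. The following Python is an added example, not code from either poster or from Team Cymru; it parses records in the pipe-delimited shape quoted above (including the wrapped two-line form the mail client produced), flags sources that resolve to no origin AS and no prefix, and produces the per-ASN hit table the original post shows. The sample records are constructed for the example; the routed ones use documentation address space and private-use ASNs.

```python
"""Triage a DDoS source list using Cymru-style whois records.

Added example for the nsp-security thread above; not the posters' code.
Record layout assumed from the quoted output:
  AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
"""
from collections import Counter
import ipaddress

FIELDS = ("asn", "ip", "prefix", "cc", "registry", "allocated", "as_name")

# Constructed sample. The first four records mirror the shape of the ones
# quoted in the reply (one of them wrapped across two lines, as in the mail);
# the routed ones use RFC 5737 documentation space and private-use ASNs.
SAMPLE_WHOIS = """\
NA | 2.15.34.45 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.10.154 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.10.154 | NA | FR | ripencc | 2010-07-12 | NA
NA | 2.7.103.133 | NA | FR | ripencc |
2010-07-12 | NA
64512 | 198.51.100.7 | 198.51.100.0/24 | XX | example | 2013-01-01 | EXAMPLE-AS (constructed)
64512 | 198.51.100.9 | 198.51.100.0/24 | XX | example | 2013-01-01 | EXAMPLE-AS (constructed)
64513 | 203.0.113.5 | 203.0.113.0/24 | XX | example | 2013-01-01 | EXAMPLE-AS2 (constructed)
"""


def parse_whois(text):
    """Parse pipe-delimited records into dicts.

    A line that yields fewer than seven fields is treated as the first half of
    a wrapped record and joined with the next line, which is exactly how the
    copy-pasted output in the thread looks."""
    records = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pending = f"{pending} {line}" if pending else line
        parts = [p.strip() for p in pending.split("|")]
        if len(parts) < len(FIELDS):
            continue  # incomplete: wait for the continuation line
        records.append(dict(zip(FIELDS, parts)))
        pending = ""
    return records


def is_unrouted(rec):
    """No origin AS and no BGP prefix means the address was not announced when
    the lookup ran; packets claiming that source are a strong spoofing signal."""
    return rec["asn"] == "NA" and rec["prefix"] == "NA"


def triage(records):
    """Summarise a source list the way the two posters reasoned about it:
    which sources are unrouted, which /32s repeat, and hits per ASN."""
    unrouted = [r["ip"] for r in records if is_unrouted(r)]
    routed = [r for r in records if not is_unrouted(r)]
    per_ip = Counter(r["ip"] for r in records)
    per_asn = Counter(r["asn"] for r in routed)
    # Group unrouted sources by /8, since the post singled out 2/8, 3/8, 4/8.
    per_slash8 = Counter(
        str(ipaddress.ip_network(f"{ip}/8", strict=False)) for ip in unrouted
    )
    return {
        "unrouted": sorted(set(unrouted)),
        "repeat_ips": {ip: n for ip, n in per_ip.items() if n > 1},
        "hits_per_asn": per_asn.most_common(),
        "unrouted_per_slash8": per_slash8.most_common(),
    }


if __name__ == "__main__":
    summary = triage(parse_whois(SAMPLE_WHOIS))
    print("unrouted sources:", summary["unrouted"])
    print("repeating /32s:", summary["repeat_ips"])
    print("Hits ASN")
    for asn, hits in summary["hits_per_asn"]:
        print(f"{hits:>6} {asn}")
    print("unrouted per /8:", summary["unrouted_per_slash8"])
```

Run against a real capture, the two outputs answer the two questions separately: a large `unrouted` share says the sources cannot all be real hosts regardless of how often they repeat, while `repeat_ips` on routed space is the evidence that would support Phil's reading for those ASNs. Stephen's SYN-versus-full-connection question is the third check and needs flow data rather than a whois list.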