[nsp-sec] >37,000 Drone large botnet
Phil Rosenthal
pr at isprime.com
Wed Mar 6 21:37:50 EST 2013
Yes, I saw that too, but a very small number of IPs are "NA" compared to the entire list of 37,000.
We are seeing a limited number of full connections, but due to the nature of the huge size of the attack, and the fact that it's a very small customer with weak equipment, confirming huge numbers of 3-way connections would be impractical.
-Phil
On Mar 6, 2013, at 9:03 PM, Stephen Gill <gillsr at cymru.com> wrote:
> I'm guessing spoofed with a pseudo-consistent source algo, though it would
> be good to confirm with the would-be victim list.
>
> Is the attack TCP SYN, or are you seeing any full connections established?
>
> The reason is these look fishy:
>
> NA | 2.15.34.45 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.15.45.8 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.10.154 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.102.50 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.103.133 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.106.100 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.107.71 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.11.12 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.114.186 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.15.164 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.16.182 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.18.58 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.19.156 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.19.76 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.20.14 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.201.152 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.21.192 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.21.32 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.22.210 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.22.50 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.221.112 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.24.169 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.25.184 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.25.24 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.26.122 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.28.78 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.30.34 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.31.132 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.40.134 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.42.170 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.43.108 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.44.214 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.48.118 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.49.216 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.57.120 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.59.76 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.6.82 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.62.1 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.69.16 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.69.176 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.7.180 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.7.20 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.71.212 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.74.186 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.74.26 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.75.124 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.75.44 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.78.178 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.8.118 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.8.198 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.8.38 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.89.56 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.9.136 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.9.216 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.9.56 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.90.74 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.91.172 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.94.146 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.95.70 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.96.22 | NA | FR | ripencc | 2010-07-12 | NA
> NA | 2.7.97.40 | NA | FR | ripencc | 2010-07-12 | NA
>
>
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.team-cymru.org | +1 (847) 378-3323 | gillsr at cymru.com
>
>
>
>
> On 3/6/13 6:54 PM, "Phil Rosenthal" <pr at isprime.com> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> Hello all,
>>
>> We've got a DDoS going against one of our customers at this time.
>>
>> *We are having no problem filtering the attack within our network, so
>> please DO NOT blackhole anything on ISPrime's network.*
>>
>> We are posting this merely to help the community eliminate a large and
>> dangerous botnet.
>>
>>
>> This Botnet seems to be very intelligent/adaptive.
>> We have discovered that the attack stops when we kill the webserver on
>> the victim IP, but quickly starts back up again after restarting the
>> webserver, and further that when we have filters in place to mitigate the
>> attack, it levels out to only about 1Gbps (just to be annoying I guess?),
>> but when the filters are removed, the attack increases to larger than
>> 16Gbps.
>>
>> The source IPs of the attack seem to be slowly rolling through a huge
>> list, so each drone seems to remain idle for several minutes at a time,
>> while others are carrying on the attack -- I assume to minimize
>> disruption to the attack source networks and minimize the risk of
>> detection.
>>
>> Also interesting is the huge number of IP addresses in 2.0.0.0/8,
>> 3.0.0.0/8 and 4.0.0.0/8. Initially we believed the attack to be spoofed,
>> but because of the high frequency of specific /32's within those /8's, we
>> now believe that the attack is not spoofed (but would love evidence to
>> the contrary).
>>
>> Attached to this email is a list of all IPs we have detected so far
>> (though we know there are more IPs we have not yet detected due to this
>> rolling nature). Perhaps we will post a follow-up later on if we are
>> able to detect significant new IP addresses.
>>
>>
>> We would love commentary from responsible parties for the below ASNs to
>> confirm that you do in fact see attack behavior.
>> The attack is TCP/80 SYN (varying sizes, 40, 44, and also some >1000 byte
>> SYN packets), UDP/80
>> Victim IP is 64.111.213.29
>>
>> Since we have effectively filtered the attack, we are seeing the attack
>> only very sporadically now -- approximately 20 seconds every 5 minutes,
>> so you would probably have to look at historical graphs for this anomaly.
>>
>> The list of ASNs we see in this attack is (first number is number of
>> hits, second number is ASN, sorted from most to least):
>> Hits ASN
>> 15780 3215
>> 7398 12576
>> 4466 30722
>> 1775 44957
>> 979 3257
>> 725 80
>> 370 20940
>> 329 31377
>> 324 44034
>> 301 3320
>> 292 1273
>> 288 29355
>> 266 5607
>> 254 3356
>> 239 5384
>> 238 1299
>> 232 41440
>> 221 12400
>> 197 13285
>> 193 5511
>> 161 6762
>> 156 3269
>> 151 12874
>> 144 3292
>> 130 4436
>> 113 25019
>> 111 3243
>> 110 4837
>> 109 4134
>> 100 6799
>> 85 12880
>> 72 3301
>> 68 286
>> 64 8402
>> 61 NA
>> 54 12638
>> 52 3549
>> 47 3209
>> 46 16232
>> 44 44178
>> 40 16625
>> 29 44244
>> 28 9158
>> 26 9198
>> 26 3352
>> 23 21788
>> 21 48159
>> 20 2119
>> 17 3216
>> 17 24608
>> 16 6739
>> 16 34164
>> 12 9808
>> 9 4812
>> 8 4847
>> 7 8997
>> 7 4808
>> 6 58313
>> 6 56465
>> 6 4538
>> 6 15600
>> 5 9318
>> 5 4766
>> 5 20825
>> 5 197043
>> 4 50810
>> 4 38283
>> 4 3786
>> 4 35819
>> 4 12222
>> 3 9394
>> 3 8966
>> 3 719
>> 3 6939
>> 3 42689
>> 3 35805
>> 3 29247
>> 3 24445
>> 3 23650
>> 3 17621
>> 3 12683
>> 2 9803
>> 2 6813
>> 2 56046
>> 2 56041
>> 2 5410
>> 2 49687
>> 2 45899
>> 2 44050
>> 2 40676
>> 2 37943
>> 2 35908
>> 2 29761
>> 2 29691
>> 2 29286
>> 2 28802
>> 2 2856
>> 2 24400
>> 2 24085
>> 2 20454
>> 2 18450
>> 2 18403
>> 2 17816
>> 2 17638
>> 2 12332
>> 1 Bulk
>> 1 9845
>> 1 9801
>> 1 9272
>> 1 9116
>> 1 8708
>> 1 8473
>> 1 7643
>> 1 7506
>> 1 7018
>> 1 61408
>> 1 59703
>> 1 59581
>> 1 59441
>> 1 59395
>> 1 58688
>> 1 58450
>> 1 58243
>> 1 57858
>> 1 56047
>> 1 56005
>> 1 53845
>> 1 51430
>> 1 5089
>> 1 50512
>> 1 4835
>> 1 4802
>> 1 4788
>> 1 47764
>> 1 4760
>> 1 47206
>> 1 4645
>> 1 45668
>> 1 45528
>> 1 45223
>> 1 44574
>> 1 42337
>> 1 39906
>> 1 39603
>> 1 39020
>> 1 38248
>> 1 37986
>> 1 37963
>> 1 3790
>> 1 36351
>> 1 35662
>> 1 35193
>> 1 3491
>> 1 34296
>> 1 33934
>> 1 33070
>> 1 32613
>> 1 3261
>> 1 31721
>> 1 31200
>> 1 30217
>> 1 30058
>> 1 29456
>> 1 28719
>> 1 26464
>> 1 25653
>> 1 25233
>> 1 25160
>> 1 25151
>> 1 24863
>> 1 24530
>> 1 24453
>> 1 23974
>> 1 23771
>> 1 21844
>> 1 21243
>> 1 20978
>> 1 20853
>> 1 198885
>> 1 18978
>> 1 18881
>> 1 18429
>> 1 17974
>> 1 17820
>> 1 17672
>> 1 17557
>> 1 17547
>> 1 17501
>> 1 17444
>> 1 16397
>> 1 16276
>> 1 15003
>> 1 13768
>> 1 132510
>> 1 131353
>> 1 10938
>> 1 10029
>> 1 10026
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>
>
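The thread turns on one question: are the sources spoofed or real drones? The two signals discussed are the "NA" rows in Team Cymru IP-to-ASN output (no announced BGP prefix, so the address cannot complete a handshake) and the repetition of specific /32s (which looked like real hosts but is equally consistent with a spoofer drawing from a fixed list). The script below is an added example, not code from the thread or from ISPrime or Team Cymru. It parses whois output in the quoted format (AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name), builds the same "Hits ASN" table Phil posted, lists the unrouted sources, and reports the repeat ratio. The whois lines and SYN source list are constructed samples using RFC 5737 documentation addresses, not the real attack data.

```python
"""Triage a captured list of DDoS source addresses against Team Cymru
IP-to-ASN whois output. Added example; all sample data below is constructed."""

from collections import Counter
import ipaddress

# Constructed sample in Team Cymru bulk whois output format. "NA" in the AS
# and BGP Prefix columns means no announced prefix covered the address.
SAMPLE_WHOIS = """\
AS      | IP            | BGP Prefix      | CC | Registry | Allocated  | AS Name
3215    | 192.0.2.10    | 192.0.2.0/24    | FR | ripencc  | 2010-07-12 | EXAMPLE-A
3215    | 192.0.2.77    | 192.0.2.0/24    | FR | ripencc  | 2010-07-12 | EXAMPLE-A
12576   | 198.51.100.5  | 198.51.100.0/24 | GB | ripencc  | 2009-01-01 | EXAMPLE-B
NA      | 203.0.113.9   | NA              | FR | ripencc  | 2010-07-12 | NA
NA      | 203.0.113.200 | NA              | FR | ripencc  | 2010-07-12 | NA
"""

# Constructed sample: source address of each SYN seen in a sampled window,
# in arrival order. Duplicates stand in for the "high frequency of specific
# /32s" observed in the thread.
SAMPLE_SYN_SOURCES = [
    "192.0.2.10", "192.0.2.10", "192.0.2.77", "198.51.100.5",
    "192.0.2.10", "203.0.113.9", "192.0.2.77", "203.0.113.9",
    "203.0.113.200", "198.51.100.5",
]


def parse_cymru(text):
    """Parse whois output into {ip: {"asn", "prefix", "cc"}}; skips the header."""
    records = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 7 or fields[0] == "AS":
            continue
        asn, ip, prefix, cc = fields[0], fields[1], fields[2], fields[3]
        records[ip] = {"asn": asn, "prefix": prefix, "cc": cc}
    return records


def hits_by_asn(sources, whois):
    """Per-ASN hit counts in the shape of the 'Hits ASN' table in the thread.
    Sources with no whois record are counted under 'NA'."""
    counts = Counter(whois.get(ip, {}).get("asn", "NA") for ip in sources)
    return counts.most_common()


def unrouted_sources(sources, whois):
    """Distinct sources whose address sat in no announced BGP prefix. Such a
    packet can reach the victim, but the victim's SYN-ACK has no route back,
    so these sources can never complete a handshake: the strongest spoofing
    evidence available from the list alone."""
    return sorted(
        ip for ip in set(sources)
        if whois.get(ip, {}).get("prefix", "NA") == "NA"
    )


def repeat_share(sources):
    """Fraction of hits from addresses seen more than once. Repetition made
    the attack look unspoofed, but a spoofer cycling through a fixed list of
    fake sources produces the same signature, so on its own this does not
    settle the question; observed full connections do."""
    counts = Counter(sources)
    repeated = sum(n for n in counts.values() if n > 1)
    return repeated / len(sources) if sources else 0.0


def hits_by_block(sources, prefixlen=8):
    """Hits per enclosing block (default /8), to expose concentrations like
    the 2.0.0.0/8, 3.0.0.0/8 and 4.0.0.0/8 clusters described in the thread."""
    counts = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        for ip in sources
    )
    return counts.most_common()


def triage(sources, whois_text):
    """Summarise a captured source list against its whois lookups."""
    whois = parse_cymru(whois_text)
    unrouted = unrouted_sources(sources, whois)
    return {
        "hits_by_asn": hits_by_asn(sources, whois),
        "unrouted": unrouted,
        "unrouted_share": len(unrouted) / len(set(sources)),
        "repeat_share": repeat_share(sources),
        "hits_by_8": hits_by_block(sources, 8),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SYN_SOURCES, SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

On real data, feed the distinct source list through Team Cymru's bulk whois service and the per-packet source list from flow records or a packet capture; the ratio of unrouted sources is the number to put beside the "full connections" observation when deciding how much weight to give the per-ASN table before contacting the listed ASNs.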