[nsp-sec] DDoS help for Freenode
Dave Monnier
dmonnier at cymru.com
Mon Feb 3 17:15:05 EST 2014
Team,
The folks at Freenode have requested help in stopping a ~10Gb UDP-based
attack affecting them. They ask that people willing to help look for
UDP attack traffic going to the servers in this list to ID compromised
web servers.
Additionally, if people are interested in filtering UDP to those IPs, the
help is appreciated.
Lastly, the controller is here:
hXXp://tcp.mn/h.txt
AS | IP | AS Name
50613 | 82.221.102.179 | THORDC-AS THOR Data Center ehf
CERT-IS has been notified but if anyone has a direct contact and can get
the control script taken down that would be great. Even better, if
anyone can pull the logs for the script we can start notifying on the
compromised servers.
Thanks!
-Dave
--
Dave Monnier
Team Cymru Fellow
https://www.team-cymru.org/
PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc