[nsp-sec] Attacks towards AS15594, Sipgate
宫一鸣
gongyiming at 360.cn
Fri Oct 24 06:49:27 EDT 2014
Of the 3 blocks, I see 217.10.64.0/24 having a spike around 1am today (GMT+8), mainly a UDP SSDP attack going to 217.10.68.147 on its port 80.
I have also attached a diagram which shows the spike.
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes Flows
2014-10-24 00:59:41.000 0.000 UDP 1.202.43.148:1900 -> 217.10.68.147:80 ...... 16 1 350 1
2014-10-24 00:59:42.000 0.000 UDP 1.202.74.85:1900 -> 217.10.68.147:80 ...... 0 1 356 1
2014-10-24 00:59:42.000 0.000 UDP 1.202.102.200:1900 -> 217.10.68.147:80 ...... 0 1 362 1
2014-10-24 00:59:45.000 0.000 UDP 1.202.11.27:1900 -> 217.10.68.147:80 ...... 16 1 284 1
2014-10-24 00:59:40.000 6.000 UDP 1.202.98.6:1900 -> 217.10.68.147:80 ...... 0 2 678 1
2014-10-24 00:59:47.000 0.000 UDP 1.202.64.217:1900 -> 217.10.68.147:80 ...... 0 1 284 1
2014-10-24 00:59:48.000 0.000 UDP 1.202.86.12:1900 -> 217.10.68.147:80 ...... 0 1 334 1
2014-10-24 00:59:48.000 0.000 UDP 217.10.68.147:80 -> 1.202.1.238:1900 ...... 0 1 122 1
2014-10-24 00:59:49.000 0.000 UDP 1.202.106.2:1900 -> 217.10.68.147:80 ...... 0 1 310 1
2014-10-24 00:59:52.000 0.000 UDP 1.202.49.119:1900 -> 217.10.68.147:80 ...... 1 1 332 1
2014-10-24 00:59:53.000 0.000 UDP 217.10.68.147:80 -> 1.202.74.85:1900 ...... 0 1 122 1
2014-10-24 00:59:53.000 0.000 UDP 1.202.116.244:1900 -> 217.10.68.147:80 ...... 0 1 320 1
2014-10-24 00:59:54.000 0.000 UDP 1.202.6.117:1900 -> 217.10.68.147:80 ...... 0 1 348 1
2014-10-24 00:59:57.000 0.000 UDP 1.202.63.82:1900 -> 217.10.68.147:80 ...... 16 1 332 1
2014-10-24 00:59:59.000 0.000 UDP 1.202.63.130:1900 -> 217.10.68.147:80 ...... 0 1 276 1
2014-10-24 01:00:01.000 0.000 UDP 1.202.80.213:1900 -> 217.10.68.147:80 ...... 16 1 364 1
2014-10-24 01:00:01.000 0.000 UDP 1.202.119.239:1900 -> 217.10.68.147:80 ...... 16 1 310 1
2014-10-24 01:00:04.000 0.000 UDP 1.202.79.249:1900 -> 217.10.68.147:80 ...... 1 1 310 1
2014-10-24 01:00:04.000 0.000 UDP 1.202.9.45:1900 -> 217.10.68.147:80 ...... 16 1 356 1
2014-10-24 01:00:05.000 0.000 UDP 1.202.80.153:1900 -> 217.10.68.147:80 ...... 16 1 368 1
2014-10-24 01:00:05.000 0.000 UDP 1.202.0.110:1900 -> 217.10.68.147:80 ...... 0 1 320 1
2014-10-24 01:00:06.000 0.000 UDP 1.202.79.221:1900 -> 217.10.68.147:80 ...... 0 1 339 1
2014-10-24 01:00:06.000 0.000 UDP 217.10.68.147:80 -> 1.202.64.217:1900 ...... 0 1 122 1
2014-10-24 01:00:08.000 0.000 UDP 1.202.102.67:1900 -> 217.10.68.147:80 ...... 0 1 330 1
2014-10-24 01:00:10.000 0.000 UDP 1.202.63.82:1900 -> 217.10.68.147:80 ...... 0 1 356 1
2014-10-24 00:59:57.000 13.000 UDP 1.202.108.13:1900 -> 217.10.68.147:80 ...... 16 2 698 1
2014-10-24 01:00:14.000 0.000 UDP 1.202.111.254:1900 -> 217.10.68.147:80 ...... 0 1 344 1
2014-10-24 01:00:16.000 0.000 UDP 1.202.72.95:1900 -> 217.10.68.147:80 ...... 0 1 356 1
2014-10-24 01:00:16.000 0.000 UDP 1.202.85.179:1900 -> 217.10.68.147:80 ...... 0 1 348 1
2014-10-24 01:00:19.000 0.000 UDP 1.202.108.104:1900 -> 217.10.68.147:80 ...... 16 1 364 1
2014-10-24 01:00:18.000 0.000 UDP 1.202.103.145:1900 -> 217.10.68.147:80 ...... 16 1 332 1
2014-10-24 01:00:19.000 0.000 UDP 217.10.68.147:80 -> 219.237.160.64:1900 ...... 0 1 122 1
2014-10-24 01:00:18.000 0.000 UDP 1.202.71.7:1900 -> 217.10.68.147:80 ...... 16 1 356 1
2014-10-24 01:00:04.000 18.000 UDP 1.202.67.214:1900 -> 217.10.68.147:80 ...... 16 2 688 1
2014-10-24 01:00:21.000 0.000 UDP 1.202.97.48:1900 -> 217.10.68.147:80 ...... 16 1 332 1
2014-10-24 01:00:21.000 0.000 UDP 1.202.102.121:1900 -> 217.10.68.147:80 ...... 0 1 330 1
2014-10-24 01:00:23.000 0.000 UDP 1.202.40.105:1900 -> 217.10.68.147:80 ...... 16 1 368 1
2014-10-24 00:59:58.000 28.000 UDP 1.202.78.41:1900 -> 217.10.68.147:80 ...... 1 2 678 1
2014-10-24 01:00:24.000 0.000 UDP 1.202.11.199:1900 -> 217.10.68.147:80 ...... 16 1 364 1
2014-10-24 01:00:02.000 22.000 UDP 1.202.79.249:1900 -> 217.10.68.147:80 ...... 39 2 678 1
2014-10-24 01:00:26.000 0.000 UDP 1.202.1.238:1900 -> 217.10.68.147:80 ...... 16 1 348 1
2014-10-24 01:00:27.000 0.000 UDP 1.202.101.71:1900 -> 217.10.68.147:80 ...... 16 1 284 1
2014-10-24 01:00:29.000 0.000 UDP 217.10.68.147:80 -> 219.236.200.111:1900 ...... 0 1 122 1
2014-10-24 01:00:32.000 0.000 UDP 1.202.61.158:1900 -> 217.10.68.147:80 ...... 0 1 340 1
2014-10-24 01:00:32.000 0.000 UDP 1.202.0.21:1900 -> 217.10.68.147:80 ...... 16 1 332 1
2014-10-24 01:00:35.000 0.000 UDP 1.202.79.19:1900 -> 217.10.68.147:80 ...... 0 1 310 1
2014-10-24 01:00:35.000 0.000 UDP 1.202.60.49:1900 -> 217.10.68.147:80 ...... 16 1 330 1
2014-10-24 01:00:36.000 0.000 UDP 1.202.55.12:1900 -> 217.10.68.147:80 ...... 0 1 344 1
2014-10-24 01:00:38.000 0.000 UDP 1.202.6.117:1900 -> 217.10.68.147:80 ...... 0 1 364 1
2014-10-24 01:00:38.000 0.000 UDP 1.202.75.54:1900 -> 217.10.68.147:80 ...... 0 1 335 1
2014-10-24 01:00:41.000 0.000 UDP 1.202.103.50:1900 -> 217.10.68.147:80 ...... 0 1 284 1
2014-10-24 01:00:48.000 0.000 UDP 1.202.64.108:1900 -> 217.10.68.147:80 ...... 16 1 330 1
2014-10-24 01:00:47.000 0.000 UDP 1.202.80.153:1900 -> 217.10.68.147:80 ...... 16 1 356 1
2014-10-24 01:00:32.000 18.000 UDP 1.202.72.75:1900 -> 217.10.68.147:80 ...... 16 2 678 1
2014-10-24 01:00:49.000 0.000 UDP 1.202.72.95:1900 -> 217.10.68.147:80 ...... 0 1 330 1
2014-10-24 01:00:49.000 0.000 UDP 1.202.67.39:1900 -> 217.10.68.147:80 ...... 0 1 310 1
2014-10-24 01:00:50.000 0.000 UDP 1.202.77.219:1900 -> 217.10.68.147:80 ...... 0 1 356 1
2014-10-24 01:00:52.000 0.000 UDP 217.10.68.147:80 -> 1.202.41.157:1900 ...... 0 1 122 1
2014-10-24 01:00:53.000 0.000 UDP 1.202.52.40:1900 -> 217.10.68.147:80 ...... 0 1 337 1
2014-10-24 01:00:27.000 27.000 UDP 1.202.81.203:1900 -> 217.10.68.147:80 ...... 16 2 640 1
2014-10-24 01:00:54.000 0.000 UDP 1.202.76.39:1900 -> 217.10.68.147:80 ...... 16 1 356 1
2014-10-24 01:00:55.000 0.000 UDP 1.202.97.48:1900 -> 217.10.68.147:80 ...... 16 1 348 1
On Oct 24, 2014, at 6:03 PM, Dominik Bay <db at rrbone.net> wrote:
> ----------- nsp-security Confidential --------
> On 10/24/2014 11:54 AM, 宫一鸣 wrote:
>> Besides the AS, got any target IPs or netblocks?
> You are right, I missed that in my first mail:
> 82.116.96.0/19
> 217.10.64.0/20
> 217.116.112.0/20
> Those are the networks which have been attacked. At the moment there is
> little/no attack traffic.
> Kind regards,
> Dominik
> --
> rrbone UG (haftungsbeschraenkt) - Leibnizstr. 8a - 44147 Dortmund
> HR B 23168 Dortmund District Court - Managing Director: Dominik Bay
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Regards
宫一鸣
Network Security Research Institute
Qihoo 360
Phone: 56821858
Email: gongyiming at 360.cn
Website: www.360.cn
Address: B1-7F, Building 2, No. 6 Jiuxianqiao Road, Chaoyang District, Beijing
Postal code: 100025
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spike.png
Type: image/png
Size: 36876 bytes
Desc: spike.png
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20141024/3cfca92d/attachment-0001.png>
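The following Python script is an added example, not code from the original post, from 360 or from the nsp-security list. It parses nfdump-style flow lines like the dump in the message above and turns them into an SSDP reflection report per target: distinct reflector IPs (the list you would send to the reflectors' abuse contacts), flows, packets, bytes and average bytes per packet, plus the flows the target host sends back towards port 1900. The column layout (nfdump's default "line" output), UDP source port 1900 as the SSDP signature, and the min_reflectors threshold are assumptions of this example; the six sample lines are copied from the dump above.

```python
"""
Added example, not code from the original post or from any list member: parse
nfdump-style flow lines such as the dump above and summarise SSDP reflection
traffic per target. Assumptions: nfdump's default column layout, UDP source
port 1900 as the SSDP signature, and the min_reflectors threshold.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed column layout (nfdump default "line" format):
# Date first seen, Duration, Proto, Src IP:Port -> Dst IP:Port, Flags, Tos, Packets, Bytes, Flows
FLOW_RE = re.compile(
    r"^(?P<date>\S+\s+\S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<tos>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)
SSDP_PORT = 1900

# Sample input: six lines copied from the flow dump in the post above.
SAMPLE_FLOWS = """\
2014-10-24 00:59:41.000 0.000 UDP 1.202.43.148:1900 -> 217.10.68.147:80 ...... 16 1 350 1
2014-10-24 00:59:42.000 0.000 UDP 1.202.74.85:1900 -> 217.10.68.147:80 ...... 0 1 356 1
2014-10-24 00:59:42.000 0.000 UDP 1.202.102.200:1900 -> 217.10.68.147:80 ...... 0 1 362 1
2014-10-24 00:59:45.000 0.000 UDP 1.202.11.27:1900 -> 217.10.68.147:80 ...... 16 1 284 1
2014-10-24 00:59:40.000 6.000 UDP 1.202.98.6:1900 -> 217.10.68.147:80 ...... 0 2 678 1
2014-10-24 00:59:48.000 0.000 UDP 217.10.68.147:80 -> 1.202.1.238:1900 ...... 0 1 122 1
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


def parse_flow(line: str) -> Optional[Flow]:
    """Return a Flow for one nfdump line, or None for header/blank/unparseable lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                int(m["pkts"]), int(m["bytes"]))


def parse_flows(text: str) -> List[Flow]:
    return [f for f in (parse_flow(l) for l in text.splitlines()) if f is not None]


def ssdp_reflection_summary(flows: List[Flow], min_reflectors: int = 3) -> Dict[str, dict]:
    """Group UDP flows whose *source* port is 1900 by destination IP.
    One target receiving such flows from many distinct hosts is the reflection
    signature; the host spoofing the victim's address never appears in these flows."""
    acc = defaultdict(lambda: {"reflectors": set(), "flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.sport != SSDP_PORT:
            continue
        t = acc[f.dst]
        t["reflectors"].add(f.src)
        t["flows"] += 1
        t["packets"] += f.packets
        t["bytes"] += f.bytes
    report = {}
    for dst, t in acc.items():
        if len(t["reflectors"]) < min_reflectors:
            continue
        report[dst] = {
            "reflectors": sorted(t["reflectors"]),  # what to hand to the reflectors' abuse contacts
            "flows": t["flows"],
            "packets": t["packets"],
            "bytes": t["bytes"],
            "avg_bytes_per_packet": t["bytes"] / t["packets"],
        }
    return report


def return_traffic(flows: List[Flow], target: str) -> List[Flow]:
    """Flows the target itself sends back towards port 1900 (the 122-byte lines in the dump)."""
    return [f for f in flows if f.src == target and f.dport == SSDP_PORT]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, r in ssdp_reflection_summary(flows).items():
        print(f"{dst}: {len(r['reflectors'])} reflectors, {r['flows']} flows, "
              f"{r['packets']} pkts, {r['bytes']} bytes, {r['avg_bytes_per_packet']:.0f} B/pkt")
    for f in return_traffic(flows, "217.10.68.147"):
        print(f"return: {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.bytes} bytes")
```

On the six sample lines this reports 217.10.68.147 with five reflectors, 6 packets and 2030 bytes, and one return flow. Two practical caveats: the 1.202.x.x hosts are open SSDP responders answering queries sent with the victim's spoofed source address, so the report to their network is "open SSDP responder", not "attacker"; and because the spoofing source is upstream of the reflectors, the only flows visible here are reflector-to-victim, so tracing the real origin needs flow data from the networks that carried the spoofed M-SEARCH requests into the reflectors.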