[nsp-sec] 26, 468 attacking hosts in dst udp/80 DDoS against chiark.greenend.org.uk (212.13.197.229)

[James A. T. Rice]

Hi Folks,

This didn't cause us any problems, so please don't respond by blackholing 
the destination or anything like that.

A few hours ago on 2014-09-28, at 1856UTC (below dates/times are in BST / 
UTC+1), there was a just over 2Gbps DDoS of udp dst port 80 against 
chiark.greenend.org.uk (famous for PuTTY etc), if you'd like to check for 
flows across your network, please use the nfsen filter:
"dst host 212.13.197.229 and dst port 80 and proto udp"

The sources do not seem to be spoofed, so if you're in the following list 
of ASns (sorted by amount of traffic received), please have a look at the 
attached file list of sources by IP address.

As well as cleaning up any attacking hosts on your network, any insight 
into the command and and control channels / what botnet / type of 
infection this is would be appreciated.

Thanks
James


AS4837	2014-09-28	19:56:22.352	26.4G
AS6503	2014-09-28	19:56:21.727	25.7G
AS13127	2014-09-28	19:56:21.881	8.1G
AS4134	2014-09-28	19:56:21.936	3.2G
AS4808	2014-09-28	19:56:25.461	3.0G
AS11426	2014-09-28	19:56:28.108	2.2G
AS4780	2014-09-28	19:56:28.411	1.9G
AS28573	2014-09-28	19:56:23.591	1.4G
AS10796	2014-09-28	19:56:22.352	1.1G
AS701	2014-09-28	19:56:23.683	965.1M
AS22773	2014-09-28	19:56:21.996	815.6M
AS27745	2014-09-28	19:56:23.402	670.1M
AS4713	2014-09-28	19:56:22.037	565.1M
AS11427	2014-09-28	19:56:22.940	558.1M
AS18566	2014-09-28	19:56:26.154	508.1M
AS4788	2014-09-28	19:56:26.561	496.2M
AS42610	2014-09-28	19:56:27.802	481.4M
AS11398	2014-09-28	19:56:29.849	429.8M
AS2518	2014-09-28	19:56:21.838	346.7M
AS841	2014-09-28	19:56:27.354	306.2M
AS2119	2014-09-28	19:56:25.540	301.8M
AS852	2014-09-28	19:56:27.002	286.7M
AS4721	2014-09-28	19:56:28.024	261.8M
AS12741	2014-09-28	19:56:26.195	224.7M
AS8151	2014-09-28	19:56:27.857	222.8M
AS11351	2014-09-28	19:56:29.965	200.7M
AS15808	2014-09-28	19:56:27.672	188.9M
AS21826	2014-09-28	19:56:21.727	175.4M
AS45365	2014-09-28	19:56:28.149	172.5M
AS17839	2014-09-28	19:56:27.947	165.6M
AS27953	2014-09-28	19:56:22.991	156.8M
AS20960	2014-09-28	19:56:28.481	156.5M
AS9689	2014-09-28	19:56:28.603	130.7M
AS28908	2014-09-28	19:56:28.683	127.4M
AS42362	2014-09-28	19:56:26.195	126.4M
AS8866	2014-09-28	19:56:27.014	118.9M
AS9981	2014-09-28	19:56:28.441	117.0M
AS2379	2014-09-28	19:56:23.902	112.6M
AS9569	2014-09-28	19:56:23.401	105.3M
AS9762	2014-09-28	19:56:23.437	104.0M
AS1680	2014-09-28	19:56:27.761	102.9M
AS9770	2014-09-28	19:56:30.001	101.0M
AS18126	2014-09-28	19:56:25.457	99.9M
AS17809	2014-09-28	19:56:28.058	73.1M
AS4804	2014-09-28	19:56:26.985	68.7M
AS28719	2014-09-28	19:56:28.017	67.7M
AS22561	2014-09-28	19:56:26.920	62.3M
AS9443	2014-09-28	19:56:26.942	61.9M
AS9676	2014-09-28	19:56:27.013	59.4M
AS12332	2014-09-28	19:56:28.278	58.3M
AS39045	2014-09-28	19:56:23.194	57.8M
AS18313	2014-09-28	19:56:28.018	57.8M
AS7623	2014-09-28	19:56:27.768	57.6M
AS45510	2014-09-28	19:56:28.205	57.2M
AS22995	2014-09-28	19:56:22.957	53.1M
AS38669	2014-09-28	19:56:27.980	51.4M
AS21804	2014-09-28	19:56:27.607	47.5M
AS38091	2014-09-28	19:56:27.980	46.9M
AS5466	2014-09-28	19:56:26.249	46.4M
AS10175	2014-09-28	19:56:27.765	43.8M
AS6730	2014-09-28	19:56:26.508	42.4M
AS4922	2014-09-28	19:56:27.574	41.8M
AS7690	2014-09-28	19:56:29.968	41.4M
AS10834	2014-09-28	19:56:23.941	41.4M
AS8371	2014-09-28	19:56:27.038	38.8M
AS13118	2014-09-28	19:56:28.603	35.9M
AS2497	2014-09-28	19:56:26.943	34.5M
AS17974	2014-09-28	19:56:27.573	33.9M
AS24863	2014-09-28	19:56:27.826	33.0M
AS10164	2014-09-28	19:56:27.769	32.4M
AS17676	2014-09-28	19:56:26.495	32.0M
AS47187	2014-09-28	19:56:23.866	31.2M
AS24321	2014-09-28	19:56:24.232	30.6M
AS17849	2014-09-28	19:56:28.302	26.7M
AS43801	2014-09-28	19:56:23.894	26.5M
AS6855	2014-09-28	19:56:26.878	26.2M
AS45411	2014-09-28	19:56:25.500	25.4M
AS18168	2014-09-28	19:56:25.993	23.7M
AS12705	2014-09-28	19:56:28.381	22.4M
AS6871	2014-09-28	19:56:23.308	21.5M
AS9797	2014-09-28	19:56:28.196	21.0M
AS17573	2014-09-28	19:56:27.764	20.8M
AS14754	2014-09-28	19:56:23.217	20.7M
AS7524	2014-09-28	19:56:30.042	20.2M
AS5089	2014-09-28	19:56:21.845	20.0M
AS51469	2014-09-28	19:56:27.578	19.8M
AS7600	2014-09-28	19:56:22.134	19.6M
AS4538	2014-09-28	19:56:29.970	19.5M
AS29695	2014-09-28	19:56:27.611	18.6M
AS24916	2014-09-28	19:56:29.917	18.1M
AS47398	2014-09-28	19:56:27.052	18.1M
AS25490	2014-09-28	19:56:25.985	17.3M
AS3301	2014-09-28	19:56:23.002	16.4M
AS15600	2014-09-28	19:56:26.600	15.9M
AS6471	2014-09-28	19:56:26.322	15.8M
AS7562	2014-09-28	19:56:27.765	15.8M
AS54759	2014-09-28	19:56:29.913	15.6M
AS45374	2014-09-28	19:56:27.761	14.9M
AS48431	2014-09-28	19:56:27.859	14.5M
AS38951	2014-09-28	19:56:26.967	14.4M
AS34245	2014-09-28	19:56:27.040	12.7M
AS51074	2014-09-28	19:56:24.286	12.5M
AS19114	2014-09-28	19:56:22.528	12.4M
AS45224	2014-09-28	19:56:28.445	12.2M
AS56833	2014-09-28	19:56:27.622	12.1M
AS29614	2014-09-28	19:56:27.851	11.9M
AS58127	2014-09-28	19:56:27.572	11.5M
AS35141	2014-09-28	19:56:28.453	11.5M
AS52561	2014-09-28	19:56:26.014	11.5M
AS24626	2014-09-28	19:56:23.186	11.5M
AS27775	2014-09-28	19:56:25.884	11.1M
AS12683	2014-09-28	19:56:26.105	10.7M
AS10697	2014-09-28	19:56:22.879	9.8M
AS27409	2014-09-28	19:56:27.732	8.5M
AS41822	2014-09-28	19:56:27.102	8.4M
AS23889	2014-09-28	19:56:28.531	8.3M
AS3239	2014-09-28	19:56:28.202	8.0M
AS29032	2014-09-28	19:56:27.675	8.0M
AS2516	2014-09-28	19:56:28.408	7.8M
AS12494	2014-09-28	19:56:26.882	7.7M
AS4766	2014-09-28	19:56:29.693	7.7M
AS3582	2014-09-28	19:56:27.680	7.4M
AS2529	2014-09-28	19:56:29.667	7.4M
AS17955	2014-09-28	19:56:24.252	7.3M
AS25187	2014-09-28	19:56:27.806	7.1M
AS1785	2014-09-28	19:56:26.791	7.0M
AS35891	2014-09-28	19:56:26.887	7.0M
AS36947	2014-09-28	19:56:27.659	6.9M
AS10001	2014-09-28	19:56:27.024	6.4M
AS45528	2014-09-28	19:56:26.991	6.3M
AS37109	2014-09-28	19:56:27.947	6.2M
AS43939	2014-09-28	19:56:27.138	6.0M
AS11172	2014-09-28	19:56:26.248	5.2M
AS22927	2014-09-28	19:56:25.798	5.0M
AS55699	2014-09-28	19:56:27.714	5.0M
AS39824	2014-09-28	19:56:23.181	5.0M
AS2519	2014-09-28	19:56:27.096	4.9M
AS37006	2014-09-28	19:56:28.024	4.8M
AS56017	2014-09-28	19:56:29.888	4.8M
AS35518	2014-09-28	19:56:27.566	4.7M
AS1044	2014-09-28	19:56:27.762	4.5M
AS29465	2014-09-28	19:56:31.781	4.3M
AS137	2014-09-28	19:56:27.037	4.1M
AS6147	2014-09-28	19:56:25.347	4.1M
AS0	2014-09-28	19:56:27.093	3.9M
AS15468	2014-09-28	19:56:27.140	3.9M
AS38809	2014-09-28	19:56:27.003	3.9M
AS9354	2014-09-28	19:56:26.049	3.8M
AS33934	2014-09-28	19:56:26.197	3.8M
AS2828	2014-09-28	19:56:27.855	3.7M
AS8681	2014-09-28	19:56:23.064	3.7M
AS27828	2014-09-28	19:56:23.200	3.6M
AS42431	2014-09-28	19:56:29.776	3.6M
AS209	2014-09-28	19:56:30.009	3.5M
AS13489	2014-09-28	19:56:23.410	3.5M
AS51408	2014-09-28	19:56:27.035	3.5M
AS61382	2014-09-28	19:56:26.602	3.5M
AS27792	2014-09-28	19:56:26.010	3.5M
AS160	2014-09-28	19:56:28.533	3.4M
AS36917	2014-09-28	19:56:27.897	3.3M
AS45536	2014-09-28	19:56:27.246	3.3M
AS47262	2014-09-28	19:56:27.807	3.3M
AS24889	2014-09-28	19:56:27.128	3.3M
AS577	2014-09-28	19:56:27.730	3.3M
AS12414	2014-09-28	19:56:27.678	3.2M
AS36908	2014-09-28	19:56:27.716	3.2M
AS12513	2014-09-28	19:56:29.969	3.1M
AS7018	2014-09-28	19:56:30.064	3.1M
AS10226	2014-09-28	19:56:27.929	3.1M
AS6739	2014-09-28	19:56:24.386	3.0M
AS5669	2014-09-28	19:56:26.564	3.0M
AS8591	2014-09-28	19:56:22.091	3.0M
AS1385	2014-09-28	19:56:27.128	2.9M
AS31094	2014-09-28	19:56:28.180	2.9M
AS9325	2014-09-28	19:56:25.714	2.9M
AS9942	2014-09-28	19:56:25.476	2.9M
AS3243	2014-09-28	19:56:29.924	2.9M
AS16058	2014-09-28	19:56:28.681	2.8M
AS50868	2014-09-28	19:56:26.992	2.8M
AS34875	2014-09-28	19:56:28.129	2.8M
AS47169	2014-09-28	19:56:27.045	2.6M
AS45334	2014-09-28	19:56:26.583	2.6M
AS44814	2014-09-28	19:56:26.944	2.6M
AS30783	2014-09-28	19:56:27.675	2.5M
AS59325	2014-09-28	19:56:27.262	2.4M
AS2200	2014-09-28	19:56:28.091	2.4M
AS548	2014-09-28	19:56:26.656	2.3M
AS3316	2014-09-28	19:56:27.272	2.3M
AS38457	2014-09-28	19:56:29.753	2.2M
AS17665	2014-09-28	19:56:28.027	2.2M
AS33763	2014-09-28	19:56:27.926	2.1M
AS38571	2014-09-28	19:56:30.006	1.9M
AS33762	2014-09-28	19:56:29.885	1.9M
AS9381	2014-09-28	19:56:26.446	1.9M
AS9394	2014-09-28	19:56:27.896	1.8M
AS13999	2014-09-28	19:56:27.188	1.5M
AS45048	2014-09-28	19:56:30.005	1.5M
AS20619	2014-09-28	19:56:28.396	1.4M
AS42232	2014-09-28	19:56:27.233	1.3M
AS1679	2014-09-28	19:56:27.248	1.1M
AS1251	2014-09-28	19:56:27.979	1.1M
AS45714	2014-09-28	19:56:28.213	1.0M
AS23679	2014-09-28	19:56:24.233	1.0M
AS1363	2014-09-28	19:56:27.680	969084
AS8820	2014-09-28	19:56:31.085	918008
AS18051	2014-09-28	19:56:27.270	916218
AS668	2014-09-28	19:56:27.076	899762
AS10068	2014-09-28	19:56:30.068	895656
AS20836	2014-09-28	19:56:29.833	878148
AS12618	2014-09-28	19:56:28.335	873072
AS24550	2014-09-28	19:56:27.860	862696
AS58447	2014-09-28	19:56:23.997	852610
AS58945	2014-09-28	19:56:26.506	820353
AS13227	2014-09-28	19:56:27.666	697400
AS58303	2014-09-28	19:56:27.568	641244
AS24193	2014-09-28	19:56:27.567	532980
AS9583	2014-09-28	19:56:27.773	528229
AS17483	2014-09-28	19:56:29.773	501670
AS23682	2014-09-28	19:56:29.938	495768
AS1318	2014-09-28	19:56:27.138	492412
AS58912	2014-09-28	19:56:27.252	478646
AS49759	2014-09-28	19:56:27.823	476544
AS3253	2014-09-28	19:56:27.075	463354
AS18002	2014-09-28	19:56:31.339	441738
AS58405	2014-09-28	19:56:25.531	438550
AS1700	2014-09-28	19:56:26.426	421263
AS35310	2014-09-28	19:56:30.066	421008
AS11081	2014-09-28	19:56:23.667	412012
AS55879	2014-09-28	19:56:29.830	403318
AS45415	2014-09-28	19:56:43.710	382194
AS876	2014-09-28	19:56:34.930	276913
AS12874	2014-09-28	19:56:27.066	238784
AS45166	2014-09-28	19:56:29.653	156774
AS50316	2014-09-28	19:56:29.828	119350
AS27947	2014-09-28	19:56:26.646	70723
AS10929	2014-09-28	19:56:27.579	69700
AS24940	2014-09-28	19:56:27.245	43361
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2014-09-29-chiark-dos.txt.gz
Type: application/octet-stream
Size: 492665 bytes
Desc: 
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20140929/1b580719/attachment-0001.obj>