[nsp-sec] Large mirai-variant - null routing and cleanup requested
Smith, Donald
Donald.Smith at CenturyLink.com
Wed Dec 6 11:35:09 EST 2017
My netflow report for the scanning of just those two ports showed over 400K unique IPs (based just on the dst ports and removing src 80 and 443 to remove FPs).
We did a DBHF, which in theory would still allow one-way/inbound (UDP) type communication, but this is TCP.
Is anyone doing SBHF and DBHF or ACLs to drop all traffic?
Thanks to Mike for getting the word out, and proactively going after this beast.
If anyone did anything OTHER than DBHF I would be interested to know what you did and why; unicast would be fine.
if (initial_ttl!=255) then (rfc5082_compliant==0)
Donald.Smith at centurylink.com
________________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Bruns, Daniel [DBruns at Cogentco.com]
Sent: Wednesday, December 06, 2017 4:58 AM
To: RuthAnne Bevier; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Large mirai-variant - null routing and cleanup requested
----------- nsp-security Confidential --------
Null routed at AS174.
-----Original Message-----
From: nsp-security [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of RuthAnne Bevier
Sent: Tuesday, December 05, 2017 8:14 PM
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Large mirai-variant - null routing and cleanup requested
----------- nsp-security Confidential --------
On Tue, Dec 05, 2017 at 05:06:20PM -0800, Barry Greene wrote:
> > On Dec 5, 2017, at 4:52 PM, Benjamin, Mike <Mike.Benjamin at centurylink.com> wrote:
> >
> > Due to the swift nature with which this botnet was built and its large size, we've decided to pre-emptively null route the C2 hosted at 95.211.123[.]69. This null route is active in AS3356, 209 and 3549.
>
> If you can, please Ack to the list when you Null route.
Null routed at AS31.
--RuthAnne
--
RuthAnne Bevier
Chief Information Security Officer
California Institute of Technology
626 395 2671
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
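The netflow heuristic Donald describes above (count unique source IPs hitting the scanned destination ports, dropping flows sourced from ports 80 and 443 because those are usually web-server replies to clients whose ephemeral port happened to match) can be reproduced over flow records. The code below is an added example, not from the thread or from CenturyLink; the two scan ports are assumed placeholders (the thread does not name them), and the flow records are constructed sample data.

```python
from collections import Counter
from typing import Dict, Iterable, NamedTuple


class Flow(NamedTuple):
    """One unidirectional flow record, as exported by netflow/IPFIX collectors."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Assumed placeholder for "those two ports"; the thread does not name them.
SCAN_PORTS = frozenset({23, 2323})
# Flows sourced from these ports are treated as web replies, not scans (FP filter).
REPLY_SRC_PORTS = frozenset({80, 443})


def scanning_sources(flows: Iterable[Flow],
                     scan_ports=SCAN_PORTS,
                     reply_src_ports=REPLY_SRC_PORTS) -> Dict[str, int]:
    """Return {src_ip: matching_flow_count} for TCP flows aimed at a scan port.

    A flow is excluded when its source port is 80/443: that is a server replying
    to a client whose ephemeral port collided with a scan port, not a scanner.
    """
    hits: Counter = Counter()
    for f in flows:
        if f.proto != "tcp" or f.dst_port not in scan_ports:
            continue
        if f.src_port in reply_src_ports:
            continue
        hits[f.src_ip] += 1
    return dict(hits)


def unique_scanner_count(flows: Iterable[Flow]) -> int:
    """The number the report quotes: distinct sources after the FP filter."""
    return len(scanning_sources(flows))


# Constructed sample flows (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 51234, "203.0.113.5", 23, "tcp"),
    Flow("198.51.100.10", 51235, "203.0.113.6", 2323, "tcp"),
    Flow("198.51.100.11", 40000, "203.0.113.7", 23, "tcp"),
    Flow("192.0.2.80", 80, "203.0.113.8", 2323, "tcp"),      # web reply, dropped
    Flow("192.0.2.81", 443, "203.0.113.9", 23, "tcp"),       # TLS reply, dropped
    Flow("198.51.100.12", 12345, "203.0.113.10", 22, "tcp"),  # not a scan port
    Flow("198.51.100.13", 53, "203.0.113.11", 23, "udp"),     # not TCP
]
```

Running `unique_scanner_count(SAMPLE_FLOWS)` on the constructed records yields 2, since only the two ephemeral-port TCP sources survive the filter.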