[nsp-sec] Recent 20 Gbps microburst DoS attack
J. Chambers
jchambers at ucla.edu
Fri Dec 22 11:48:14 EST 2017
On 12/22/17 01:56, Damian Menscher wrote:
> You didn't mention the source port, but I'm fairly certain this was a
> botnet attack, not amplification. For evidence, I'll note that
> competent amplification would typically result in full-frame packets,
> but your packets were all 1365 octets, which is a leet number when you
> subtract off the 20-byte IP header and the 8-byte UDP header. ;)
>
That's clever; funny leet. The source port was different for each
source IP and only a few were reused. I've attached the full set of
flows gzipped if you're interested.
I probably wasn't clear enough on the attack type and times:
The DoS was UDP Port 80 targeting our main website www.ucla.edu
(164.67.228.152), technically it hit the load-balancer VM and caused it
to crash as well. It started at 2017-12-18 23:49 UTC and ended about
2017-12-19 00:56. The peak of the attack was from 23:49 to 23:56.
--Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UDP_DoS_2017-12-18T23_full_flows.txt.gz
Type: application/gzip
Size: 202987 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20171222/2a3ce199/attachment.gz>
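The following is an added example, not part of the original message or of the attached flow file. It shows one way to check exported flow records for the two signals discussed in this thread: the UDP payload size and the spread of source ports. The CSV column layout, the sample rows and the function name are assumptions made for illustration, and byte counts are assumed to be IP-layer totals.

```python
import csv
import io
from collections import Counter

# Constructed sample flows (documentation addresses); the column layout is an assumption.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
198.51.100.7,41822,192.0.2.10,80,17,1000,1365000
198.51.100.9,50211,192.0.2.10,80,17,800,1092000
203.0.113.4,33907,192.0.2.10,80,17,1200,1638000
203.0.113.88,41822,192.0.2.10,80,17,500,682500
198.51.100.200,52144,192.0.2.10,443,6,12,9400
"""

IP_HEADER = 20   # bytes, IPv4 without options
UDP_HEADER = 8   # bytes
# UDP services commonly abused as reflectors: chargen, DNS, NTP, CLDAP, SSDP, memcached
REFLECTOR_PORTS = {19, 53, 123, 389, 1900, 11211}


def summarize_udp_flood(flow_csv, dst_ip, dst_port):
    """Summarize UDP flows toward one target: payload sizes and source-port spread."""
    payload_sizes = Counter()   # payload size -> packet count
    src_ports = Counter()       # source port -> flow count
    sources = set()
    total_packets = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "17" or row["dst_ip"] != dst_ip or int(row["dst_port"]) != dst_port:
            continue
        packets, size = int(row["packets"]), int(row["bytes"])
        if packets == 0:
            continue
        # Flow records carry totals, so this is the mean IP packet size of the flow.
        mean_ip_len = size // packets
        payload_sizes[mean_ip_len - IP_HEADER - UDP_HEADER] += packets
        src_ports[int(row["src_port"])] += 1
        sources.add(row["src_ip"])
        total_packets += packets
    if total_packets == 0:
        return None
    flows = sum(src_ports.values())
    reflector_flows = sum(n for p, n in src_ports.items() if p in REFLECTOR_PORTS)
    top_payload, top_count = payload_sizes.most_common(1)[0]
    return {
        "sources": len(sources),
        "distinct_src_ports": len(src_ports),
        "reflector_port_share": reflector_flows / flows,
        "dominant_payload": top_payload,
        "dominant_payload_share": top_count / total_packets,
    }
```

A reflector-port share near zero combined with one dominant, less-than-full-frame payload size matches the botnet reading given in the quoted reply; a share near one with a single well-known source port would point to amplification instead.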