[nsp-sec] DoS attack to 164.67.228.152

Damian Menscher damian at google.com
Tue Jul 28 11:37:10 EDT 2020


That sounds like a spoofed synflood from a single source, not a serious
botnet attack (which would have been 1000 times larger).  Best approach is
to ask your upstream to determine which link the packets ingressed, and
chase it back that way.  Once the source network has been identified, their
upstream should apply filters to prevent their customer from sending more
spoofed packets.

Worth fixing any gear that falls over under such a minor attack... in
general you should avoid stateful devices at the network level.

Damian

On Tue, Jul 28, 2020 at 8:28 AM JASON CHAMBERS <jchambers at ucla.edu> wrote:

> ----------- nsp-security Confidential --------
>
> Hello all,
>
>
> Over the weekend we experienced a brief DoS attack to our main site
> www.ucla.edu (164.67.228.152).  It lasted a few hours and peaked about 60
> Mbps / 150k pps, during which it overflowed the state table in the ASA
> fronting that site.  Small event by NSP measurements but maybe of interest
> to some.
>
>
> Rough start/stop times (UTC):
>
> 2020-07-26 22:00 to 2020-07-27 01:30
>
>
> Attack signature:
>
> SYN Flood, 52 byte packets.  ~260k unique Source IPs.
>
>
> If you turn up anything mildly interesting we'd enjoy hearing about it.
>
>
> Thanks,
>
> --Jason
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
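As an added example (not code from the thread or either poster), the Python below profiles packet summaries for the signature Jason describes and shows why a stateful firewall in front of the target runs out of state: the target address, 52-byte SYNs and ~150k pps come from his report, while the 30 s half-open timeout, the detection thresholds and all sample traffic are constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

TARGET = "164.67.228.152"          # address from the report
ASSUMED_HALF_OPEN_TIMEOUT_S = 30   # assumption: firewall embryonic-connection timeout

def build_sample(n_flood=2000, n_legit=50):
    """Constructed (src, dst, length, flags) records: spoofed 52-byte SYNs from n_flood
    distinct sources plus n_legit clients that complete the handshake."""
    pkts = []
    base = int(ip_address("10.0.0.0"))            # constructed source range
    for i in range(n_flood):
        pkts.append((str(ip_address(base + i)), TARGET, 52, "S"))
    for i in range(n_legit):
        src = f"192.0.2.{i}"                        # RFC 5737 documentation range
        pkts += [(src, TARGET, 60, "S"), (src, TARGET, 52, "A"), (src, TARGET, 1500, "PA")]
    return pkts

def profile(pkts, dst, window_s):
    """Aggregate SYNs to dst over a window_s-second window (assumes at least one SYN)."""
    flags_by_src, syn_sizes = defaultdict(set), Counter()
    for src, d, length, flags in pkts:
        if d != dst:
            continue
        flags_by_src[src].add(flags)
        if flags == "S":
            syn_sizes[length] += 1
    syns = sum(syn_sizes.values())
    # A source that only ever sent a SYN never finished a handshake, exactly what
    # spoofed addresses look like: the SYN-ACK goes to someone who never asked.
    half_open_srcs = sum(1 for f in flags_by_src.values() if f == {"S"})
    top_size, top_count = syn_sizes.most_common(1)[0]
    return {
        "unique_sources": len(flags_by_src),
        "syn_pps": syns / window_s,
        "mbps": sum(l * c for l, c in syn_sizes.items()) * 8 / window_s / 1e6,
        "dominant_syn_size": top_size,
        "size_uniformity": top_count / syns,
        "half_open_fraction": half_open_srcs / len(flags_by_src),
    }

def is_spoofed_syn_flood(stats, min_sources=1000):
    """Heuristic: many sources, almost none completing, near-uniform SYN size."""
    return (stats["unique_sources"] >= min_sources and stats["half_open_fraction"] > 0.9
            and stats["size_uniformity"] > 0.9)

def flood_budget(syn_pps, pkt_bytes, timeout_s=ASSUMED_HALF_OPEN_TIMEOUT_S):
    """Bandwidth the flood needs (Mbps) and half-open entries a stateful device must
    hold at steady state (arrival rate x entry lifetime until the timeout evicts it)."""
    return syn_pps * pkt_bytes * 8 / 1e6, syn_pps * timeout_s
```

Feeding the reported 150k pps of 52-byte SYNs into `flood_budget` gives about 62 Mbps, matching the ~60 Mbps observed, and 4.5 million half-open entries under the assumed timeout, which is why a state table fills long before any link is saturated.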
