Educause Security Discussion mailing list archives
Re: MSUDenver seeing potential bot-net DDOS
From: Joseph Tam <tam () MATH UBC CA>
Date: Wed, 3 Apr 2019 15:56:14 -0700
On Wed, 3 Apr 2019, Hart, Michael wrote:
Our institution is being hammered pretty hard right now from a large number of source IPs. We're working with our ISP to sinkhole as many of the sources as possible, but our tools are pretty hamstrung from the flood of traffic until the ISP can stop it from hitting our network. We're in the midst of response, so I don't have a curated list with reputations or heavy analysis, but the heavy hitters are coming from the following list of IPs:
I see IPs from your list, but nothing I would characterize as DDoS. Most recent from 193.106.29.106 -- looks like RDP scans. Maybe they brute force as soon as it hits an open port.

----------------------------------------------------------------------------------
Date  Time       #x  Source IP,port        -> Dest IP,port        proto len flags
----------------------------------------------------------------------------------
Apr 3 02:57:03   1x  193.106.29.106,45027  -> xxxxxxxxx.2,3399    tcp   40  -S
Apr 3 03:12:54   1x  193.106.29.106,45027  -> xxxxxxxxx.1,3399    tcp   40  -S
Apr 3 03:21:38   1x  193.106.29.106,45027  -> xxxxxxxxx.1,3390    tcp   40  -S
Apr 3 03:30:25   1x  193.106.29.106,45027  -> xxxxxxxxx.61,3399   tcp   40  -S
Apr 3 03:39:09   1x  193.106.29.106,45027  -> xxxxxxxxx.23,3399   tcp   40  -S
[... 41 lines removed ...]
Apr 3 13:22:56   1x  193.106.29.106,45027  -> xxxxxxxxx.73,3393   tcp   40  -S
Apr 3 13:24:07   1x  193.106.29.106,45027  -> xxxxxxxxx.65,3400   tcp   40  -S
Apr 3 13:59:06   1x  193.106.29.106,45027  -> xxxxxxxxx.1,3395    tcp   40  -S
Apr 3 15:29:50   1x  193.106.29.106,45027  -> xxxxxxxxx.73,3392   tcp   40  -S
Apr 3 15:38:15   1x  193.106.29.106,45027  -> xxxxxxxxx.3,3393    tcp   40  -S

This IP has been doing it since before Nov/2018.

92.53.65.2,3 last seen Mar 23 13:38:37-Mar 28 21:24:10, similar ports.

185.200.118.83 scanning for proxy ports before Nov 18 10:11:33 until very recently.

190.104.198.230: 2 probes for telnet, Mar 22.

190.145.99.75: isolated probes of http, telnet ports from Jan 20 19:40:08-Apr 2 00:17:52.

Joseph Tam <tam () math ubc ca>
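The distinction drawn in the reply above, a single SYN to each of many hosts and RDP-range ports from one fixed source port (a scan) versus traffic volume that hamstrings the defender's tools (a flood), can be checked mechanically against firewall log lines in the format Joseph posted. The following Python is an added example written for this page, not code from the list or from either poster. The sample log is constructed in that format: the 193.106.29.106 lines are copied from the post, while the 203.0.113.5 and 198.51.100.7 entries are invented using RFC 5737 documentation addresses. The log year (2019, the post date) and the packets-per-second and target-count thresholds are assumptions, not values from the thread.

```python
import re
from datetime import datetime

# Assumption: the log lines carry no year; 2019 is the date of the post.
LOG_YEAR = 2019

# One probe per line, in the format shown in the post:
#   Apr 3 02:57:03 1x 193.106.29.106,45027 -> xxxxxxxxx.2,3399 tcp 40 -S
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<count>\d+)x\s+(?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^,\s]+),(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<len>\d+)\s+(?P<flags>\S+)$"
)

def parse_line(line, year=LOG_YEAR):
    """Return a dict for one probe record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "count": int(d["count"]), "src": d["src"],
            "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
            "proto": d["proto"], "flags": d["flags"]}

def summarize(lines):
    """Aggregate probe records per source IP (separators and headers are skipped)."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["src"], {
            "packets": 0, "targets": set(), "dports": set(), "sports": set(),
            "flags": set(), "first": rec["ts"], "last": rec["ts"]})
        s["packets"] += rec["count"]
        s["targets"].add((rec["dst"], rec["dport"]))
        s["dports"].add(rec["dport"])
        s["sports"].add(rec["sport"])
        s["flags"].add(rec["flags"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return per_src

def classify(per_src, flood_pps=100.0, scan_min_targets=3):
    """Label each source 'flood candidate', 'scan' or 'isolated probe'.

    flood_pps and scan_min_targets are illustrative assumptions, not thresholds
    from the thread; tune them to the link and logging rate you actually have.
    """
    verdicts = {}
    for src, s in per_src.items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        pps = s["packets"] / span
        n_targets = len(s["targets"])
        syn_only = s["flags"] == {"-S"}
        if pps >= flood_pps:
            verdict = "flood candidate"   # volume is the problem, not reach
        elif syn_only and n_targets >= scan_min_targets and s["packets"] / n_targets <= 2:
            verdict = "scan"              # one SYN each to many host/port pairs
        else:
            verdict = "isolated probe"
        notes = []
        if len(s["sports"]) == 1 and n_targets > 1:
            notes.append("fixed source port")   # typical of stateless scanners
        if s["dports"] and all(3389 <= p <= 3400 for p in s["dports"]):
            notes.append("RDP port range")      # 3389 plus the usual nearby alternates
        verdicts[src] = {"verdict": verdict, "pps": round(pps, 3),
                         "targets": n_targets, "notes": notes}
    return verdicts

# Constructed sample: first six lines copied from the post, the rest invented
# with RFC 5737 documentation addresses to show the other two verdicts.
SAMPLE_LOG = """\
----------------------------------------------------------------------------------
Apr 3 02:57:03 1x 193.106.29.106,45027 -> xxxxxxxxx.2,3399 tcp 40 -S
Apr 3 03:12:54 1x 193.106.29.106,45027 -> xxxxxxxxx.1,3399 tcp 40 -S
Apr 3 03:21:38 1x 193.106.29.106,45027 -> xxxxxxxxx.1,3390 tcp 40 -S
Apr 3 03:30:25 1x 193.106.29.106,45027 -> xxxxxxxxx.61,3399 tcp 40 -S
Apr 3 03:39:09 1x 193.106.29.106,45027 -> xxxxxxxxx.23,3399 tcp 40 -S
Apr 3 13:22:56 1x 193.106.29.106,45027 -> xxxxxxxxx.73,3393 tcp 40 -S
Apr 3 14:00:00 350x 203.0.113.5,51342 -> xxxxxxxxx.10,443 tcp 40 -S
Apr 3 14:00:01 410x 203.0.113.5,51343 -> xxxxxxxxx.10,443 tcp 40 -S
Apr 3 14:00:02 390x 203.0.113.5,51344 -> xxxxxxxxx.10,443 tcp 40 -S
Apr 3 11:15:40 1x 198.51.100.7,60001 -> xxxxxxxxx.5,23 tcp 40 -S
""".splitlines()

if __name__ == "__main__":
    for src, v in classify(summarize(SAMPLE_LOG)).items():
        print(f"{src:16} {v['verdict']:16} pps={v['pps']:<9} "
              f"targets={v['targets']:<3} {', '.join(v['notes'])}")
```

The point of splitting the verdict this way is operational: a source that lands in "scan" belongs on a reputation list and a honeypot alert, not on the ISP sinkhole request, whereas "flood candidate" is what you actually want upstream to drop while your own tools are blind.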
Current thread:
- MSUDenver seeing potential bot-net DDOS Hart, Michael (Apr 03)
- Re: MSUDenver seeing potential bot-net DDOS Frank Barton (Apr 03)
- Re: MSUDenver seeing potential bot-net DDOS Frank Barton (Apr 03)
- Re: MSUDenver seeing potential bot-net DDOS Hart, Michael (Apr 03)
- <Possible follow-ups>
- Re: MSUDenver seeing potential bot-net DDOS Joseph Tam (Apr 03)
- Re: MSUDenver seeing potential bot-net DDOS Frank Barton (Apr 03)