Educause Security Discussion mailing list archives

Re: MSUDenver seeing potential bot-net DDOS


From: Joseph Tam <tam () MATH UBC CA>
Date: Wed, 3 Apr 2019 15:56:14 -0700

On Wed, 3 Apr 2019, Hart, Michael wrote:

> Our institution is being hammered pretty hard right now from a large
> number of source IPs.  We're working with our ISP to sinkhole as many
> of the sources as possible, but our tools are pretty hamstrung from the
> flood of traffic until the ISP can stop it from hitting our network.
>
> We're in the midst of response, so I don't have a curated list with
> reputations or heavy analysis, but the heavy hitters are coming from
> the following list of IPs:

I see IPs from your list, but nothing I would characterize as DDoS.

Most recent from 193.106.29.106 -- looks like RDP scans.  Maybe they
brute force as soon as it hits an open port.

        ----------------------------------------------------------------------------------
        Date   Time      #x        Source IP,port -> Dest IP,port          proto len flags
        ----------------------------------------------------------------------------------
        Apr  3 02:57:03  1x  193.106.29.106,45027 -> xxxxxxxxx.2,3399      tcp 40 -S
        Apr  3 03:12:54  1x  193.106.29.106,45027 -> xxxxxxxxx.1,3399      tcp 40 -S
        Apr  3 03:21:38  1x  193.106.29.106,45027 -> xxxxxxxxx.1,3390      tcp 40 -S
        Apr  3 03:30:25  1x  193.106.29.106,45027 -> xxxxxxxxx.61,3399     tcp 40 -S
        Apr  3 03:39:09  1x  193.106.29.106,45027 -> xxxxxxxxx.23,3399     tcp 40 -S
        [... 41 lines removed ...]
        Apr  3 13:22:56  1x  193.106.29.106,45027 -> xxxxxxxxx.73,3393     tcp 40 -S
        Apr  3 13:24:07  1x  193.106.29.106,45027 -> xxxxxxxxx.65,3400     tcp 40 -S
        Apr  3 13:59:06  1x  193.106.29.106,45027 -> xxxxxxxxx.1,3395      tcp 40 -S
        Apr  3 15:29:50  1x  193.106.29.106,45027 -> xxxxxxxxx.73,3392     tcp 40 -S
        Apr  3 15:38:15  1x  193.106.29.106,45027 -> xxxxxxxxx.3,3393      tcp 40 -S

This IP has been doing it since before Nov/2018.

92.53.65.2,3 last seen Mar 23 13:38:37-Mar 28 21:24:10, similar ports.
185.200.118.83 scanning for proxy ports from before Nov 18 10:11:33 until very recently.
190.104.198.230 2 probes for telnet, Mar 22.
190.145.99.75 isolated probes of http, telnet ports from Jan 20 19:40:08-Apr 2 00:17:52.

Joseph Tam <tam () math ubc ca>
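As an added illustration of the distinction Joseph draws above (single SYNs to RDP-range ports every few minutes versus a flood), here is a small parser for the firewall summary format in his excerpt that rates each source by packets per second and by target spread. This is example code written for this page, not from the list or either poster; the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Firewall summary format shown in the post: "Date Time #x Source IP,port -> Dest IP,port proto len flags"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<count>\d+)x\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^\s,]+),(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<len>\d+)\s+(?P<flags>\S+)\s*$"
)

def parse_line(line, year=2019):
    """One log line -> dict, or None when the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "count": int(m["count"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}

def classify_sources(lines, flood_pps=100.0, min_targets=3):
    """Per source IP: packets, packets/sec over the observed window, distinct (host, port)
    targets, and a verdict: 'flood' (high rate), 'scan' (low rate, several targets) or 'other'."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        pkts = sum(r["count"] for r in recs)
        window = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        rate = pkts / max(window, 1.0)  # a burst with one timestamp counts as a 1 s window
        targets = {(r["dst"], r["dport"]) for r in recs}
        verdict = "flood" if rate >= flood_pps else "scan" if len(targets) >= min_targets else "other"
        verdicts[src] = {"packets": pkts, "rate_pps": round(rate, 3),
                         "targets": len(targets), "verdict": verdict}
    return verdicts

# Constructed sample in the same format (documentation-range addresses, not the post's IPs).
SAMPLE_LOG = """\
Apr  3 02:57:03  1x  198.51.100.7,45027 -> 192.0.2.2,3399      tcp 40 -S
Apr  3 03:12:54  1x  198.51.100.7,45027 -> 192.0.2.1,3399      tcp 40 -S
Apr  3 03:21:38  1x  198.51.100.7,45027 -> 192.0.2.1,3390      tcp 40 -S
Apr  3 03:30:25  1x  198.51.100.7,45027 -> 192.0.2.61,3399     tcp 40 -S
Apr  3 03:39:09  1x  198.51.100.7,45027 -> 192.0.2.23,3389     tcp 40 -S
Apr  3 03:40:00  4800x  203.0.113.9,51234 -> 192.0.2.10,80     tcp 40 -S
Apr  3 03:41:00  1x  203.0.113.44,51000 -> 192.0.2.10,443      tcp 40 -S
"""
```

Calling `classify_sources(SAMPLE_LOG.splitlines())` rates the slow RDP-range prober as a scan and the single 4800-packet burst as a flood; the 100 pps and 3-target thresholds are placeholders to be tuned to the link being watched.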
