[botnets] Fwd from NANOG: Reflection Attack- 69.80.239.50

2007-11-20 Thread Peter Dambier
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
Well, I did a grep through my log but
I did not find them.

Kind regards
Peter and Karin Dambier

 Original Message 
Return-Path: <[EMAIL PROTECTED]>
From: mack <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tue, 20 Nov 2007 11:02:34 -0600
Subject: Reflection Attack- 69.80.239.50
Thread-Topic: Reflection Attack- 69.80.239.50
Thread-Index: AcgrMP/hT1m/PgWJT6Wp6CkOGviIjAAZfl4w
Message-ID: <[EMAIL PROTECTED]>

I apologize if this is off topic.
Currently the IP 69.80.239.50 is the victim of a reflection attack.

Many operators may be seeing what appears to be a syn attack generated by this IP.
These are actually spoofed packets hitting an open port designed to generate a syn-ack packet at the victim server.

This attack was originally a standard syn attack which has lasted since the 13th.
On Saturday the 17th we moved the victim server to a new ip behind a firewall.

Yesterday, Monday the 19th at approximately 3PM the attack changed to a reflection attack of greatly increased magnitude.
We have rate limited syn-ack packets hitting the firewall to reduce backscatter of reset packets.

Anyone seeing a stream of packets that appears to be improperly sourced from 69.80.239.50 is asked to contact us if they believe they can help us track back the perpetrators.

Any assistance that can be rendered is appreciated.
This includes direction to another forum that may be able to offer assistance.

As there are approximately 102,000 reflectors being used please do not contact us unless you can help us trace this back or provide substantial assistance.
We are currently overwhelmed by abuse complaints this has generated.

The attack has now doubled in size and may be considerably more than 102k reflectors.


LR Mack McBride
Network Administrator
Alpha Red, Inc.

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/

___
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
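
The check the forwarded message asks operators to make, as an added example that is not part of either post: it counts bare SYNs and RST backscatter claiming source 69.80.239.50 in a firewall log. The iptables LOG line format, the constructed sample lines and the function names are assumptions.

```python
import re
from collections import Counter

VICTIM = "69.80.239.50"  # spoofed source address named in the message

# Constructed sample in iptables LOG format (assumed log source, not real traffic).
SAMPLE_LOG = """\
Nov 20 11:00:01 gw kernel: IN=eth0 OUT= SRC=69.80.239.50 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4411 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 20 11:00:01 gw kernel: IN=eth0 OUT= SRC=69.80.239.50 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4412 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 20 11:00:02 gw kernel: IN=eth0 OUT= SRC=69.80.239.50 DST=192.0.2.11 LEN=40 PROTO=TCP SPT=9001 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 20 11:00:02 gw kernel: IN=eth0 OUT= SRC=69.80.239.50 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4411 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Nov 20 11:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 20 11:00:04 gw kernel: IN=eth0 OUT= SRC=69.80.239.50 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAGS = re.compile(r"RES=0x[0-9a-fA-F]+ ((?:[A-Z]+ )*)URGP=")


def parse(line):
    """Return the fields of a logged TCP packet, or None for anything else."""
    fields = dict(FIELD.findall(line))
    flags = FLAGS.search(line)
    if fields.get("PROTO") != "TCP" or flags is None:
        return None
    fields["FLAGS"] = frozenset(flags.group(1).split())
    return fields


def reflector_summary(log_text, victim=VICTIM):
    """Count packets claiming to come from `victim`: bare SYNs per local
    service (the spoofed half of the reflection) and RSTs (the backscatter
    the victim sends when the SYN-ACK reaches it)."""
    syns, rsts = Counter(), 0
    for line in log_text.splitlines():
        pkt = parse(line)
        if pkt is None or pkt["SRC"] != victim:
            continue
        if pkt["FLAGS"] == {"SYN"}:
            syns[(pkt["DST"], int(pkt["DPT"]))] += 1
        elif "RST" in pkt["FLAGS"]:
            rsts += 1
    return {"syn_total": sum(syns.values()),
            "syn_by_service": dict(syns),
            "rst_backscatter": rsts}


if __name__ == "__main__":
    print(reflector_summary(SAMPLE_LOG))
```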


[botnets] LEO on list

2007-11-20 Thread J. Oquendo
Any LEO within NY/NJ/CT please shoot me an email offlist or someone
onlist with a trustworthy contact please get in touch. TIA



J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

"I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent." Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E


