Romania – DDoS botnets trash can

Posted by EvolutionCrazy on Dec 7, 2012 in networking

As I’m tired of contacting useless abuse desks (Rackspace is a perfect example of what I consider a useless abuse desk; if you ever got in touch with them I’m sure you know what I mean), I’ll start collecting offending IPs here.

The latest attack went well beyond what’s “reasonable”: it exceeded the 1 million packets per second threshold by a large margin.

So here comes the first batch of *possibly infected* hosts…
I’m sure this list will be useful both for building a banlist and for expanding your botnet with vulnerable hosts…

52 hosts accomplished a short 1M+ pps attack: 226 million DDoS packets in total were processed (dropped) by the firewall, totalling 6.5 gigabytes of traffic.

Times in the reported firewall log lines are CET.

Dec  6 23:24:47 SRC=81.177.157.86 LEN=29 TOS=0x10 PREC=0x00 TTL=57 ID=2857 PROTO=UDP SPT=54267 DPT=10363 LEN=9
Dec  6 23:24:47 SRC=222.35.137.36 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=54688 DPT=49170 LEN=9
Dec  6 23:24:47 SRC=118.175.28.88 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=45343 DPT=45618 LEN=9
Dec  6 23:24:47 SRC=145.108.240.173 LEN=29 TOS=0x10 PREC=0x00 TTL=55 ID=20834 PROTO=UDP SPT=64284 DPT=45097 LEN=9
Dec  6 23:24:47 SRC=156.54.108.45 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=43199 DPT=47447 LEN=9
Dec  6 23:24:47 SRC=184.107.212.130 LEN=29 TOS=0x10 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=35464 DPT=41601 LEN=9
Dec  6 23:24:47 SRC=58.17.30.43 LEN=29 TOS=0x10 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=41127 DPT=532 LEN=9
Dec  6 23:24:47 SRC=184.107.176.2 LEN=29 TOS=0x10 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=35397 DPT=6135 LEN=9
Dec  6 23:24:47 SRC=173.204.47.90 LEN=29 TOS=0x10 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=57234 DPT=15824 LEN=9
Dec  6 23:24:47 SRC=74.86.116.114 LEN=29 TOS=0x10 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=54792 DPT=30393 LEN=9
Dec  6 23:24:47 SRC=195.138.198.208 LEN=29 TOS=0x10 PREC=0x00 TTL=52 ID=18935 PROTO=UDP SPT=58848 DPT=6021 LEN=9
Dec  6 23:24:47 SRC=194.149.154.11 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=51991 DPT=60182 LEN=9
Dec  6 23:24:47 SRC=61.175.253.59 LEN=29 TOS=0x10 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=32848 DPT=14437 LEN=9
Dec  6 23:24:47 SRC=82.135.194.224 LEN=29 TOS=0x10 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=50077 DPT=15957 LEN=9
Dec  6 23:24:47 SRC=217.12.215.215 LEN=29 TOS=0x10 PREC=0x00 TTL=55 ID=47885 PROTO=UDP SPT=6602 DPT=21368 LEN=9
Dec  6 23:24:47 SRC=218.29.222.4 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=41149 DPT=36208 LEN=9
Dec  6 23:24:47 SRC=139.82.24.179 LEN=29 TOS=0x10 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=49876 DPT=40883 LEN=9
Dec  6 23:24:47 SRC=184.82.245.44 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=50100 DPT=57737 LEN=9
Dec  6 23:24:47 SRC=66.132.47.3 LEN=29 TOS=0x10 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=44871 DPT=1331 LEN=9
Dec  6 23:24:47 SRC=107.21.202.117 LEN=29 TOS=0x10 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=56779 DPT=16772 LEN=9
Dec  6 23:24:47 SRC=93.88.6.162 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=39608 DPT=39890 LEN=9
Dec  6 23:24:47 SRC=203.158.223.152 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=60325 DPT=8548 LEN=9
Dec  6 23:24:47 SRC=198.101.252.228 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=39016 DPT=1764 LEN=9
Dec  6 23:24:47 SRC=194.44.123.92 LEN=29 TOS=0x10 PREC=0x00 TTL=58 ID=51376 PROTO=UDP SPT=50396 DPT=49700 LEN=9
Dec  6 23:24:47 SRC=114.34.31.140 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=41229 DPT=7545 LEN=9
Dec  6 23:24:47 SRC=131.247.120.135 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=39882 PROTO=UDP SPT=59865 DPT=39148 LEN=9
Dec  6 23:24:47 SRC=82.144.222.66 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=55678 PROTO=UDP SPT=63341 DPT=18336 LEN=9
Dec  6 23:24:47 SRC=89.237.37.254 LEN=29 TOS=0x10 PREC=0x00 TTL=54 ID=44145 PROTO=UDP SPT=55354 DPT=14988 LEN=9
Dec  6 23:24:47 SRC=80.188.127.134 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 PROTO=UDP SPT=52559 DPT=39412 LEN=9
Dec  6 23:24:47 SRC=183.62.138.55 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=55382 DPT=11511 LEN=9
Dec  6 23:24:47 SRC=63.247.82.100 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=41471 DPT=58283 LEN=9
Dec  6 23:24:47 SRC=83.172.21.22 LEN=29 TOS=0x10 PREC=0x00 TTL=52 ID=35703 PROTO=UDP SPT=26446 DPT=43949 LEN=9
Dec  6 23:24:47 SRC=203.156.196.12 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=34034 DPT=36717 LEN=9
Dec  6 23:24:47 SRC=195.22.232.130 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=40849 PROTO=UDP SPT=60392 DPT=46348 LEN=9
Dec  6 23:24:47 SRC=95.131.69.64 LEN=29 TOS=0x10 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=43309 DPT=10405 LEN=9
Dec  6 23:24:47 SRC=91.222.64.189 LEN=29 TOS=0x10 PREC=0x00 TTL=55 ID=50849 PROTO=UDP SPT=25997 DPT=11544 LEN=9
Dec  6 23:24:47 SRC=121.78.145.72 LEN=29 TOS=0x10 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55705 DPT=19956 LEN=9
Dec  6 23:24:47 SRC=1.223.105.253 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=47195 DPT=45067 LEN=9
Dec  6 23:24:48 SRC=14.32.87.182 LEN=29 TOS=0x10 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=38773 DPT=41837 LEN=9
Dec  6 23:24:48 SRC=175.210.187.221 LEN=29 TOS=0x10 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=55733 DPT=7166 LEN=9
Dec  6 23:24:48 SRC=194.44.237.30 LEN=29 TOS=0x10 PREC=0x00 TTL=58 ID=11654 PROTO=UDP SPT=52883 DPT=23400 LEN=9
Dec  6 23:24:48 SRC=202.143.141.5 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=35101 DPT=52660 LEN=9
Dec  6 23:24:48 SRC=188.92.72.128 LEN=29 TOS=0x10 PREC=0x00 TTL=53 ID=21094 PROTO=UDP SPT=59287 DPT=11819 LEN=9
Dec  6 23:24:48 SRC=187.33.34.114 LEN=29 TOS=0x10 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=42399 DPT=32729 LEN=9
Dec  6 23:24:48 SRC=216.149.178.107 LEN=29 TOS=0x10 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=45068 DPT=10779 LEN=9
Dec  6 23:24:49 SRC=219.118.175.146 LEN=29 TOS=0x10 PREC=0x00 TTL=43 ID=27484 PROTO=UDP SPT=50801 DPT=17777 LEN=9
Dec  6 23:24:49 SRC=84.200.69.69 LEN=29 TOS=0x10 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54995 DPT=41746 LEN=9
Dec  6 23:24:49 SRC=188.92.73.107 LEN=29 TOS=0x10 PREC=0x00 TTL=53 ID=9419 PROTO=UDP SPT=59339 DPT=30163 LEN=9
Dec  6 23:24:49 SRC=188.92.77.66 LEN=29 TOS=0x10 PREC=0x00 TTL=53 ID=60588 PROTO=UDP SPT=53340 DPT=48379 LEN=9
Dec  6 23:24:50 SRC=98.101.221.18 LEN=29 TOS=0x10 PREC=0x00 TTL=53 ID=33306 PROTO=UDP SPT=52568 DPT=31206 LEN=9
Dec  6 23:24:51 SRC=68.171.158.204 LEN=29 TOS=0x10 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=29325 DPT=49341 LEN=9
Dec  6 23:24:53 SRC=64.85.250.196 LEN=29 TOS=0x10 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=43655 DPT=46972 LEN=9

Another, smaller attack:

rx: 305.68 Mbit/s 610312 p/s

This one was just 600k pps 🙂

Jan  2 16:12:41 SRC=198.49.66.168 LEN=29 TOS=0x10 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=55210 DPT=27015 LEN=9
Jan  2 16:12:44 SRC=198.101.203.12 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=38023 DPT=27015 LEN=9
Jan  2 16:12:56 SRC=198.101.252.30 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=58359 DPT=27015 LEN=9
Jan  2 16:13:08 SRC=168.61.24.194 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=1024 DPT=27015 LEN=9
Jan  2 16:13:12 SRC=221.123.170.73 LEN=29 TOS=0x10 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=56326 DPT=27015 LEN=9
Jan  2 16:13:15 SRC=173.0.50.121 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=39243 DPT=27015 LEN=9
Jan  2 16:13:19 SRC=108.61.6.138 LEN=29 TOS=0x10 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=42452 DPT=27015 LEN=9
Jan  2 16:15:03 SRC=108.61.6.138 LEN=29 TOS=0x10 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=51661 DPT=27015 LEN=9
Jan  2 16:15:07 SRC=168.61.24.194 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=1025 DPT=27015 LEN=9
Jan  2 16:15:12 SRC=198.101.203.12 LEN=29 TOS=0x10 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=51425 DPT=27015 LEN=9

Yeah… there’s even a Microsoft IP in there: 168.61.24.194 (168.61.0.0/16 – MSFT-EP). It doesn’t seem to be spoofed and seems to be running Ubuntu (openssh2 on port 22)… no idea whether that network is used for Azure customers or whether it really is a Hotmail/Outlook/MSN IP…

Got attacked by the same IP on 3 December 2012:

Dec  3 01:04:11 SRC=168.61.24.194 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=1024 DPT=20002 LEN=9

Traffic didn’t look spoofed and the TTL was correct… additionally, seeing the same IP attacking twice within a month would be a strange coincidence if they were just spoofing…
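The log lines above are netfilter LOG output, and the two observations the post relies on (one-byte UDP payloads, and a source whose TTL stays stable across attacks) can both be checked mechanically. The following script is an added example, not code from the original post: it parses lines in exactly the format quoted here, aggregates them per source address, checks that the IP total length matches a 20-byte header plus the UDP length, and flags sources whose observed TTLs spread further apart than a single path change could explain. The sample input mixes five lines copied from the post with two constructed lines for 203.0.113.7 (an RFC 5737 documentation address); the TTL tolerance of one hop is an assumed heuristic, not a rule from the post.

```python
import re
from collections import defaultdict

# Layout of the netfilter/iptables LOG lines quoted in the post. The first LEN=
# is the IPv4 total length; the LEN= after PROTO=UDP is the UDP length (8-byte
# header plus payload), so LEN=29 / LEN=9 means a 1-byte UDP payload.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) SRC=(?P<src>[\d.]+) "
    r"LEN=(?P<ip_len>\d+) TOS=0x[0-9A-Fa-f]+ PREC=0x[0-9A-Fa-f]+ TTL=(?P<ttl>\d+) "
    r"ID=\d+(?P<df> DF)? PROTO=(?P<proto>[A-Z]+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r"LEN=(?P<l4_len>\d+)$"
)

IPV4_HEADER_LEN = 20  # minimal IPv4 header, no options
UDP_HEADER_LEN = 8


def parse_line(line):
    """Parse one LOG line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    rec = {
        "ts": g["ts"],
        "src": g["src"],
        "ip_len": int(g["ip_len"]),
        "ttl": int(g["ttl"]),
        "df": g["df"] is not None,
        "proto": g["proto"],
        "spt": int(g["spt"]),
        "dpt": int(g["dpt"]),
        "l4_len": int(g["l4_len"]),
    }
    # Payload size as carried by the UDP length field (None for non-UDP).
    rec["payload_len"] = rec["l4_len"] - UDP_HEADER_LEN if rec["proto"] == "UDP" else None
    return rec


def lengths_consistent(rec):
    """True when the IP total length equals a 20-byte header plus the L4 length."""
    return rec["ip_len"] == IPV4_HEADER_LEN + rec["l4_len"]


def summarize(lines, ttl_tolerance=1):
    """Aggregate parsed lines per source. ttl_tolerance (assumed heuristic):
    TTLs within one hop of each other look like one real host behind a slightly
    varying path; a wide spread suggests several senders behind one spoofed address."""
    per_src = defaultdict(lambda: {"packets": 0, "ttls": set(), "dpts": set(),
                                   "df": set(), "first_seen": None, "last_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a LOG line
        s = per_src[rec["src"]]
        s["packets"] += 1
        s["ttls"].add(rec["ttl"])
        s["dpts"].add(rec["dpt"])
        s["df"].add(rec["df"])
        s["first_seen"] = s["first_seen"] or rec["ts"]
        s["last_seen"] = rec["ts"]
    for s in per_src.values():
        s["ttl_spread"] = max(s["ttls"]) - min(s["ttls"])
        s["ttl_consistent"] = s["ttl_spread"] <= ttl_tolerance
    return dict(per_src)


# Sample input: five lines copied from the post plus two constructed lines for
# 203.0.113.7 (RFC 5737 documentation address) whose TTLs disagree by 70 hops.
SAMPLE_LOG = """\
Dec  3 01:04:11 SRC=168.61.24.194 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=1024 DPT=20002 LEN=9
Jan  2 16:13:08 SRC=168.61.24.194 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=1024 DPT=27015 LEN=9
Jan  2 16:13:19 SRC=108.61.6.138 LEN=29 TOS=0x10 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=42452 DPT=27015 LEN=9
Jan  2 16:15:03 SRC=108.61.6.138 LEN=29 TOS=0x10 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=51661 DPT=27015 LEN=9
Jan  2 16:15:07 SRC=168.61.24.194 LEN=29 TOS=0x10 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=1025 DPT=27015 LEN=9
Jan  2 16:15:20 SRC=203.0.113.7 LEN=29 TOS=0x10 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=40000 DPT=27015 LEN=9
Jan  2 16:15:21 SRC=203.0.113.7 LEN=29 TOS=0x10 PREC=0x00 TTL=120 ID=4242 PROTO=UDP SPT=40001 DPT=27015 LEN=9
"""


def main():
    summary = summarize(SAMPLE_LOG.splitlines())
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        flag = "" if s["ttl_consistent"] else f"  <- TTL spread {s['ttl_spread']}, possible spoofing"
        print(f"{src:16} pkts={s['packets']} ttls={sorted(s['ttls'])} dpts={sorted(s['dpts'])}{flag}")


if __name__ == "__main__":
    main()
```

Run against a full kernel log the per-source table is what you would hand to an abuse desk; a source that appears with stable TTL and DF set across weeks, as 168.61.24.194 does here, is far more likely a real compromised host than a spoofed address, while a source whose TTLs scatter widely is better treated as unreliable for attribution.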

An even smaller attack (30 Mbit/s, 40k pps) targeting the same service, but from just a single host:

Jan  3 15:30:32 SRC=84.200.83.182 LEN=29 TOS=0x10 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=33970 DPT=27015 LEN=9

As usual, log lines are CET.

bite me!
