Virus Tracker under 1 Gbps DDoS attack

Yesterday one of our Virus Tracker sinkhole servers was under a nice 1 Gbit/s DDoS attack, a combination of ICMP, UDP and TCP floods, for a few minutes. The attack itself would not necessarily have impacted our server; however, the datacenter preventively null-routed the IP for 2 hours. We have not received any claims of responsibility, but it is evident that someone is not happy with our operations.

One source IP, which delivered an 11.4 Mbit/s UDP flood, is a government military IP. This may well be a false positive, though, as source IPs can be spoofed in UDP packets: there are still many ISPs out there that route such spoofed packets outbound from their customers' connections.

We are only aware of one IP that took part in the TCP DDoS attack (all the others participated only in the ICMP and UDP attacks), and it is an active Sality infection. This could be a coincidence, or the Sality operators are angry at us and used their botnet to launch the DDoS attack.

This is a screenshot of 2 days of traffic on the Virus Tracker server in question.

[Screenshot: Ddos 1]

And a screenshot of yesterday's time frame:

[Screenshot: Ddos 2]

Below are details on the top 10 attacker IPs. We have redacted some IPs as we are still investigating and do not want anyone to interfere with that at this point.

 Top 10 flows by bits per second for dst IP: 69.195.129.70
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.067 UDP      178.78.246.45     53  62933     2048    30567  370.2 M
     0.008 TCP       [redacted]    54245     80     2048   255999  281.6 M
   101.264 UDP      204.145.94.87  47446     80   16.4 M   161794  119.1 M
     0.019 ICMP    94.203.140.192      5    0.1     3072   161684   90.5 M
     0.340 UDP       178.47.45.22     53  62933     2048     6023   73.0 M
    98.668 UDP     209.119.225.25     53  12162   421888     4275   51.8 M
   179.829 UDP      162.249.122.2     53  12162   753664     4191   50.8 M
    98.318 UDP     209.122.107.49     53  12162   411648     4186   50.7 M
    98.282 UDP          80.73.1.1     53  12162   387072     3938   47.7 M
    97.400 UDP     216.174.102.25     53  12162   367616     3774   45.7 M

 Top 10 flows by packets per second for dst IP: 69.195.129.70
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.008 TCP       [redacted]    54245     80     2048   255999  281.6 M
   101.264 UDP      204.145.94.87  47446     80   16.4 M   161794  119.1 M
     0.019 ICMP    94.203.140.192      5    0.1     3072   161684   90.5 M
     0.069 ICMP     94.231.13.165      5    0.1     4096    59362   33.2 M
     0.039 ICMP     94.203.96.121      5    0.1     2048    52512   29.4 M
     0.045 ICMP    223.19.249.167      5    0.1     2048    45511   25.5 M
     0.066 UDP       5.175.146.31  21807     53     2048    31030   16.1 M
     0.067 UDP      178.78.246.45     53  62933     2048    30567  370.2 M
     0.243 ICMP    209.55.123.196      5    0.1     6144    25283   14.2 M
     0.088 UDP       [redacted]     9704  35133     2048    23272   11.4 M
 
 Top 10 flows by flows per second for dst IP: 69.195.129.70
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
   101.264 UDP      204.145.94.87  47446     80   16.4 M   161794  119.1 M
   179.829 UDP      162.249.122.2     53  12162   753664     4191   50.8 M
   179.079 UDP    162.242.221.105     53  12162   701440     3916   19.2 M
   179.675 UDP      5.144.137.103     53  12162   474112     2638   32.0 M
    98.668 UDP     209.119.225.25     53  12162   421888     4275   51.8 M
    98.318 UDP     209.122.107.49     53  12162   411648     4186   50.7 M
    98.683 UDP     209.134.54.161     53  12162   410624     4161   23.3 M
    98.281 UDP     162.243.233.43     53  12162   397312     4042    2.5 M
    98.282 UDP          80.73.1.1     53  12162   387072     3938   47.7 M
    97.954 UDP     162.220.11.230     53  12162   375808     3836    2.4 M
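To make sense of listings like the ones above during an incident, it helps to parse the rows and sum bandwidth per attack class. The following is an added example written for this post, not Virus Tracker's own tooling; the classification is an assumed heuristic (UDP arriving from source port 53 is treated as reflected DNS traffic, since a sinkhole sends no DNS queries that would elicit such responses), and the sample rows are copied from the first table above.

```python
import re
from collections import defaultdict

# Unit suffixes used for large counts in the flow listing.
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# One data row: duration, proto, src ip, src port, dst port, packets, pps, bps.
# ICMP rows carry type/code in the port columns; "[redacted]" may replace an IP.
_ROW = re.compile(
    r"^\s*(?P<duration>[\d.]+)\s+(?P<proto>[A-Z]+)\s+(?P<src>\S+)\s+(?P<sp>\S+)\s+(?P<dp>\S+)\s+"
    r"(?P<packets>[\d.]+(?:\s+[KMG])?)\s+(?P<pps>\d+)\s+(?P<bps>[\d.]+(?:\s+[KMG])?)\s*$"
)

def _to_int(field):
    """Turn '16.4 M' or '2048' into an integer count."""
    parts = field.split()
    suffix = parts[1] if len(parts) > 1 else ""
    return int(round(float(parts[0]) * _SUFFIX[suffix]))

def parse_flows(text):
    """Parse the data rows of a 'Top N flows' listing; headers and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            flows.append({"duration": float(m["duration"]), "proto": m["proto"],
                          "src": m["src"], "sport": m["sp"], "dport": m["dp"],
                          "packets": _to_int(m["packets"]), "pps": int(m["pps"]),
                          "bps": _to_int(m["bps"])})
    return flows

def classify(flow):
    """Assumed heuristic: protocol plus source port decides the attack class."""
    if flow["proto"] == "ICMP":
        return "icmp_flood"
    if flow["proto"] == "TCP":
        return "tcp_flood"
    if flow["proto"] == "UDP" and flow["sport"] == "53":
        return "dns_reflection"  # replies from resolvers the sinkhole never queried
    return "udp_flood"

def bps_by_class(flows):
    """Sum bits per second per attack class; tells you what to filter upstream first."""
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f)] += f["bps"]
    return dict(totals)

def reflector_ips(flows):
    """Sources of reflected flows: resolvers being abused, not the attacker itself."""
    return sorted({f["src"] for f in flows
                   if classify(f) == "dns_reflection" and f["src"] != "[redacted]"})

# Rows copied from the post's "Top 10 flows by bits per second" listing.
SAMPLE = """  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.067 UDP      178.78.246.45     53  62933     2048    30567  370.2 M
     0.008 TCP       [redacted]    54245     80     2048   255999  281.6 M
   101.264 UDP      204.145.94.87  47446     80   16.4 M   161794  119.1 M
     0.019 ICMP    94.203.140.192      5    0.1     3072   161684   90.5 M
    98.668 UDP     209.119.225.25     53  12162   421888     4275   51.8 M
"""
```

Running `bps_by_class(parse_flows(SAMPLE))` attributes most of the sampled bandwidth to the reflected DNS flows, which is the class to rate-limit or drop at the edge first.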