Educause Security Discussion mailing list archives
Re: MSUDenver seeing potential bot-net DDOS
From: "Hart, Michael" <mhart20 () MSUDENVER EDU>
Date: Wed, 3 Apr 2019 17:22:29 +0000
Thanks, Frank. We’ll add this to our analysis. Things are much better here, now.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Wednesday, April 3, 2019 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MSUDenver seeing potential bot-net DDOS

Thank you Mike. A quick SPLUNKing later, and I'm seeing some traffic (looks like 'spray-and-pray' looking for vulnerabilities), interesting distribution of destination ports.

On Wed, Apr 3, 2019 at 12:23 PM Hart, Michael <mhart20 () msudenver edu> wrote:

Our institution is being hammered pretty hard right now from a large number of source IPs. We’re working with our ISP to sinkhole as many of the sources as possible, but our tools are pretty hamstrung from the flood of traffic until the ISP can stop it from hitting our network.

We’re in the midst of response, so I don’t have a curated list with reputations or heavy analysis, but the heavy hitters are coming from the following list of IPs:

We’ll keep you updated if we find out more. Just wanted to share in case you’re seeing any similar traffic.

Mike Hart | CISO, Director of ITS Security, Infrastructure, and Networking
Metropolitan State University of Denver
Information Technology Services
Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362
Admin Building - 1201 5th Street 480E Denver, CO 80204
303-615-0541 (Office)
303-352-7548 (Help Desk)
mhart20 () msudenver edu | www.msudenver.edu/technology

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University