Re: MSUDenver seeing potential bot-net DDOS

[Frank Barton <bartonf () HUSSON EDU>]

Thank you Mike.

A quick SPLUNKing later, and I'm seeing some, traffic (looks like
'spray-and-pray' looking for vulnerabilities)

interesting distribution of destination ports.
[image: image.png]

On Wed, Apr 3, 2019 at 12:23 PM Hart, Michael <mhart20 () msudenver edu> wrote:

> Our institution is being hammered pretty hard right now from a large
> number of source IPs.  We’re working with our ISP to sinkhole as many of
> the sources as possible, but our tools are pretty hamstrung from the flood
> of traffic until the ISP can stop if from hitting our network.
>
>
>
> We’re in the midst of response, so I don’t have a curated list with
> reputations or heavy analysis, but the heavy hitters are coming from the
> following list of IPs:
>
>
>
> 12.13.147.195
>
> 134.209.164.39
>
> 142.93.151.87
>
> 149.28.137.69
>
> 159.89.176.225
>
> 172.248.5.200
>
> 177.11.137.4
>
> 177.126.18.199
>
> 185.200.118.83
>
> 188.19.137.210
>
> 190.104.198.230
>
> 190.145.99.75
>
> 193.106.29.106
>
> 201.80.131.158
>
> 206.189.181.12
>
> 207.244.86.222
>
> 66.240.205.34
>
> 92.53.65.2
>
> 92.53.65.3
>
>
>
> We’ll keep you updated if we find out more.  Just wanted to share in case
> you’re seeing any similar traffic.
>
>
>
>
>
> *Mike Hart  | CISO, Director of ITS Security, Infrastructure, and
> Networking*
>
> *Metropolitan State University of Denver Information Technology Services*
> Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362
> Admin Building - 1201 5th Street 480E  Denver, CO 80204
> 303-615-0541 (Office)
> 303-352-7548 (Help Desk)
> mhart20 () msudenver edu | www.msudenver.edu/technology
>
>
>
> [image: University_Formal_2CPos184x]


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University