Educause Security Discussion mailing list archives

Re: MSUDenver seeing potential bot-net DDOS


From: "Hart, Michael" <mhart20 () MSUDENVER EDU>
Date: Wed, 3 Apr 2019 17:22:29 +0000

Thanks, Frank.  We’ll add this to our analysis.  Things are much better here, now.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Wednesday, April 3, 2019 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MSUDenver seeing potential bot-net DDOS

Thank you Mike.

A quick SPLUNKing later, and I'm seeing some traffic (looks like 'spray-and-pray' looking for vulnerabilities)

interesting distribution of destination ports.

On Wed, Apr 3, 2019 at 12:23 PM Hart, Michael <mhart20 () msudenver edu> wrote:
Our institution is being hammered pretty hard right now from a large number of source IPs.  We’re working with our ISP to sinkhole as many of the sources as possible, but our tools are pretty hamstrung from the flood of traffic until the ISP can stop it from hitting our network.

We’re in the midst of response, so I don’t have a curated list with reputations or heavy analysis, but the heavy 
hitters are coming from the following list of IPs:


We’ll keep you updated if we find out more.  Just wanted to share in case you’re seeing any similar traffic.


Mike Hart  | CISO, Director of ITS Security, Infrastructure, and Networking
Metropolitan State University of Denver
Information Technology Services
Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362
Admin Building - 1201 5th Street 480E  Denver, CO 80204
303-615-0541 (Office)
303-352-7548 (Help Desk)
mhart20 () msudenver edu | www.msudenver.edu/technology


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

