[nsp-sec] Hijacked DNS Flows towards 85.255.112.0/24 (ASN 36445)
Stephen Gill
gillsr at cymru.com
Mon Feb 25 10:28:54 EST 2008
Doesn't seem to have changed much since the post on Sept 23, 2007 here
except for the Origin ASN:
[ ... ]
The last brief audit we did looking for rogue DNS servers in that neck of
the woods (August 26, 2007) we found the following:
count  prefix            as
    1  81.95.148.0/22    40989 (RBN)
    5  69.31.80.0/21     26627 (Pilosoft)
   17  69.31.52.0/23     26627 (Pilosoft)
   55  85.255.113.0/24   27595 (Intercage)
   56  64.28.176.0/20    27595 (Intercage)
  110  69.50.160.0/19    27595 (Intercage)
  131  85.255.116.0/23   27595 (Intercage)
  181  85.255.114.0/23   27595 (Intercage)
  194  216.255.176.0/20  27595 (Intercage)
  222  85.255.112.0/24   26627 (Pilosoft)
--
Stephen Gill, Research Fellow, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
[ ... ]
On 2/25/08 8:17 AM, "White, Gerard" <Gerard.White at aliant.ca> wrote:
> ----------- nsp-security Confidential --------
>
> Greetings
>
> After a 96 hr "analysis", it's _easier_ to list the /32's in this /24
> that are NOT involved in Hijacked DNS Flows:
>
> 3 other prefixes coming from 27595:
>
> 85.255.113.0/24
> 85.255.114.0/23
> 85.255.116.0/23 (only the 85.255.116.0/24 subnet is fausty)
>
> Have their share of /32's as well, but nothing _close_ to the density of
> flows towards 85.255.112.0/24
>
> Computing the Evil ratio for this 85.255.112.0/24 prefix is left as an
> exercise for the reader ;)
>
> GW
> 855 - Bell Aliant
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com