[nsp-sec] Hijacked DNS Flows towards 85.255.112.0/24 (ASN 36445)
Smith, Donald
Donald.Smith at qwest.com
Mon Feb 25 10:44:50 EST 2008
I have no explanation for it, but on 2/17/08 85.255.112.* had zero DNS
(UDP port 53) flow records in my netflow.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> White, Gerard
> Sent: Monday, February 25, 2008 8:17 AM
> To: NSP-SEC
> Subject: [nsp-sec] Hijacked DNS Flows towards 85.255.112.0/24
> (ASN 36445)
>
> ----------- nsp-security Confidential --------
>
> Greetings
>
> After a 96 hr "analysis", it's _easier_ to list the /32's in this /24
> that are NOT involved in Hijacked DNS Flows:
>
> 3 other prefixes coming from 27595:
>
> 85.255.113.0/24
> 85.255.114.0/23
> 85.255.116.0/23 (only the 85.255.116.0/24 subnet is faulty)
>
> Have their share of /32's as well, but nothing _close_ to the
> density of flows towards 85.255.112.0/24
>
> Computing the Evil ratio for this 85.255.112.0/24 prefix is left as an
> exercise for the reader ;)
>
> GW
>
> 855 - Bell Aliant
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
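The "exercise for the reader" carried through as an added example, not code from either poster: the script parses constructed flow records (src, dst, proto, dport), counts UDP/53 flows per /32 inside a prefix, computes the Evil ratio as the share of the prefix's addresses that received such flows, and collapses the uninvolved hosts into "a - b" ranges in the style of the quoted post's list of clean /32's. The flow line format and the sample addresses are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample flows (not from the original post), one per line:
# src_ip dst_ip proto dst_port  (proto 17 = UDP, dst_port 53 = DNS)
SAMPLE_FLOWS = """\
192.0.2.10   85.255.112.5   17 53
192.0.2.11   85.255.112.5   17 53
198.51.100.7 85.255.112.6   17 53
198.51.100.8 85.255.112.200 17 53
203.0.113.3  85.255.112.14  6  80
203.0.113.4  85.255.113.9   17 53
"""

def parse_flows(text):
    # Each non-empty line becomes (src, dst, proto, dport)
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport = line.split()
            flows.append((src, dst, int(proto), int(dport)))
    return flows

def dns_flows_per_host(flows, prefix):
    # Number of UDP/53 flows towards each /32 inside `prefix`
    net = ipaddress.ip_network(prefix)
    counts = Counter()
    for _src, dst, proto, dport in flows:
        if proto == 17 and dport == 53 and ipaddress.ip_address(dst) in net:
            counts[dst] += 1
    return counts

def evil_ratio(flows, prefix):
    # Fraction of the prefix's addresses that received at least one UDP/53 flow
    net = ipaddress.ip_network(prefix)
    return len(dns_flows_per_host(flows, prefix)) / net.num_addresses

def clean_ranges(flows, prefix):
    # Addresses with no UDP/53 flows, collapsed into "a - b" ranges like the post
    involved = dns_flows_per_host(flows, prefix)
    ranges, start, prev = [], None, None
    for addr in map(str, ipaddress.ip_network(prefix)):
        if addr in involved:
            if start is not None:
                ranges.append(start if start == prev else f"{start} - {prev}")
                start = None
        else:
            prev, start = addr, (start or addr)
    if start is not None:
        ranges.append(start if start == prev else f"{start} - {prev}")
    return ranges
```

Feeding real exported flows through `parse_flows` only requires emitting the same four whitespace-separated fields per record.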