[nsp-sec] Hijacked DNS Flows towards 85.255.112.0/24 (ASN 36445)

Smith, Donald Donald.Smith at qwest.com
Mon Feb 25 10:53:13 EST 2008


And nothing today either?
So it appears our customers have quit using the 85.255.112.* network for
DNS resolution.


RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac 
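The per-/32 listing and "evil ratio" that Gerard White describes in the quoted message below can be reproduced from flow records with a few lines of Python. The block that follows is an added example, not code posted by anyone in this thread; the flow records are constructed sample data in a simplified nfdump-style CSV (src,dst,proto,sport,dport,packets), and the prefix, the UDP/53 filter and the "ratio = /32s seen as DNS destinations divided by addresses in the prefix" definition are assumptions, since the thread does not say exactly how the original analysis was done.

```python
"""Triage netflow records for DNS traffic toward a suspected rogue-resolver prefix.

Given flow records, keep only UDP/53 flows whose destination lies in the prefix,
count hits per /32, list the /32s that were never hit (as ranges, the way the
mailing-list post did), and compute the share of the prefix that was hit.
"""
import ipaddress
from collections import Counter

# Constructed sample records (not real data). Format assumed here:
# src_ip,dst_ip,proto,src_port,dst_port,packets
SAMPLE_FLOWS = """\
10.1.2.3,85.255.112.5,17,51022,53,4
10.1.2.3,85.255.112.6,17,51023,53,1
10.9.8.7,85.255.112.5,17,40000,53,2
10.4.4.4,85.255.112.100,6,45000,80,10
10.5.5.5,85.255.112.230,17,53000,53,3
10.6.6.6,85.255.113.9,17,53001,53,1
10.7.7.7,8.8.8.8,17,53002,53,1
10.8.8.8,85.255.112.7,17,53003,123,1
"""

def parse_flows(text):
    """Yield one dict per record; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts = line.split(",")
        yield {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
               "proto": int(proto), "sport": int(sport),
               "dport": int(dport), "packets": int(pkts)}

def dns_flows_to_prefix(flows, prefix):
    """Keep UDP (proto 17) flows with destination port 53 inside prefix."""
    net = ipaddress.ip_network(prefix)
    return [f for f in flows
            if f["proto"] == 17 and f["dport"] == 53 and f["dst"] in net]

def per_host_counts(flows):
    """Number of DNS flows per destination /32, keyed by dotted quad."""
    return Counter(str(f["dst"]) for f in flows)

def client_sources(flows):
    """Distinct client sources that talked DNS to the prefix (who to notify)."""
    return Counter(str(f["src"]) for f in flows)

def quiet_hosts(prefix, seen):
    """Return the /32s in prefix never seen as a DNS destination, as (first, last)
    runs of consecutive addresses. Iterating an ip_network yields every address
    in it, network and broadcast included, which is what a /24 listing wants."""
    net = ipaddress.ip_network(prefix)
    runs, start, prev = [], None, None
    for host in net:
        if str(host) in seen:
            continue
        if prev is not None and host == prev + 1:
            prev = host            # extend the current run
        else:
            if start is not None:
                runs.append((start, prev))
            start = prev = host    # open a new run
    if start is not None:
        runs.append((start, prev))
    return runs

def format_ranges(runs):
    """Render runs the way the post lists them: 'a - b' or a single address."""
    return [f"{a} - {b}" if a != b else str(a) for a, b in runs]

def evil_ratio(prefix, seen):
    """Fraction of the prefix's addresses that received DNS flows (assumed
    definition of the post's 'evil ratio')."""
    net = ipaddress.ip_network(prefix)
    hit = sum(1 for h in seen if ipaddress.ip_address(h) in net)
    return hit / net.num_addresses

if __name__ == "__main__":
    prefix = "85.255.112.0/24"
    hits = dns_flows_to_prefix(parse_flows(SAMPLE_FLOWS), prefix)
    seen = per_host_counts(hits)
    print(f"{len(hits)} DNS flows to {len(seen)} /32s in {prefix}")
    print("clients:", dict(client_sources(hits)))
    print("quiet /32s:")
    for line in format_ranges(quiet_hosts(prefix, seen)):
        print("  ", line)
    print(f"evil ratio: {evil_ratio(prefix, seen):.4f}")
```

Note that a flow toward UDP/53 on the prefix only shows that the client is *configured* to use that resolver; the flow data by itself does not say how the setting got there, so the client list is a notification list, not proof of infection. With real exports, replace `SAMPLE_FLOWS` with the output of whatever collector is in use (for nfdump, a CSV export with the same columns), and run the same report per day to see the drop-off Donald describes.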

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Smith, Donald
> Sent: Monday, February 25, 2008 8:45 AM
> To: White, Gerard; NSP-SEC
> Subject: Re: [nsp-sec] Hijacked DNS Flows towards 
> 85.255.112.0/24 (ASN 36445)
> 
> ----------- nsp-security Confidential --------
> 
> I have no explanation for it but on 2/17/08 85.255.112.* had zero DNS
> (UDP port 53) flow records in my netflow.
> 
> 
> RM=for(1)
> {manage_risk(identify_risk(product[i++]) &&
> (identify_threat[product[i++]))}
> Donald.Smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net 
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > White, Gerard
> > Sent: Monday, February 25, 2008 8:17 AM
> > To: NSP-SEC
> > Subject: [nsp-sec] Hijacked DNS Flows towards 85.255.112.0/24 
> > (ASN 36445)
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Greetings
> > 
> > After a 96 hr "analysis", it's _easier_ to list the /32's in this /24
> > that are NOT involved in Hijacked DNS Flows:
> > 
> > 85.255.112.0 - 85.255.112.4
> > 85.255.112.14
> > 85.255.112.17
> > 85.255.112.18
> > 85.255.112.22
> > 85.255.112.27 - 85.255.112.59
> > 85.255.112.67 - 85.255.112.69
> > 85.255.112.72
> > 85.255.112.74
> > 85.255.112.79
> > 85.255.112.80
> > 85.255.112.100
> > 85.255.112.105
> > 85.255.112.113
> > 85.255.112.114
> > 85.255.112.120
> > 85.255.112.121
> > 85.255.112.136
> > 85.255.112.145 - 85.255.112.147
> > 85.255.112.160 - 85.255.112.164
> > 85.255.112.182
> > 85.255.112.191 - 85.255.112.193
> > 85.255.112.199
> > 85.255.112.204
> > 85.255.112.208 - 85.255.112.211
> > 85.255.112.215 - 85.255.112.217
> > 85.255.112.219
> > 85.255.112.224
> > 85.255.112.227
> > 85.255.112.229
> > 85.255.112.233
> > 85.255.112.235
> > 85.255.112.238 - 85.255.112.255
> > 
> > 3 other prefixes coming from 27595:
> > 
> > 85.255.113.0/24
> > 85.255.114.0/23
> > 85.255.116.0/23 (only the 85.255.116.0/24 subnet is faulty)
> > 
> > Have their share of /32's as well, but nothing _close_ to the density of
> > flows towards 85.255.112.0/24
> > 
> > Computing the Evil ratio for this 85.255.112.0/24 prefix is left as an
> > exercise for the reader ;)
> > 
> > GW
> > 
> > 855 - Bell Aliant
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the 
> > nsp-security
> > community. Confidentiality is essential for effective 
> > Internet security counter-measures.
> > _______________________________________________
> > 
> > 
> 
> 
> This communication is the property of Qwest and may contain 
> confidential or
> privileged information. Unauthorized use of this 
> communication is strictly 
> prohibited and may be unlawful.  If you have received this 
> communication 
> in error, please immediately notify the sender by reply 
> e-mail and destroy 
> all copies of the communication and any attachments.
> 
> 
> 
