[nsp-sec] Suspicious DNS Activity

Mike Lewinski mike at rockynet.com
Wed Jul 30 12:51:57 EDT 2008


White, Gerard wrote:

> The following source is doing a continuous, repetitive Type 255
> (Request all records) request
> to the tune of 10-30 QPS on some of our patched servers:
> 
> AS      | IP               | AS Name
> 25535   | 194.85.88.199    | ASN-RUCENTER-HOSTING Hosting Traffic exchange

We're seeing the same here, mainly against customer resolvers.

Jul 30 10:50:57.036381 194.85.88.199.4780 > 204.188.103.11.53: 44050+ ANY? . (17)
Jul 30 10:50:57.041371 194.85.88.199.2554 > 204.188.104.114.53: 64009+ ANY? . (17)
Jul 30 10:50:57.073822 194.85.88.199.49772 > 207.174.202.18.53: 27842+ ANY? . (17)
Jul 30 10:50:57.097190 194.85.88.199.30483 > 207.174.202.18.53: 4983+ ANY? . (17)
Jul 30 10:50:57.213220 194.85.88.199.22965 > 207.174.201.190.53: 46425+ ANY? . (17)
Jul 30 10:50:57.333343 194.85.88.199.45709 > 207.174.72.211.53: 36274+ ANY? . (17)
Jul 30 10:50:57.460359 194.85.88.199.55553 > 207.174.72.211.53: 473+ ANY? . (17)
Jul 30 10:50:57.539647 194.85.88.199.58295 > 204.188.104.114.53: 47075+ ANY? . (17)
Jul 30 10:50:57.735860 194.85.88.199.44858 > 204.188.106.44.53: 15023+ ANY? . (17)
Jul 30 10:50:57.777198 194.85.88.199.41978 > 207.174.141.110.53: 64163+ ANY? . (17)
Jul 30 10:50:58.064978 194.85.88.199.41670 > 207.174.72.211.53: 50850+ ANY? . (17)
Jul 30 10:50:58.125093 194.85.88.199.58918 > 207.174.201.189.53: 9958+ ANY? . (17)
Jul 30 10:50:58.163833 194.85.88.199.43911 > 207.174.201.190.53: 34731+ ANY? . (17)
Jul 30 10:50:58.388504 194.85.88.199.35317 > 207.174.130.58.53: 62857+ ANY? . (17)
Jul 30 10:50:58.403582 194.85.88.199.18537 > 204.188.104.114.53: 26952+ ANY? . (17)
Jul 30 10:50:58.416569 194.85.88.199.39861 > 207.174.72.211.53: 46491+ ANY? . (17)
Jul 30 10:50:58.451611 194.85.88.199.5912 > 207.174.201.189.53: 6167+ ANY? . (17)
Jul 30 10:50:58.509030 194.85.88.199.21730 > 208.139.195.126.53: 57940+ ANY? . (17)
Jul 30 10:50:58.534695 194.85.88.199.24002 > 204.188.97.246.53: 49757+ ANY? . (17)
Jul 30 10:50:58.566545 194.85.88.199.19811 > 208.139.195.126.53: 25421+ ANY? . (17)
Jul 30 10:50:58.576732 194.85.88.199.5456 > 204.188.106.44.53: 20501+ ANY? . (17)
Jul 30 10:50:58.608085 194.85.88.199.3510 > 207.174.201.190.53: 46605+ ANY? . (17)
Jul 30 10:50:58.636551 194.85.88.199.30033 > 204.188.104.114.53: 20853+ ANY? . (17)
Jul 30 10:50:58.845439 194.85.88.199.19765 > 204.188.104.114.53: 13645+ ANY? . (17)
Jul 30 10:50:58.880188 194.85.88.199.55517 > 207.174.130.58.53: 56792+ ANY? . (17)
Jul 30 10:50:58.914940 194.85.88.199.23426 > 204.188.106.44.53: 33371+ ANY? . (17)
Jul 30 10:50:58.915637 194.85.88.199.29396 > 204.188.104.114.53: 54386+ ANY? . (17)
Jul 30 10:50:59.010795 194.85.88.199.22501 > 204.188.106.44.53: 58711+ ANY? . (17)
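
Added example, not part of the original post: a small Python summarizer for tcpdump output in the format shown above, reporting each source's rate of "ANY? ." queries and how many resolvers it touched. The function names, the 10 QPS threshold, the default year and the sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# One unwrapped tcpdump line: "<Mon DD HH:MM:SS.us> <src>.<sport> > <dst>.53: <id>+ <QTYPE>? <qname> (<len>)"
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:.]+) (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.53: \d+\+? (\w+)\? (\S+) \(\d+\)$"
)

def summarize(lines, qtype="ANY", qname=".", year=2008):
    """Per source IP: query count, distinct resolvers, first and last timestamp."""
    stats = defaultdict(lambda: {"count": 0, "resolvers": set(), "first": None, "last": None})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4) != qtype or m.group(5) != qname:
            continue  # not a DNS query line, or a different type/name
        # tcpdump omits the year; it is supplied here as an assumption.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        s = stats[m.group(2)]
        s["count"] += 1
        s["resolvers"].add(m.group(3))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def suspects(lines, min_qps=10.0):
    """Sources whose rate meets min_qps, as {src: (count, qps, resolver_count)}."""
    out = {}
    for src, s in summarize(lines).items():
        span = (s["last"] - s["first"]).total_seconds()
        qps = s["count"] / max(span, 1.0)  # floor the window at 1 s for short captures
        if qps >= min_qps:
            out[src] = (s["count"], round(qps, 1), len(s["resolvers"]))
    return out

# Constructed sample: 12 root ANY queries in under a second from one source,
# spread over three resolvers, plus two unrelated queries from another host.
SAMPLE = [
    f"Jul 30 10:50:57.{i * 80000:06d} 192.0.2.199.{40000 + i} > "
    f"198.51.100.{10 + i % 3}.53: {1000 + i}+ ANY? . (17)"
    for i in range(12)
] + [
    "Jul 30 10:50:57.500000 203.0.113.5.5353 > 198.51.100.10.53: 7+ A? example.com. (29)",
    "Jul 30 10:50:58.000000 203.0.113.5.5354 > 198.51.100.10.53: 8+ ANY? . (17)",
]

if __name__ == "__main__":
    for src, (count, qps, n) in suspects(SAMPLE).items():
        print(f"{src}: {count} queries, {qps} qps, {n} resolvers")
```

The parser expects one record per line, so output wrapped by a mail client has to be rejoined first.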


