[nsp-sec] Possible MX query reflection attack to 212.241.192.20
Felix Schueren
felix.schueren at hosteurope.de
Wed Mar 19 05:03:45 EDT 2008
Hi John,
John Kristoff wrote:
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> We're seeing an unreasonably higher than normal rate of MX queries for
> l2refused largely from 212.241.192.20. Looks like it might be some sort
> of spoofed reflector attack against 212.241.192.20. We are mostly
> seeing the traffic out of Europe, not a lot, but enough to be noticeable.
> I sent a note off to felix at Host Europe, but perhaps some folks like
> the PIPEX or guys could take a look and see? Thanks as always,
>
My 1/1000 sampling shows nothing out of the ordinary, see attached.
That's all the packets I can see in my sampling for the last 24h - is
this still ongoing? If so, I'll try and arrange live pcaping the actual
host, but it looks spoofed.
Kind regards,
Felix
PS: I just checked the whole last week of sampling for this host:
Dst IP Addr        Bytes  Packets
210.188.217.208      965        9
67.225.130.59       2052        7
201.116.14.99       1268        5
62.193.246.160        40        1
212.241.104.154       40        1
212.241.75.149        40        1
202.168.206.88        40        1
seems pretty much unused :p
--
Felix Schueren, Head of NOC
mailto:felix.schueren at hosteurope.de
Host Europe GmbH - http://www.hosteurope.de
Welserstrasse 14 - D-51149 Koeln - Germany
Phone (0800) 4678387 - Fax (01805) 663233
HRB 28495 Amtsgericht Koeln - VAT ID DE187370678
Managing directors: Uwe Braun - Patrick Pulvermueller -
Mike Read - Stewart Porter
This message is subject to: http://www.hosteurope.de/disclaimer.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 2008-03-19_212.241.192.20.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080319/16b05506/attachment-0001.txt>