[nsp-sec] ack'd 2914 Re: DNS Flood to Ultra [NTT-M6906312S] UltraDNS DoS
Fouant, Stefan
Stefan.Fouant at neustar.biz
Wed Apr 1 08:54:41 EDT 2009
Yes, it is my belief that it was not spoofed, since certain remediation we
implemented to protect against zombies seemed to do the trick. And based
on the observed geographic distribution of the attacking hosts, the botnet
was large enough not to warrant it.

The attack has subsided for the time being.

Thanks all!
Stefan Fouant: NeuStar, Inc.
Principal Network Engineer
46000 Center Oak Plaza Sterling, VA 20166
[ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant at neustar.biz [ W ] www.neustar.biz
> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> Sent: Tuesday, March 31, 2009 5:50 PM
> To: Fouant, Stefan
> Cc: NSP-Security
> Subject: RE: [nsp-sec] ack'd 2914 Re: DNS Flood to Ultra [NTT-M6906312S] UltraDNS DoS
>
> What I am seeing doesn't appear to be spoofed. The attacking IPs are
> coming in the same interface consistently, even with non-attack data :)
> Source ports are reasonably random; I don't see a pattern there.
> Packets seem to be ~60-75 bytes.
>
> There is one special port, 51413.
> A high port, static per attacking IP, appears to be talking to that port
> on several IPs.
> Not sure this is the C&C, but it could be. Looks like p2p-style comms;
> it could just be p2p, not the control channel.
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com gcia
>
> >
> > On Tue, Mar 31, 2009 at 10:24:20AM -0400, Fouant, Stefan wrote:
> > > ----------- nsp-security Confidential --------
> > >
> > > Folks,
> > >
> > > Our Ultra sites have been coming under a UDP DNS flood for several
> > > hours, sustaining several hundred Mbps from what appears to be a
> > > large botnet, generating queries for silverdollar.com and gocasino.com.
> > > Looks like a dictionary attack. We're currently filtering it right and
> > > able to sustain business operations as usual, but the attack continues.
> > > Wondering if any of you can take a look at any of the botnets and find
> > > out who might be behind this.
> > >
> > > The ranges under attack are:
> > >
> > > 204.74.108.1/32
> > > 204.74.109.1/32
> > > 199.7.68.1/32
> > > 199.7.69.1/32
> > > 204.74.114.1/32
> > > 204.74.115.1/32
> > >
> > > Thanks for any information any of you can provide,
> > >
> > >
> > > _______________________________________________
> > > nsp-security mailing list
> > > nsp-security at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/nsp-security
> > >
> > > Please do not Forward, CC, or BCC this E-mail outside of
> > the nsp-security
> > > community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > > _______________________________________________
> >
> > --
> >
> > Tino T. Steward SNA1 - Security & Abuse
> > tsteward at us.ntt.net
> > NTT Communications Global IP Network Operations Center
> >
> > 214-853-7344 (Ph.)
> > 214.800.7771 (Fax)
> >
> > AUP online:
> > http://www.nttamerica.com/legal/internet/acceptable_policy.html
> > AUP online: http://www.ntt.net/library/pdf/AUP.pdf
> >
> > Check http://www.cert.org for some of the latest documented
> > exploits and your OS manufacturer for the latest security patches.
> >
> > Intruder detection:
> > http://www.cert.org/tech_tips/intruder_detection_checklist.html
> >
> > Latest viruses: http://www.cert.org
> >
> > Recovering from a compromised host:
> > http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
> >
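The spoofing checks Donald lists (attacking addresses pinned to one ingress interface, the same addresses sending ordinary traffic on that interface, random source ports, 60-75 byte packets) and the "static high port talking to 51413 on several IPs" observation both fall out of plain flow-record analysis. The script below is an added example, not code from anyone in this thread; it works over constructed NetFlow-style records (source/destination address and port, ingress interface, average packet size) and all bot, peer and interface names in it are made up for illustration. The thresholds in shared_static_peer_port (at least two peers, at least two attackers) are assumptions chosen for the sample, not numbers from the thread.

```python
"""Triage of flow records from a UDP DNS flood.

Added example, not code from the nsp-security thread. It implements the
checks described in the thread (ingress-interface consistency, non-attack
traffic from the same address, source-port spread, packet size) and looks
for a destination port that several attacking hosts reach from one fixed
high source port each, the pattern reported for port 51413. The Flow
layout and every address, port and interface name below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# The six /32s named in the original report
VICTIMS = {"204.74.108.1", "204.74.109.1", "199.7.68.1", "199.7.69.1",
           "204.74.114.1", "204.74.115.1"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_if: str       # router ingress interface the flow was seen on
    pkt_bytes: int   # average packet size in the flow


def is_attack(f):
    """UDP/53 toward one of the attacked Ultra addresses."""
    return f.dst_ip in VICTIMS and f.dst_port == 53


def build_sample_flows():
    """Constructed records: two real bots pinned to one interface each, plus
    one address that looks the way a spoofed source would."""
    flows = []
    bots = {"10.0.0.1": "ge-0/0/1", "10.0.0.2": "ge-0/0/2"}
    for i, (bot, iface) in enumerate(bots.items()):
        for j, victim in enumerate(sorted(VICTIMS)):
            # fresh ephemeral source port per query, ~64-72 byte packets
            flows.append(Flow(bot, 20000 + 997 * (i * 6 + j), victim, 53,
                              iface, 64 + (j % 3) * 4))
        # ordinary traffic from the same bot, on the same interface
        flows.append(Flow(bot, 49152 + i, "198.51.100.10", 443, iface, 1200))
        # one static high port talking to 51413 on several peers
        for peer in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
            flows.append(Flow(bot, 40000 + i, peer, 51413, iface, 120))
    # seen on two interfaces, nothing but port-53 traffic: spoof-like
    for k, victim in enumerate(sorted(VICTIMS)):
        flows.append(Flow("192.0.2.50", 33000 + k, victim, 53,
                          "ge-0/0/1" if k % 2 else "ge-0/0/3", 64))
    return flows


def per_source_profile(flows):
    """Evidence per attacking source, as the thread lists it."""
    profiles = {}
    for src in {f.src_ip for f in flows if is_attack(f)}:
        mine = [f for f in flows if f.src_ip == src]
        atk = [f for f in mine if is_attack(f)]
        profiles[src] = {
            "interfaces": sorted({f.in_if for f in mine}),
            "has_non_attack_traffic": any(not is_attack(f) for f in mine),
            "src_port_distinct_ratio": len({f.src_port for f in atk}) / len(atk),
            "mean_pkt_bytes": mean(f.pkt_bytes for f in atk),
        }
    return profiles


def likely_spoofed(profile):
    """A real host arrives on one ingress interface, attack and non-attack
    traffic alike; an address that wanders between interfaces, or only ever
    sends the attack, is the spoofed pattern."""
    return len(profile["interfaces"]) > 1 or not profile["has_non_attack_traffic"]


def shared_static_peer_port(flows, attackers, min_peers=2, min_attackers=2):
    """Destination port that >= min_attackers attacking hosts each reach from
    a single fixed high source port toward >= min_peers distinct peers.
    Returns the port with the widest spread, or None."""
    peers = defaultdict(set)  # (src_ip, src_port, dst_port) -> {dst_ip}
    for f in flows:
        if f.src_ip in attackers and not is_attack(f) and f.src_port >= 1024:
            peers[(f.src_ip, f.src_port, f.dst_port)].add(f.dst_ip)
    by_port = defaultdict(set)  # dst_port -> attackers showing the pattern
    for (src, _sport, dport), dsts in peers.items():
        if len(dsts) >= min_peers:
            by_port[dport].add(src)
    hits = {p: s for p, s in by_port.items() if len(s) >= min_attackers}
    return max(hits, key=lambda p: len(hits[p])) if hits else None


def triage(flows):
    profiles = per_source_profile(flows)
    real = {s for s, p in profiles.items() if not likely_spoofed(p)}
    return {"profiles": profiles, "not_spoofed": sorted(real),
            "suspect_spoofed": sorted(set(profiles) - real),
            "shared_peer_port": shared_static_peer_port(flows, real)}


if __name__ == "__main__":
    result = triage(build_sample_flows())
    for src, p in sorted(result["profiles"].items()):
        print(src, p)
    print("not spoofed:", result["not_spoofed"])
    print("suspect spoofed:", result["suspect_spoofed"])
    print("shared static peer port:", result["shared_peer_port"])
```

On real data the same functions run over an exported flow table (src/dst address and port, input interface, bytes/packets); the ingress-interface check is only meaningful at a router with several upstream interfaces, and a port found by shared_static_peer_port is a lead to inspect, not proof of a control channel, exactly the caveat Donald gives for 51413.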