[nsp-sec] DNS Flood to Ultra - Updated list - looking for the malware - some IPs potentially spoofed

Nicholas Ianelli ni at centergate.net
Thu Apr 2 22:02:10 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team,

I've spoken to at least three different parties who have given the
indication that at least some of the below IPs are most likely being
spoofed.

Taking that into consideration, I'd prefer not to waste anyone's time. I
sorted the list and have only grabbed IPs that have had at least 20 hits
within a ten-minute period.

> Targeting: 204.74.66.131 and 204.74.67.131 - port 53/UDP
> Date of traffic: 2009.04.02
> Time: between 20:08 - 20:18 GMT


  20 190.148.148.49
  20 190.20.142.19
  20 200.11.248.12
  20 200.125.184.3
  21 66.178.31.205
  22 190.148.96.125
  22 190.224.121.67
  22 200.21.123.82
  23 200.49.21.53
  24 190.138.80.18
  24 190.72.193.180
  24 190.96.183.110
  26 190.254.167.22
  27 190.20.3.85
  27 190.29.0.24
  27 190.66.182.40
  28 189.3.182.210
  29 201.217.52.114
  30 190.60.90.50
  31 190.139.11.153
  31 190.201.226.198
  31 190.24.213.248
  32 190.205.127.8
  32 190.72.114.209
  32 81.34.21.2
  34 201.211.0.37
  35 200.241.244.4
  36 88.229.145.23
  36 90.39.163.176
  38 190.24.214.208
  38 190.50.167.60
  40 190.22.116.239
  41 190.76.95.97
  41 201.223.39.12
  41 201.246.147.214
  41 85.58.51.47
  41 91.107.92.181
  43 189.52.126.254
  43 190.40.27.145
  44 190.22.152.91
  44 66.98.21.244
  45 190.138.110.162
  49 201.230.102.99
  49 201.246.95.169
  50 190.20.0.40
  51 189.10.54.242
  51 201.244.163.113
  52 200.28.88.181
  56 190.232.164.108
  56 201.223.172.222
  65 200.119.44.6
  70 190.22.145.43
 123 200.43.223.194

3215    | 90.39.163.176    | AS3215 France Telecom - Orange
3352    | 81.34.21.2       | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
3816    | 190.254.167.22   | COLOMBIA TELECOMUNICACIONES S.A. ESP
3816    | 190.66.182.40    | COLOMBIA TELECOMUNICACIONES S.A. ESP
3816    | 200.21.123.82    | COLOMBIA TELECOMUNICACIONES S.A. ESP
4230    | 189.3.182.210    | Embratel
4230    | 189.52.126.254   | Embratel
4230    | 200.241.244.4    | Embratel
6147    | 190.232.164.108  | Telefonica del Peru S.A.A.
6147    | 190.40.27.145    | Telefonica del Peru S.A.A.
6147    | 201.230.102.99   | Telefonica del Peru S.A.A.
6400    | 66.98.21.244     | Compañía Dominicana de Teléfonos, C. por A. - CODETEL
6471    | 200.49.21.53     | ENTEL CHILE S.A.
7303    | 190.138.110.162  | Telecom Argentina S.A.
7303    | 190.138.80.18    | Telecom Argentina S.A.
7303    | 190.139.11.153   | Telecom Argentina S.A.
7303    | 190.224.121.67   | Telecom Argentina S.A.
7303    | 200.43.223.194   | Telecom Argentina S.A.
7418    | 190.20.0.40      | Terra Networks Chile S.A.
7418    | 190.20.142.19    | Terra Networks Chile S.A.
7418    | 190.20.3.85      | Terra Networks Chile S.A.
7418    | 190.22.116.239   | Terra Networks Chile S.A.
7418    | 190.22.145.43    | Terra Networks Chile S.A.
7418    | 190.22.152.91    | Terra Networks Chile S.A.
7418    | 200.28.88.181    | Terra Networks Chile S.A.
7418    | 201.223.172.222  | Terra Networks Chile S.A.
7418    | 201.223.39.12    | Terra Networks Chile S.A.
7418    | 201.246.147.214  | Terra Networks Chile S.A.
7418    | 201.246.95.169   | Terra Networks Chile S.A.
8048    | 190.201.226.198  | CANTV Servicios, Venezuela
8048    | 190.205.127.8    | CANTV Servicios, Venezuela
8048    | 190.72.114.209   | CANTV Servicios, Venezuela
8048    | 190.72.193.180   | CANTV Servicios, Venezuela
8048    | 190.76.95.97     | CANTV Servicios, Venezuela
8048    | 200.11.248.12    | CANTV Servicios, Venezuela
8048    | 201.211.0.37     | CANTV Servicios, Venezuela
8065    | 190.29.0.24      | EPM Telecomunicaciones S.A. E.S.P.
8167    | 189.10.54.242    | TELESC - Telecomunicacoes de Santa Catarina SA
9121    | 88.229.145.23    | TTNET TTnet Autonomous System
12479   | 85.58.51.47      | UNI2-AS Uni2 Autonomous System
14754   | 190.148.96.125   | Telgua
16422   | 66.178.31.205    | NEWSKIES-NETWORKS - New Skies Satellites, Inc.
18747   | 190.60.90.50     | IFX-NW - IFX Communication Ventures, Inc.
19429   | 190.24.213.248   | ETB - Colombia
19429   | 190.24.214.208   | ETB - Colombia
19429   | 200.119.44.6     | ETB - Colombia
19429   | 201.244.163.113  | ETB - Colombia
22368   | 190.96.183.110   | TELEBUCARAMANGA S.A. E.S.P.
22927   | 190.50.167.60    | Telefonica de Argentina
27768   | 201.217.52.114   | CO.PA.CO.
28007   | 200.125.184.3    | Gold Data C.A.
35736   | 91.107.92.181    | WUK-AS Wanadoo UK

https://asn.cymru.com/nsp-sec/upload/1238724030.whois.txt


Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> Team,
> 
> I have an updated list of ASNs still sending packets towards our DNS
> servers. Granted it is extremely less than before, but it is still
> occurring.
> 
> I am really trying to track down the malware. I am more than happy to
> speak with any of your customers, if this sounds doable, I'll pass you a
> phone number and you can have them call me if you want.
> 
> I have the actual flow if you need it, just drop me a line with the IP
> addresses in question and it's yours.
> 
> There are 555 ASNs represented in this list:
> 
> https://asn.cymru.com/nsp-sec/upload/1238706285.whois.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAknVbiIACgkQi10dJIBjZICSSQCglX9Ilaxd5GU2Gama0WROx4gk
6XIAnjn+0Dbu3lXe09gGHDfGsTqfphZ1
=oPIu
-----END PGP SIGNATURE-----
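The two steps the mail describes, counting per-source hits toward the two targeted resolvers on 53/UDP inside a ten-minute window and then grouping the survivors by ASN, as an added example that is not code from the original post or from the list. The flow records and the whois reply below are constructed sample data; treating a "hit" as a packet, the banner line of the whois reply, and the field layout of the flow records are assumptions. The Team Cymru bulk query (`begin` ... `end` sent to whois.cymru.com on TCP/43) is the standard one, and its non-verbose reply is the same three-column "ASN | IP | AS Name" shape as the table in the post. Note that the counting step alone cannot tell a real infected host from a spoofed source, which is exactly the caveat the post raises.

```python
# Added example (not from the original post): count per-source hits toward the
# targeted resolvers on 53/UDP inside the window, keep sources at or above the
# threshold, then group them by ASN from a "ASN | IP | AS Name" whois reply.
from collections import Counter, defaultdict
from datetime import datetime, timezone

TARGETS = {"204.74.66.131", "204.74.67.131"}
WINDOW_START = datetime(2009, 4, 2, 20, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2009, 4, 2, 20, 18, tzinfo=timezone.utc)
THRESHOLD = 20

# Constructed flow records (RFC 5737 test addresses): ts,src,dst,proto,dport,packets
SAMPLE_FLOWS = """\
2009-04-02T20:08:12Z,203.0.113.5,204.74.66.131,udp,53,9
2009-04-02T20:11:40Z,203.0.113.5,204.74.67.131,udp,53,8
2009-04-02T20:15:03Z,203.0.113.5,204.74.66.131,udp,53,7
2009-04-02T20:18:00Z,203.0.113.5,204.74.66.131,udp,53,50
2009-04-02T20:09:55Z,198.51.100.7,204.74.66.131,udp,53,6
2009-04-02T20:13:20Z,198.51.100.7,204.74.66.131,udp,53,5
2009-04-02T20:05:00Z,192.0.2.33,204.74.66.131,udp,53,15
2009-04-02T20:10:30Z,192.0.2.33,204.74.66.131,udp,53,19
2009-04-02T20:12:00Z,192.0.2.44,204.74.66.131,tcp,53,40
2009-04-02T20:12:10Z,192.0.2.44,204.74.66.200,udp,53,40
2009-04-02T20:17:59Z,192.0.2.44,204.74.66.131,udp,53,21
"""


def parse_flows(text):
    """Parse the constructed records into dicts with an aware UTC timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, packets = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "packets": int(packets),
        })
    return flows


def count_sources(flows, targets, start, end, threshold):
    """Return [(hits, src), ...] ascending by hits, like the list in the post.

    Only 53/UDP toward the targets inside [start, end) counts as a hit
    (assumption: one hit per packet). A source that only crosses the
    threshold with traffic outside the window (192.0.2.33 in the sample) is
    dropped, as are TCP flows and flows to other destinations.
    """
    hits = Counter()
    for f in flows:
        if f["dst"] not in targets or f["proto"] != "udp" or f["dport"] != 53:
            continue
        if not (start <= f["ts"] < end):
            continue
        hits[f["src"]] += f["packets"]
    return sorted((n, ip) for ip, n in hits.items() if n >= threshold)


def cymru_bulk_query(ips):
    """Body to send to whois.cymru.com (TCP/43) for a non-verbose bulk lookup."""
    return "begin\n" + "\n".join(ips) + "\nend\n"


# Constructed reply in the three-column shape the post's table uses; the banner
# line (assumed wording) and the header row are what a parser has to skip.
SAMPLE_CYMRU_REPLY = """\
Bulk mode; whois.cymru.com [2009-04-02 20:30:00 +0000]
AS      | IP               | AS Name
7418    | 190.20.0.40      | Terra Networks Chile S.A.
7418    | 190.22.145.43    | Terra Networks Chile S.A.
3352    | 81.34.21.2       | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
"""


def parse_cymru_reply(text):
    """Parse 'ASN | IP | AS Name' lines into (asn, ip, name) tuples.

    Rows whose first column is not numeric (banner, header, unrouted "NA"
    entries) are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        records.append(tuple(parts))
    return records


def group_by_asn(records):
    """Map (asn, name) -> sorted IPs, one bucket per provider to notify."""
    groups = defaultdict(list)
    for asn, ip, name in records:
        groups[(asn, name)].append(ip)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    suspects = count_sources(parse_flows(SAMPLE_FLOWS), TARGETS,
                             WINDOW_START, WINDOW_END, THRESHOLD)
    for n, ip in suspects:
        print(f"{n:4d} {ip}")
    print(cymru_bulk_query([ip for _, ip in suspects]), end="")
    for (asn, name), ips in group_by_asn(parse_cymru_reply(SAMPLE_CYMRU_REPLY)).items():
        print(f"AS{asn} {name}: {', '.join(ips)}")
```

Run stand-alone it prints the two sources that survive the window and threshold (the 50-packet record at 20:18:00 falls outside the half-open window, the 19 in-window packets from 192.0.2.33 stay under 20), the bulk-query body you would pipe to whois.cymru.com, and the per-ASN buckets from the constructed reply.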