[nsp-sec] Speaking of DNS DDoS ... 67.21.67.126 getting love.
Scott A. McIntyre
scott at xs4all.net
Thu Apr 9 01:08:07 EDT 2009
Hi,
About an hour ago we started seeing a pretty big uptick in packets
heading for 67.21.67.126 -- Usual MO, spoofed sources in a DNS
amplification attack. Domain being queried is:
turan-online.info
TXT records:
;; ANSWER SECTION:
turan-online.info. 824086 IN TXT
"jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
"
turan-online.info. 824086 IN TXT
"nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
"
turan-online.info. 824086 IN TXT
"ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
"
And so on.
2009-04-09 05:53:58.506 UTC+0200 is the start time here.
We're seeing about 8-9000 packets per second of the spoofed queries,
so I can imagine the total pain is pretty reasonable. Target:
AS | IP | AS Name
46844 | 67.21.67.126 | ST-BGP - SHARKTECH INTERNET SERVICES
You may want to check for flows from open/recursive resolvers which
are adding to the attack.
Authoritative NS hosts for turan-online.info are:
AS | IP | AS Name
21448 | 195.69.95.204 | MWIL
21448 | 195.69.95.114 | MWIL
21448 | 195.69.95.112 | MWIL
Regards,
Scott A. McIntyre
XS4ALL Internet
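
The flow check suggested in the message above, as an added example that is not part of the original post: it pairs UDP/53 queries claiming to come from the target with the responses each resolver sends back, and reports resolvers whose responses are amplified. The CSV column layout, the sample flows, the resolver addresses (RFC 5737 documentation ranges) and the `min_ratio` threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

VICTIM = "67.21.67.126"  # target address named in the message

# Constructed flow export, not real data. Column layout is an assumption.
SAMPLE_FLOWS = """\
#start,src,sport,dst,dport,proto,packets,bytes
2009-04-09T03:54:00Z,67.21.67.126,4321,192.0.2.53,53,udp,600,42000
2009-04-09T03:54:00Z,192.0.2.53,53,67.21.67.126,4321,udp,1800,2100000
2009-04-09T03:55:00Z,67.21.67.126,9876,192.0.2.53,53,udp,400,28000
2009-04-09T03:55:00Z,192.0.2.53,53,67.21.67.126,9876,udp,1200,1400000
2009-04-09T03:54:00Z,67.21.67.126,5555,198.51.100.10,53,udp,500,35000
2009-04-09T03:54:00Z,198.51.100.10,53,67.21.67.126,5555,udp,500,37500
2009-04-09T03:54:00Z,203.0.113.7,53,67.21.67.126,7777,udp,200,240000
2009-04-09T03:54:00Z,192.0.2.53,53,198.51.100.99,40000,udp,10,900
2009-04-09T03:54:00Z,192.0.2.80,53,67.21.67.126,80,tcp,5,300
"""

def amplifying_resolvers(flow_csv, victim=VICTIM, min_ratio=2.0):
    """Return {resolver_ip: stats} for hosts sending amplified DNS replies to victim."""
    stats = defaultdict(lambda: {"q_pkts": 0, "q_bytes": 0, "r_pkts": 0, "r_bytes": 0})
    for row in csv.reader(io.StringIO(flow_csv)):
        if not row or row[0].startswith("#"):
            continue
        _, src, sport, dst, dport, proto, pkts, nbytes = row
        if proto.lower() != "udp":
            continue
        if src == victim and dport == "53":    # spoofed query reaching a resolver
            stats[dst]["q_pkts"] += int(pkts)
            stats[dst]["q_bytes"] += int(nbytes)
        elif dst == victim and sport == "53":  # response sent toward the target
            stats[src]["r_pkts"] += int(pkts)
            stats[src]["r_bytes"] += int(nbytes)
    flagged = {}
    for ip, s in stats.items():
        if s["r_bytes"] == 0:
            continue  # queries seen but nothing answered (dropped or filtered)
        # Responses with no matching query (asymmetric routing) count as infinite.
        ratio = s["r_bytes"] / s["q_bytes"] if s["q_bytes"] else float("inf")
        if ratio >= min_ratio:  # small REFUSED-style replies stay below this
            flagged[ip] = {**s, "ratio": round(ratio, 1)}
    return flagged

if __name__ == "__main__":
    for ip, s in sorted(amplifying_resolvers(SAMPLE_FLOWS).items()):
        print(ip, s["r_pkts"], "pkts", s["r_bytes"], "bytes", "ratio", s["ratio"])
```

A resolver that answers the spoofed queries with short refusals stays under the threshold and is not reported; one whose queries arrived over a path the collector does not see is still reported because its responses are visible.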