[nsp-sec] Speaking of DNS DDoS ... 67.21.67.126 getting love.

Hank Nussbacher hank at efes.iucc.ac.il
Thu Apr 9 14:03:50 EDT 2009


On Thu, 9 Apr 2009, Scott A. McIntyre wrote:

I am curious whether the Cisco Guard can mitigate these attacks?

Thanks,
Hank

> ----------- nsp-security Confidential --------
>
> Hi,
>
> About an hour ago we started seeing a pretty big uptick in packets heading 
> for 67.21.67.126 -- Usual MO, spoofed sources in a DNS amplification attack. 
> Domain being queried is:
>
>
> turan-online.info
>
>
> TXT records:
>
> ;; ANSWER SECTION:
> turan-online.info.	824086	IN	TXT 
> "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj"
> turan-online.info.	824086	IN	TXT 
> "nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn"
> turan-online.info.	824086	IN	TXT 
> "ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"
>
>
> And so on.
>
> 2009-04-09 05:53:58.506 UTC+0200 is the start time here.
>
> We're seeing about 8-9000 packets per second of the spoofed queries, so I can 
> imagine the total pain is pretty reasonable.  Target:
>
> AS      | IP               | AS Name
> 46844   | 67.21.67.126     | ST-BGP - SHARKTECH INTERNET SERVICES
>
> You may want to check for flows from open/recursive resolvers which are 
> adding to the attack.
>
> Authoritative NS hosts for turan-online.info are:
>
> AS      | IP               | AS Name
> 21448   | 195.69.95.204    | MWIL ==========================================
> 21448   | 195.69.95.114    | MWIL ==========================================
> 21448   | 195.69.95.112    | MWIL ==========================================
>
>
> Regards,
>
> Scott A. McIntyre
> XS4ALL Internet
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security 
> counter-measures.
> _______________________________________________



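The report above describes the two things a defender can measure on the wire: the size ratio between a small spoofed TXT query and the padded TXT answer (the amplification), and the resulting flood of port-53 responses from many recursive resolvers converging on one victim address. The following Python is an added example, not code from the original post or from XS4ALL; it builds the query and the TXT response in DNS wire format to compute the amplification factor, then runs a simple flow-record classifier that flags a destination receiving high-rate DNS responses from several distinct resolvers. The TXT string lengths (128 bytes each), the EDNS buffer size, the resolver addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24), the flow line format and the per-second byte counts are all constructed for the example; only the domain name, the TTL and the victim address 67.21.67.126 come from the post.

```python
import struct
from collections import defaultdict


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=16, edns_bufsize=4096):
    """Minimal TXT query with an EDNS0 OPT record (bufsize is an assumption)."""
    arcount = 1 if edns_bufsize else 0
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, type 41, "class" carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return hdr + question + opt


def build_txt_response(name, txt_strings, ttl=824086):
    """Authoritative answer carrying one TXT RR per string (single character-string each)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(txt_strings), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 16, 1)
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode("ascii")   # TXT rdata: <len><chars>
        # 0xC00C is a compression pointer back to the name in the question
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return hdr + question + answers


def amplification_factor(query, response):
    """Bytes returned per byte sent, ignoring IP/UDP headers."""
    return len(response) / len(query)


# Constructed flow records: one line per exporter second, DNS payload bytes only.
# Three resolvers answer towards the victim; one answers normal traffic elsewhere.
SAMPLE_FLOWS = """\
2009-04-09T03:54:00Z 198.51.100.7:53 -> 67.21.67.126:10243 udp 3100 1419800
2009-04-09T03:54:00Z 203.0.113.42:53 -> 67.21.67.126:10243 udp 2900 1328200
2009-04-09T03:54:00Z 198.51.100.9:53 -> 67.21.67.126:10243 udp 2600 1190800
2009-04-09T03:54:01Z 198.51.100.7:53 -> 67.21.67.126:10243 udp 3000 1374000
2009-04-09T03:54:01Z 203.0.113.42:53 -> 67.21.67.126:10243 udp 2800 1282400
2009-04-09T03:54:01Z 198.51.100.9:53 -> 67.21.67.126:10243 udp 2700 1236600
2009-04-09T03:54:00Z 198.51.100.7:53 -> 192.0.2.10:51313 udp 4 1800
2009-04-09T03:54:01Z 198.51.100.7:53 -> 192.0.2.10:51313 udp 3 1400
"""


def parse_flows(text):
    """Parse the constructed 'ts src:port -> dst:port proto pkts bytes' lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, proto, pkts, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
                      "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def flag_amplification_victims(flows, pps_threshold=1000, min_resolvers=2):
    """Flag destinations receiving high-rate DNS responses from several resolvers.

    Returns {dst_ip: {"pps", "avg_bytes", "resolvers"}} for flagged targets;
    the resolver list is what you would hand to their operators.
    """
    per_dst = defaultdict(lambda: {"pkts": 0, "bytes": 0, "secs": set(), "srcs": set()})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != 53:   # only DNS responses
            continue
        d = per_dst[f["dst_ip"]]
        d["pkts"] += f["pkts"]
        d["bytes"] += f["bytes"]
        d["secs"].add(f["ts"])
        d["srcs"].add(f["src_ip"])
    flagged = {}
    for dst, d in per_dst.items():
        pps = d["pkts"] / len(d["secs"])
        if pps >= pps_threshold and len(d["srcs"]) >= min_resolvers:
            flagged[dst] = {"pps": pps, "avg_bytes": d["bytes"] / d["pkts"],
                            "resolvers": sorted(d["srcs"])}
    return flagged


if __name__ == "__main__":
    q = build_query("turan-online.info")
    r = build_txt_response("turan-online.info", ["j" * 128, "n" * 128, "s" * 128])
    print("query %d bytes, response %d bytes, factor %.1fx"
          % (len(q), len(r), amplification_factor(q, r)))
    for dst, info in flag_amplification_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(dst, info)
```

The response size the wire builder produces (458 bytes for three 128-byte strings) is the same per-packet average the constructed flows carry, so the two halves cross-check each other; in practice you would feed real NetFlow/sFlow exports into `parse_flows` and tune `pps_threshold` to the victim's normal DNS response rate. The resolver list is the actionable output, since those are the open recursive servers whose operators need to be told they are contributing.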