[nsp-sec] Speaking of DNS DDoS ... 67.21.67.126 getting love.

Chris Morrow morrowc at ops-netman.net
Thu Apr 9 14:30:08 EDT 2009



On Thu, 9 Apr 2009, Hank Nussbacher wrote:

> ----------- nsp-security Confidential --------
>
> On Thu, 9 Apr 2009, Scott A. McIntyre wrote:
>
> I am curious whether the Cisco Guard can mitigate these attacks?

flex filter, and/or just being a cache seemed to do the trick when last I 
tried...

Course maybe the next option is to also ask .info to kill this domain 
(though we're waiting a week for the caches to ttl-expire)

-Chris

>
> Thanks,
> Hank
>
>> ----------- nsp-security Confidential --------
>> 
>> Hi,
>> 
>> About an hour ago we started seeing a pretty big uptick in packets heading 
>> for 67.21.67.126 -- Usual MO, spoofed sources in a DNS amplification 
>> attack. Domain being queried is:
>> 
>> 
>> turan-online.info
>> 
>> 
>> TXT records:
>> 
>> ;; ANSWER SECTION:
>> turan-online.info.	824086	IN	TXT 
>> "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj"
>> turan-online.info.	824086	IN	TXT 
>> "nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn"
>> turan-online.info.	824086	IN	TXT 
>> "ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"
>> 
>> 
>> And so on.
>> 
>> 2009-04-09 05:53:58.506 UTC+0200 is the start time here.
>> 
>> We're seeing about 8-9000 packets per second of the spoofed queries, so I 
>> can imagine the total pain is pretty reasonable.  Target:
>> 
>> AS      | IP               | AS Name
>> 46844   | 67.21.67.126     | ST-BGP - SHARKTECH INTERNET SERVICES
>> 
>> You may want to check for flows from open/recursive resolvers which are 
>> adding to the attack.
>> 
>> Authoritative NS hosts for turan-online.info are:
>> 
>> AS      | IP               | AS Name
>> 21448   | 195.69.95.204    | MWIL 
>> ==========================================
>> 21448   | 195.69.95.114    | MWIL 
>> ==========================================
>> 21448   | 195.69.95.112    | MWIL 
>> ==========================================
>> 
>> 
>> Regards,
>> 
>> Scott A. McIntyre
>> XS4ALL Internet
>> 
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security 
>> counter-measures.
>> _______________________________________________
>
>
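As an added example, not code from this thread or from any of its posters: a resolver-side check for the pattern Scott describes (one spoofed "client", the victim, repeatedly asking for a domain's oversized TXT records), plus an estimate of how much amplification three 128-byte TXT answers give per query. The log format and the sample lines are constructed for the example; the victim address and domain are the ones in the thread.

```python
"""Resolver-side check for DNS amplification participation, plus an estimate
of the amplification large TXT answers give. Added example, not code from the
thread; the log format (ts client qname qtype) is a constructed simplification."""
from collections import Counter

# Constructed sample log: the thread's victim address appears as the spoofed
# "client" repeatedly asking for the domain's TXT records.
SAMPLE_LOG = """\
1239249238 67.21.67.126 turan-online.info. TXT
1239249238 67.21.67.126 turan-online.info. TXT
1239249238 67.21.67.126 turan-online.info. TXT
1239249239 67.21.67.126 turan-online.info. TXT
1239249239 67.21.67.126 turan-online.info. TXT
1239249238 192.0.2.10 www.example.com. A
"""

def parse_log(text):
    # Yield (ts, client, qname, qtype) from the simplified log format.
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            yield int(ts), client, qname.rstrip(".").lower(), qtype.upper()

def find_amplification_sources(text, min_queries=5, min_rate=2.0,
                               heavy_types=("TXT", "ANY")):
    """Return (client, qname, qtype, count, queries_per_s) for client/qname
    pairs repeating a large-answer qtype at >= min_rate; a spoofed victim
    shows up as one 'client' hammering one qname."""
    counts, first, last = Counter(), {}, {}
    for ts, client, qname, qtype in parse_log(text):
        key = (client, qname, qtype)
        counts[key] += 1
        first.setdefault(key, ts)
        last[key] = ts
    hits = []
    for key, n in counts.items():
        if key[2] in heavy_types and n >= min_queries:
            rate = n / max(last[key] - first[key], 1)
            if rate >= min_rate:
                hits.append((*key, n, rate))
    return sorted(hits, key=lambda h: -h[3])

def amplification_factor(qname, txt_lengths):
    """DNS payload bytes out / in for a TXT query answered with one record per
    entry (each < 256 bytes, compressed owner names, no EDNS, no UDP/IP)."""
    wire_name = sum(1 + len(lbl) for lbl in qname.strip(".").split(".")) + 1
    query = 12 + wire_name + 4  # header + QNAME + QTYPE/QCLASS
    # per RR: name ptr, type, class, ttl, rdlength, string length byte, text
    answers = sum(2 + 2 + 2 + 4 + 2 + 1 + n for n in txt_lengths)
    return (query + answers) / query
```

Flagged (client, qname) pairs are the spoofed victims a resolver operator would rate-limit or report, not sources to block outright, since the "client" is the target of the attack.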