[nsp-sec] Speaking of DNS DDoS ... 67.21.67.126 getting love.
Stephen Gill
gillsr at cymru.com
Thu Apr 9 18:44:15 EDT 2009
I think we might have a new record.
At a cursory glance it looks like over 1 MILLION open recursive servers were
used for this attack.
Now to noodle on some ideas to deal with this mess :(
-- steve
On 4/8/09 10:08 PM, "Scott A. McIntyre" <scott at xs4all.net> wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> About an hour ago we started seeing a pretty big uptick in packets
> heading for 67.21.67.126 -- Usual MO, spoofed sources in a DNS
> amplification attack. Domain being queried is:
>
>
> turan-online.info
>
>
> TXT records:
>
> ;; ANSWER SECTION:
> turan-online.info. 824086 IN
> TXT
> "jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
> jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
> "
> turan-online.info. 824086 IN
> TXT
> "nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
> nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
> "
> turan-online.info. 824086 IN
> TXT
> "sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
> sssssssssssssssssssssssssssssssssssssssssssssssssss
> "
>
>
> And so on.
>
> 2009-04-09 05:53:58.506 UTC+0200 is the start time here.
>
> We're seeing about 8-9000 packets per second of the spoofed queries,
> so I can imagine the total pain is pretty reasonable. Target:
>
> AS | IP | AS Name
> 46844 | 67.21.67.126 | ST-BGP - SHARKTECH INTERNET SERVICES
>
> You may want to check for flows from open/recursive resolvers which
> are adding to the attack.
>
> Authoritative NS hosts for turan-online.info are:
>
> AS | IP | AS Name
> 21448 | 195.69.95.204 | MWIL
> ==========================================
> 21448 | 195.69.95.114 | MWIL
> ==========================================
> 21448 | 195.69.95.112 | MWIL
> ==========================================
>
>
> Regards,
>
> Scott A. McIntyre
> XS4ALL Internet
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
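Two things the thread asks operators to do are to check flows for open recursive resolvers feeding the attack and to understand why the oversized TXT records matter. The following is an added example, not code from the thread or from Team Cymru or XS4ALL: it parses a constructed, hypothetical NetFlow-style export (the field layout and all IP addresses are assumptions) to list resolvers sending DNS-sized UDP traffic at the target, and computes the payload amplification a TXT answer set of a given size yields using the DNS wire format.

```python
"""Added example (not part of the original thread): summarise DNS
amplification responses hitting a victim from flow records, and estimate
the query-to-response amplification of a TXT record set.
All sample data below is constructed; the flow field layout is assumed."""
from collections import defaultdict

VICTIM = "67.21.67.126"  # target named in the thread

# Constructed flow lines (hypothetical export format, one flow per line):
# start_epoch src_ip src_port dst_ip dst_port proto packets bytes
SAMPLE_FLOWS = """\
1239249238 198.51.100.7 53 67.21.67.126 53 udp 120 168000
1239249238 198.51.100.9 53 67.21.67.126 53 udp 95 133000
1239249238 203.0.113.44 53 67.21.67.126 53 udp 300 420000
1239249238 203.0.113.200 443 67.21.67.126 51234 tcp 40 60000
1239249239 198.51.100.7 53 67.21.67.126 53 udp 130 182000
1239249239 192.0.2.77 53 67.21.67.126 53 udp 60 84000
1239249239 192.0.2.88 53 67.21.67.126 53 udp 10 700
"""


def parse_flows(text):
    """Parse the constructed flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, pkts, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def dns_responses_to(flows, victim):
    """Flows that look like DNS answers: UDP from source port 53 to the victim."""
    return [f for f in flows
            if f["dst"] == victim and f["proto"] == "udp" and f["sport"] == 53]


def summarise(flows, victim, min_avg_bytes=512):
    """Per-resolver packet/byte totals, peak packets per second, and the
    subset of sources whose average packet size marks them as amplifiers.
    Small average packets (normal answers) are left out of 'amplifiers'."""
    per_src = defaultdict(lambda: [0, 0])
    per_sec = defaultdict(int)
    for f in dns_responses_to(flows, victim):
        per_src[f["src"]][0] += f["pkts"]
        per_src[f["src"]][1] += f["bytes"]
        per_sec[f["ts"]] += f["pkts"]
    amplifiers = {src: (p, b) for src, (p, b) in per_src.items()
                  if b / p >= min_avg_bytes}
    return {"distinct_resolvers": len(per_src),
            "amplifiers": amplifiers,
            "peak_pps": max(per_sec.values(), default=0),
            "total_packets": sum(p for p, _ in per_src.values())}


def qname_wire_len(name):
    """Wire length of a DNS name: one length byte per label plus the root byte."""
    return sum(1 + len(label) for label in name.strip(".").split(".")) + 1


def query_size(name):
    """DNS payload bytes of a single question: 12-byte header + QNAME + QTYPE/QCLASS."""
    return 12 + qname_wire_len(name) + 4


def response_size(name, txt_lengths):
    """DNS payload bytes of a response echoing the question and carrying one
    TXT RR per entry of txt_lengths (single character-string each, owner
    name compressed to a 2-byte pointer): 2 + type 2 + class 2 + TTL 4 +
    RDLENGTH 2 + (1 length byte + text)."""
    return query_size(name) + sum(2 + 2 + 2 + 4 + 2 + 1 + n for n in txt_lengths)


if __name__ == "__main__":
    report = summarise(parse_flows(SAMPLE_FLOWS), VICTIM)
    print(f"{report['distinct_resolvers']} resolvers, peak {report['peak_pps']} pps")
    for src, (pkts, nbytes) in sorted(report["amplifiers"].items()):
        print(f"  notify {src}: {pkts} pkts, {nbytes // pkts} B/pkt avg")
    q = query_size("turan-online.info")
    r = response_size("turan-online.info", [128, 128, 128])
    print(f"TXT amplification (3 x 128-byte strings): {r}/{q} = {r / q:.1f}x")
```

The amplifier list is what you would hand to the resolver operators (or feed into a resolver-notification workflow), while the size calculation shows why a handful of padded TXT records turns a 35-byte query into a response more than ten times larger even before "And so on" adds further records; the flow layout, thresholds and addresses are all assumptions and would need adapting to a real collector.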