[nsp-sec] DDoS against 204.69.234.1/204.74.101.1

Mike Lewinski mike at rockynet.com
Tue Apr 14 22:36:26 EDT 2009


Rob Thomas wrote:

> Queries running now.  Got a full(er) list of sources?  Likely spoofed or no?

Pretty sure it's spoofed. I'm definitely seeing backscatter here. It 
looks like:

20:26:13.233527 204.74.101.1.53 > 206.168.189.6.37289: 62889*- 1/3/0 A 72.52.5.60 (117) (DF)
20:26:13.446322 204.74.101.1.53 > 206.168.189.19.40617: 682*- 1/3/0 A 72.52.5.60 (117) (DF)
20:26:13.552560 204.74.101.1.53 > 206.168.189.27.42665: 2730*- 1/3/0 A 72.52.5.60 (117) (DF)
20:26:13.711742 204.74.101.1.53 > 206.168.189.36.44969: 5034*- 1/3/0 A 72.52.5.60 (117) (DF)
...
20:27:05.822430 204.74.101.1.53 > 206.168.96.17.16297: 41897*- 1/3/0 A 72.52.5.60 (117) (DF)
20:27:05.838317 204.74.101.1.53 > 206.168.96.18.16553: 42153*- 1/3/0 A 72.52.5.60 (117) (DF)
20:27:05.851197 204.74.101.1.53 > 206.168.96.19.16809: 42409*- 1/3/0 A 72.52.5.60 (117) (DF)
20:27:06.006867 204.74.101.1.53 > 206.168.96.29.19369: 44969*- 1/3/0 A 72.52.5.60 (117) (DF)
20:27:06.039518 204.74.101.1.53 > 206.168.96.31.19881: 45481*- 1/3/0 A 72.52.5.60 (117) (DF)
...
20:32:29.549880 204.74.101.1.53 > 208.139.194.118.2189: 27789*- 1/3/0 A 72.52.5.60 (117) (DF)
20:32:29.679985 204.74.101.1.53 > 208.139.194.126.4237: 29837*- 1/3/0 A 72.52.5.60 (117) (DF)
20:32:29.828972 204.74.101.1.53 > 208.139.194.135.6541: 32141*- 1/3/0 A 72.52.5.60 (117) (DF)
20:32:29.856930 204.74.101.1.53 > 208.139.194.137.7053: 32653*- 1/3/0 A 72.52.5.60 (117) (DF)
20:32:29.933713 204.74.101.1.53 > 208.139.194.142.8333: 33933*- 1/3/0 A 72.52.5.60 (117) (DF)
20:32:30.018691 204.74.101.1.53 > 208.139.194.147.9613: 35213*- 1/3/0 A 72.52.5.60 (117) (DF)
20:32:30.044152 204.74.101.1.53 > 208.139.194.149.10125: 35725*- 1/3/0 A 72.52.5.60 (117) (DF)
20:32:30.132352 204.74.101.1.53 > 208.139.194.152.10893: 36493*- 1/3/0 A 72.52.5.60 (117) (DF)

I believe that we're getting at least one response per IP, but for a 
couple of reasons I can't capture them all.

I do NOT see any outbound queries that match your signature. But then, 
we're doing BCP38, so if the attack is only spoofed sources we wouldn't 
ever see it exiting our network, because it wouldn't :)

Mike
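The backscatter test Mike applies by eye (DNS answers landing on many of our hosts with no outbound query to explain them) can be scripted. The following is an added example, not code from the post or from any tool mentioned on the list; it parses tcpdump's DNS line format, and the 206.168.0.0/16 local prefix, the 8.8.8.8 query/reply pair and the host threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in tcpdump's DNS format: the four answers from 204.74.101.1 are
# taken from the post above; the 206.168.189.50 <-> 8.8.8.8 exchange is a made-up
# legitimate query and its reply, so the detector has something it must NOT flag.
SAMPLE = """\
20:26:13.233527 204.74.101.1.53 > 206.168.189.6.37289: 62889*- 1/3/0 A 72.52.5.60 (117) (DF)
20:26:13.446322 204.74.101.1.53 > 206.168.189.19.40617: 682*- 1/3/0 A 72.52.5.60 (117) (DF)
20:26:13.552560 204.74.101.1.53 > 206.168.189.27.42665: 2730*- 1/3/0 A 72.52.5.60 (117) (DF)
20:26:13.711742 204.74.101.1.53 > 206.168.189.36.44969: 5034*- 1/3/0 A 72.52.5.60 (117) (DF)
20:26:14.000100 206.168.189.50.50123 > 8.8.8.8.53: 4321+ A? example.com. (29)
20:26:14.021400 8.8.8.8.53 > 206.168.189.50.50123: 4321 1/0/0 A 93.184.216.34 (45)
"""

# timestamp src.sport > dst.dport: txid[flags] ...
LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\d+)([*+-]*) ")

def find_backscatter(capture, local_nets, min_hosts=3):
    """Return {server_ip: [local hosts]} for DNS servers whose answers reached at
    least min_hosts local addresses without a preceding outbound query.
    An answer counts as solicited only if a query with the same
    (client, client port, txid, server) tuple was seen earlier in the capture."""
    local = [ip_network(n) for n in local_nets]
    is_local = lambda ip: any(ip_address(ip) in n for n in local)
    seen_queries = set()
    unsolicited = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a UDP DNS line in the format we understand
        _, src, sport, dst, dport, txid, _flags = m.groups()
        if dport == "53" and is_local(src):
            seen_queries.add((src, sport, txid, dst))       # one of our hosts asked
        elif sport == "53" and is_local(dst):
            if (dst, dport, txid, src) not in seen_queries:
                unsolicited[src].add(dst)                   # answer nobody here asked for
    return {srv: sorted(hosts, key=ip_address)
            for srv, hosts in unsolicited.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for srv, hosts in find_backscatter(SAMPLE, ["206.168.0.0/16"]).items():
        print(f"{srv}: unsolicited answers to {len(hosts)} local hosts: {', '.join(hosts)}")
```

With the real capture, feed it `tcpdump -n -l udp port 53` output and raise `min_hosts` to suit the size of the network; a legitimate recursive server will never appear because every one of its answers has a matching outbound query.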


