[nsp-sec] DDoS against 204.69.234.1/204.74.101.1

Keith Schoenefeld schoenk at illinois.edu
Tue Apr 14 22:58:01 EDT 2009



I don't have the ability to look at DNS logs at the moment (we don't
capture them), but flow logs indicate 142 flows in the last five
minutes to 204.69.234.1 and  (all appear to be from legitimate DNS
servers on campus), and 1446 flows in the last five minutes to
204.74.101.1 (again, all appear to be from legitimate DNS servers on
campus).

-- KS

Rodney Joffe wrote:
> ----------- nsp-security Confidential --------
> 
> Hi Guys,
> 
> We're having some issues at the moment, like this...
> 
> 01:58:31.528866 IP 96.229.37.175.50264 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 01:58:31.529003 IP 203.179.88.62.61411 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 01:58:31.529174 IP 118.68.157.93.20580 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 01:58:31.529182 IP 115.103.3.197.15970 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 01:58:31.529239 IP 76.202.116.91.1535 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 01:58:31.529889 IP 68.181.227.97.3180 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 01:58:31.529922 IP 222.254.123.1.35037 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 01:58:31.530031 IP 68.181.227.97.3182 > 204.69.234.1.domain:  54817+ A?
> www.yishengbo.com. (35)
> 
> We're filtering, but it would be very helpful if you could look for the
> botnet and C&C, and nail it.
> 
> Thanks
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________


--
Keith Schoenefeld
Network Security Officer
Office of Privacy and Information Assurance
University of Illinois
(217) 333-4332
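An added example, not part of the thread: a Python parser for the tcpdump DNS query lines quoted above. It flags the pattern visible in Rodney's capture, many distinct sources sending the identical transaction ID for the same name to one server in the same instant, which a real resolver population (random transaction IDs, varied names) does not produce. The sample lines and the `min_sources` threshold are constructed placeholders, not values from the capture.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted in the thread; addresses and
# names are documentation placeholders, not the ones from the real capture.
SAMPLE = """\
01:58:31.528866 IP 192.0.2.10.50264 > 198.51.100.1.domain:  54817+ A? www.example.com. (35)
01:58:31.529003 IP 192.0.2.11.61411 > 198.51.100.1.domain:  54817+ A? www.example.com. (35)
01:58:31.529174 IP 192.0.2.12.20580 > 198.51.100.1.domain:  54817+ A? www.example.com. (35)
01:58:31.529182 IP 192.0.2.13.15970 > 198.51.100.1.domain:  54817+ A? www.example.com. (35)
01:58:31.529239 IP 192.0.2.14.1535 > 198.51.100.1.domain:  54817+ A? www.example.com. (35)
01:58:32.100000 IP 192.0.2.50.40001 > 198.51.100.1.domain:  12345+ A? mail.example.net. (36)
"""

# One tcpdump UDP DNS query line: timestamp, src.sport > dst.domain, txid (trailing
# '+' means recursion desired), query type, query name, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.domain:\s+(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse(text):
    """Yield one dict per matching tcpdump DNS query line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def flood_signatures(text, min_sources=4):
    """Group queries by (dst, txid, qname) and return the groups seen from at least
    min_sources distinct source addresses. Each legitimate client picks its own
    random transaction ID, so many sources sharing one txid for one name points
    to crafted packets (a flood), not independent resolvers."""
    sources = defaultdict(set)
    for q in parse(text):
        sources[(q["dst"], q["txid"], q["qname"])].add(q["src"])
    return {key: sorted(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for (dst, txid, qname), srcs in flood_signatures(SAMPLE).items():
        print(f"{dst} txid={txid} {qname}: {len(srcs)} distinct sources")
```

On a live capture, feed `tcpdump -n -l port 53` output through `flood_signatures` in time windows, and compare the flagged (dst, qname) pairs against the per-destination flow counts the reply above reports.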
