[nsp-sec] DNS based DDoS attack - Got Flow to: 174.129.223.8 and 174.129.223.37

Nicholas Ianelli ni at centergate.net
Thu Apr 23 14:28:39 EDT 2009



Team,

I've just been made aware of another DNS based DDoS attack. The sources
appear to be spoofed, but I'll work on getting source IPs to verify with.

Can you please check to see if you have traffic (port 53/UDP) to:

ns-1.name.com: 174.129.223.8
ns-2.name.com: 174.129.223.37

As it stands now, I'm under the impression that the domain below is the
only one pointing to the above two NS servers, so if you see traffic, it's a
pretty good indication it's malicious.

Domain being queried for: www.pai999.net

;; ANSWER SECTION:
www.pai999.net.         300     IN      A       112.213.97.201


name.com has moved this off of their regular name servers, though there
still may be some residual and I'm waiting for verification on that:

ns1.name.com - 174.129.223.247, 4.79.81.159
ns2.name.com - 38.97.225.164, 38.97.225.183



Queries look like:

10:56:32.385121 IP 120.87.201.46.15657 > 38.97.225.183.domain:  43583+
ANY? www.pai999.net. (32)
      0x0000:  4500 003c 633c 0000 7511 98d6 7857 c92e  E..<c<..u...xW..
      0x0010:  2661 e1b7 3d29 0035 0028 94f6 aa3f 0100  &a..=).5.(...?..
      0x0020:  0001 0000 0000 0000 0377 7777 0670 6169  .........www.pai
      0x0030:  3939 3903 6e65 7400 00ff 0001            999.net.....

10:56:32.385387 IP 202.76.73.75.16157 > 38.97.225.183.domain:  8334+
ANY? www.pai999.net. (32)
      0x0000:  4500 003c dc48 0000 7511 4db8 ca4c 494b  E..<.H..u.M..LIK
      0x0010:  2661 e1b7 3f1d 0035 0028 4aa2 208e 0100  &a..?..5.(J.....
      0x0020:  0001 0000 0000 0000 0377 7777 0670 6169  .........www.pai
      0x0030:  3939 3903 6e65 7400 00ff 0001            999.net.....

Any assistance would be greatly appreciated; I would love to track the C2
down.

Cheers,
Nick
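Added example (not part of the original post): a small decoder that takes the raw hex from the capture above, walks the IPv4, UDP and DNS headers, and flags the pattern the post describes (UDP/53, QTYPE ANY, QNAME www.pai999.net, destined for one of the listed name.com addresses). The packet bytes are copied from the post; `TARGET_NS` is assembled from the addresses it lists, and everything else is assumption.

```python
import socket
import struct

# First query from the post's tcpdump output, with the ASCII column dropped.
SAMPLE_HEX = """
4500 003c 633c 0000 7511 98d6 7857 c92e
2661 e1b7 3d29 0035 0028 94f6 aa3f 0100
0001 0000 0000 0000 0377 7777 0670 6169
3939 3903 6e65 7400 00ff 0001
"""

# The two new NS addresses plus the old name.com addresses that may still
# see residual traffic, all taken from the post.
TARGET_NS = {"174.129.223.8", "174.129.223.37", "174.129.223.247",
             "4.79.81.159", "38.97.225.164", "38.97.225.183"}
QTYPE_ANY = 255
ATTACKED_QNAME = "www.pai999.net"

def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))

def parse_dns_name(data: bytes, offset: int):
    """Read an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_query(pkt: bytes) -> dict:
    """Decode IPv4 + UDP + DNS question from a raw packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("expected IPv4/UDP")
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack_from("!HHH", pkt, ihl)
    dns = pkt[ihl + 8:ihl + ulen]                 # UDP length covers the 8-byte header
    txid, flags, qdcount = struct.unpack_from("!HHH", dns, 0)
    qname, off = parse_dns_name(dns, 12)          # question starts after the 12-byte header
    qtype, qclass = struct.unpack_from("!HH", dns, off)
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "txid": txid, "qdcount": qdcount,
            "qname": qname, "qtype": qtype, "qclass": qclass}

def is_suspect(q: dict) -> bool:
    """Match the reported pattern: ANY query for the domain toward a listed NS."""
    return (q["dport"] == 53 and q["dst"] in TARGET_NS
            and q["qtype"] == QTYPE_ANY and q["qname"] == ATTACKED_QNAME)
```

Spoofed sources mean the `src` field is not a reliable attacker indicator here; the destination, port and QTYPE ANY are what the flow check should key on.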
