[nsp-sec] DNS based DDoS attack - Got Flow to: 174.129.223.8 and 174.129.223.37
Dave Burke
dave at amazon.com
Thu Apr 23 14:48:59 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
174.129/16 is Amazon EC2; we have been actively working on this all day (problems
with our mitigation fleet have bogged me down all day, so I didn't get to send
out a mail).
I have PCAPs from this morning's attack, and it was 2.2M spoofed IP
addresses from 113.x.x.x, 132.x.x.x, etc.
This morning's attack began at 07:37:26 UTC and we're still seeing packet love
coming in via Level3 at the moment.
Any help appreciated from us too :-)
dave
Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> Team,
>
> I've just been made aware of another DNS based DDoS attack. The sources
> appear to be spoofed, but I'll work on getting source IPs to verify with.
>
> Can you please check to see if you have traffic (port 53/UDP) to:
>
> ns-1.name.com: 174.129.223.8
> ns-2.name.com: 174.129.223.37
>
> As it stands now, I'm under the impression that the domain below is the
> only one pointing to the above two NS servers, so if you see traffic,
> pretty good indication it's malicious.
>
> Domain being queried for: www.pai999.net
>
> ;; ANSWER SECTION:
> www.pai999.net. 300 IN A 112.213.97.201
>
>
> name.com has moved this off of their regular name servers, though there
> still may be some residual and I'm waiting for verification on that:
>
> ns1.name.com - 174.129.223.247, 4.79.81.159
> ns2.name.com - 38.97.225.164, 38.97.225.183
>
>
>
> Queries look like:
>
> 10:56:32.385121 IP 120.87.201.46.15657 > 38.97.225.183.domain: 43583+
> ANY? www.pai999.net. (32)
> 0x0000: 4500 003c 633c 0000 7511 98d6 7857 c92e E..<c<..u...xW..
> 0x0010: 2661 e1b7 3d29 0035 0028 94f6 aa3f 0100 &a..=).5.(...?..
> 0x0020: 0001 0000 0000 0000 0377 7777 0670 6169 .........www.pai
> 0x0030: 3939 3903 6e65 7400 00ff 0001 999.net.....
>
> 10:56:32.385387 IP 202.76.73.75.16157 > 38.97.225.183.domain: 8334+
> ANY? www.pai999.net. (32)
> 0x0000: 4500 003c dc48 0000 7511 4db8 ca4c 494b E..<.H..u.M..LIK
> 0x0010: 2661 e1b7 3f1d 0035 0028 4aa2 208e 0100 &a..?..5.(J.....
> 0x0020: 0001 0000 0000 0000 0377 7777 0670 6169 .........www.pai
> 0x0030: 3939 3903 6e65 7400 00ff 0001 999.net.....
>
> Any assistance would be greatly appreciated, would love to track the C2
> down.
>
> Cheers,
> Nick
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAknwuBsACgkQvMJ1IGjTxcFAfQCgy85ofrjY2jLQ0V4ZRf1w0jLk
jAQAnj7L3gBNu0GVJTvLfqmFK1xpi63S
=Pb6L
-----END PGP SIGNATURE-----
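The two hex dumps quoted in Nick's message decode to exactly what the tcpdump summary lines say (the `+` after the transaction id is the RD bit, 0x0100 in the flags word; `00ff` is QTYPE ANY). The following added example is not part of the original thread: it parses those dumps from the `tcpdump -x` text, recovers addresses, ports, transaction id and question, and applies the rule of thumb from the message, namely that any UDP/53 packet to the two isolated name servers is attack traffic, and an ANY query for www.pai999.net to the regular servers is residual attack traffic. The IPs, the domain and the two packets are copied from the thread; the function names and classification labels are the example's own.

```python
"""Decode tcpdump -x hex dumps from the thread and flag the attack queries.

Added example, not code from the original mailing-list post. PACKET_1 and
PACKET_2 are the two packets quoted in the thread; the name-server lists and
the attacked name come from the same message.
"""
import ipaddress
import struct

# Name servers named in the thread.
ISOLATED_NS = {"174.129.223.8", "174.129.223.37"}          # only pai999.net points here
REGULAR_NS = {"174.129.223.247", "4.79.81.159", "38.97.225.164", "38.97.225.183"}
ATTACKED_QNAME = "www.pai999.net"
QTYPE_ANY = 255
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

# Copied verbatim from the thread (tcpdump -x output, ASCII column included).
PACKET_1 = """
0x0000: 4500 003c 633c 0000 7511 98d6 7857 c92e E..<c<..u...xW..
0x0010: 2661 e1b7 3d29 0035 0028 94f6 aa3f 0100 &a..=).5.(...?..
0x0020: 0001 0000 0000 0000 0377 7777 0670 6169 .........www.pai
0x0030: 3939 3903 6e65 7400 00ff 0001 999.net.....
"""
PACKET_2 = """
0x0000: 4500 003c dc48 0000 7511 4db8 ca4c 494b E..<.H..u.M..LIK
0x0010: 2661 e1b7 3f1d 0035 0028 4aa2 208e 0100 &a..?..5.(J.....
0x0020: 0001 0000 0000 0000 0377 7777 0670 6169 .........www.pai
0x0030: 3939 3903 6e65 7400 00ff 0001 999.net.....
"""


def _is_hex_group(tok: str) -> bool:
    return len(tok) in (2, 4) and all(c in "0123456789abcdefABCDEF" for c in tok)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'tcpdump -x' lines into raw bytes, stopping at the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")          # drop the 0xNNNN offset
        for tok in rest.split():
            if not _is_hex_group(tok):
                break                            # first non-hex token starts the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_dns_question(payload: bytes) -> dict:
    """Parse the DNS header and the first question of a UDP/53 payload."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def parse_packet(dump: str) -> dict:
    """Decode IPv4 + UDP + DNS question from a tcpdump -x hex dump."""
    raw = hexdump_to_bytes(dump)
    if raw[0] >> 4 != 4 or raw[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    raw = raw[:total_len]                        # discard any trailing garbage
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    dns = parse_dns_question(raw[ihl + 8:ihl + ulen])
    return {"src": src, "dst": dst, "ttl": raw[8], "sport": sport, "dport": dport, **dns}


def classify(pkt: dict) -> str:
    """Rule of thumb from the thread: UDP/53 to the isolated pair is attack traffic;
    ANY for the attacked name at the regular servers is residual attack traffic."""
    if pkt["dport"] != 53 or pkt["qr"]:
        return "not-a-dns-query"
    if pkt["dst"] in ISOLATED_NS:
        return "attack: query to isolated NS %s" % pkt["dst"]
    if pkt["dst"] in REGULAR_NS and pkt["qname"] == ATTACKED_QNAME and pkt["qtype"] == QTYPE_ANY:
        return "attack: residual %s %s from %s" % (
            QTYPE_NAMES.get(pkt["qtype"], pkt["qtype"]), pkt["qname"], pkt["src"])
    return "benign"


if __name__ == "__main__":
    for dump in (PACKET_1, PACKET_2):
        p = parse_packet(dump)
        print(p["src"], "->", p["dst"], p["id"], p["qname"], classify(p))
```

Running it prints both sources (120.87.201.46 and 202.76.73.75) as residual ANY queries for www.pai999.net against 38.97.225.183, matching the summary lines in the thread. The IP total-length truncation guards against hex-looking fragments of the ASCII column being swallowed as data.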