[nsp-sec] DNS based DDoS attack - Got Flow to: 174.129.223.8 and 174.129.223.37

Nicholas Ianelli ni at centergate.net
Thu Apr 23 15:43:41 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave,

Correct me if I'm wrong, but at this time, there doesn't appear to be a
shift in the attack vector towards these two hosts:

ns-1.name.com: 174.129.223.8
ns-2.name.com: 174.129.223.37

The DDoS traffic is still hitting:

ns1.name.com - 174.129.223.247, 4.79.81.159
ns2.name.com - 38.97.225.164, 38.97.225.183

ns3.name.com - 174.129.245.204, 174.129.246.33, 4.79.81.160, 79.125.9.95
174.129.208.119, 174.129.219.85, 174.129.223.249

ns4.name.com - 174.129.209.94, 174.129.209.102

Which, unless people can look at the actual traffic, I'm not sure what can
really be done until the traffic hits ns-1 and ns-2.

Nick

Dave Burke wrote:
> Hi,
> 
> 174.129/16 is Amazon-EC2, we are actively working on this all day (problems
> with our mitigation fleet have bogged me down all day, so didn't get to send
> out a mail).
> 
> I have PCAPs from this morning's attack, and it was 2.2M spoofed IP
> addresses from 113.x.x.x, 132.x.x.x, etc.
> 
> This morning's attack began at 07:37:26 UTC and we're still seeing packet love
> coming in via Level3 at the moment.
> 
> Any help appreciated from us too :-)
> 
> dave
> 
> Nicholas Ianelli wrote:
>> ----------- nsp-security Confidential --------
> 
>> Team,
> 
>> I've just been made aware of another DNS based DDoS attack. The sources
>> appear to be spoofed, but I'll work on getting source IPs to verify with.
> 
>> Can you please check to see if you have traffic (port 53/UDP) to:
> 
>> ns-1.name.com: 174.129.223.8
>> ns-2.name.com: 174.129.223.37
> 
>> As it stands now, I'm under the impression that the domain below is the
>> only one pointing to the above two NS servers, so if you see traffic, it's a
>> pretty good indication it's malicious.
> 
>> Domain being queried for: www.pai999.net
> 
>> ;; ANSWER SECTION:
>> www.pai999.net.         300     IN      A       112.213.97.201
> 
> 
>> name.com has moved this off of their regular name servers, though there
>> still may be some residual, and I'm waiting for verification on that:
> 
>> ns1.name.com - 174.129.223.247, 4.79.81.159
>> ns2.name.com - 38.97.225.164, 38.97.225.183
> 
> 
> 
>> Queries look like:
> 
>> 10:56:32.385121 IP 120.87.201.46.15657 > 38.97.225.183.domain:  43583+
>> ANY? www.pai999.net. (32)
>>       0x0000:  4500 003c 633c 0000 7511 98d6 7857 c92e  E..<c<..u...xW..
>>       0x0010:  2661 e1b7 3d29 0035 0028 94f6 aa3f 0100  &a..=).5.(...?..
>>       0x0020:  0001 0000 0000 0000 0377 7777 0670 6169  .........www.pai
>>       0x0030:  3939 3903 6e65 7400 00ff 0001            999.net.....
> 
>> 10:56:32.385387 IP 202.76.73.75.16157 > 38.97.225.183.domain:  8334+
>> ANY? www.pai999.net. (32)
>>       0x0000:  4500 003c dc48 0000 7511 4db8 ca4c 494b  E..<.H..u.M..LIK
>>       0x0010:  2661 e1b7 3f1d 0035 0028 4aa2 208e 0100  &a..?..5.(J.....
>>       0x0020:  0001 0000 0000 0000 0377 7777 0670 6169  .........www.pai
>>       0x0030:  3939 3903 6e65 7400 00ff 0001            999.net.....
> 
>> Any assistance would be greatly appreciated, would love to track the C2
>> down.
> 
>> Cheers,
>> Nick
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

Amazon Data Services Ireland Limited registered office: Riverside One,
Sir John Rogerson's Quay, Dublin 2, Ireland. Registered in Ireland.
Registration number 390566.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAknwxO0ACgkQi10dJIBjZIAXOgCg6bKmn7MAoqUuZEg/dzXGv94L
KDUAoJTaDC14+QohG2lvMjWDu3VaYnFX
=a8sW
-----END PGP SIGNATURE-----
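As an added example (not part of the thread or anyone's posted tooling), here is a small Python decoder for the two tcpdump hex dumps Nick quoted. It walks the IPv4, UDP and DNS headers by hand, recovers the fields tcpdump printed (source, transaction ID, QTYPE, name), and applies the indicator the thread describes: a UDP/53 query of type ANY for www.pai999.net aimed at one of the name.com server addresses listed above. The function names, the watch-list set and the per-destination summary are this example's own assumptions; the packet bytes are the ones on the page.

```python
"""Decode tcpdump -x hex dumps (IPv4 + UDP + DNS) and flag the attack pattern
reported in the thread: UDP/53 ANY queries for www.pai999.net sent to the
name.com servers listed in the mails. Added example; not the list's tooling."""
import ipaddress
import struct
from collections import defaultdict

# Hex columns copied verbatim from the two packets in Nick's original mail
# (offset and ASCII columns stripped).
PACKETS_HEX = [
    "4500 003c 633c 0000 7511 98d6 7857 c92e "
    "2661 e1b7 3d29 0035 0028 94f6 aa3f 0100 "
    "0001 0000 0000 0000 0377 7777 0670 6169 "
    "3939 3903 6e65 7400 00ff 0001",
    "4500 003c dc48 0000 7511 4db8 ca4c 494b "
    "2661 e1b7 3f1d 0035 0028 4aa2 208e 0100 "
    "0001 0000 0000 0000 0377 7777 0670 6169 "
    "3939 3903 6e65 7400 00ff 0001",
]

# Assumed watch list: every name.com server address named in the thread.
WATCHED_SERVERS = {
    "174.129.223.8", "174.129.223.37",                        # ns-1 / ns-2
    "174.129.223.247", "4.79.81.159",                         # ns1
    "38.97.225.164", "38.97.225.183",                         # ns2
    "174.129.245.204", "174.129.246.33", "4.79.81.160",       # ns3
    "79.125.9.95", "174.129.208.119", "174.129.219.85",
    "174.129.223.249",
    "174.129.209.94", "174.129.209.102",                      # ns4
}
WATCHED_QNAME = "www.pai999.net"
QTYPE_ANY = 255
IPPROTO_UDP = 17


def read_name(dns, offset):
    """Read an uncompressed DNS name at `offset`; return (name, next_offset)."""
    labels = []
    while True:
        length = dns[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            # A single-question query never uses label compression here.
            raise ValueError("unexpected label compression in question")
        labels.append(dns[offset:offset + length].decode("ascii"))
        offset += length


def parse_packet(hex_dump):
    """Decode one IPv4/UDP/DNS packet from tcpdump -x hex text into a dict."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP")
    if len(raw) < total_len:
        raise ValueError("truncated packet")
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    dns = raw[ihl + 8:ihl + ulen]          # UDP length covers its 8-byte header
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(dns, 12)        # question starts after 12-byte header
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ttl": ttl, "sport": sport, "dport": dport,
        "txid": txid, "is_query": not flags & 0x8000,
        "qname": qname, "qtype": qtype, "qclass": qclass,
        "dns_len": len(dns),
    }


def is_attack_query(pkt):
    """The thread's indicator: UDP/53 ANY query for the domain, to a watched server."""
    return (pkt["dport"] == 53 and pkt["is_query"]
            and pkt["dst"] in WATCHED_SERVERS
            and pkt["qtype"] == QTYPE_ANY
            and pkt["qname"].lower() == WATCHED_QNAME)


def summarize(hex_dumps):
    """Per destination: hit count, distinct source IPs and the IP TTLs seen.
    Many distinct sources sharing one TTL and one payload is what a spoofed
    flood tends to look like; it is a hint, not proof of spoofing."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "ttls": set()})
    for h in hex_dumps:
        pkt = parse_packet(h)
        if is_attack_query(pkt):
            s = stats[pkt["dst"]]
            s["hits"] += 1
            s["sources"].add(pkt["src"])
            s["ttls"].add(pkt["ttl"])
    return dict(stats)


if __name__ == "__main__":
    for dst, s in summarize(PACKETS_HEX).items():
        print(dst, s["hits"], sorted(s["sources"]), sorted(s["ttls"]))
```

Both quoted packets decode to the same 32-byte question and the same IP TTL (0x75 = 117) despite coming from two unrelated "sources", which is the kind of uniformity one would expect if the sources are spoofed as Dave reports; an operator feeding their own captures through this would look for that same pattern across the 2.2M addresses before deciding anything about the real origin.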


