[nsp-sec] DNS based DDoS attack - Got Flow to: 174.129.223.8 and 174.129.223.37
Chris Morrow
morrowc at ops-netman.net
Thu Apr 23 16:04:14 EDT 2009
On Thu, 23 Apr 2009, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Team,
>
> I've just been made aware of another DNS based DDoS attack. The sources
> appear to be spoofed, but I'll work on getting source IPs to verify with.
>
> Can you please check to see if you have traffic (port 53/UDP) to:
>
> ns-1.name.com: 174.129.223.8
> ns-2.name.com: 174.129.223.37
amazonaws hosts??
bfk thinks:
ns-2.name.com A 174.129.223.37
ns3.name.com A 174.129.223.37
ns3.domainsite.com A 174.129.223.37
37.223.129.174.in-addr.arpa PTR ec2-174-129-223-37.compute-1.amazonaws.com
ns3.name.net A 174.129.223.37
ns-1.name.com A 174.129.223.8
ns3.name.com A 174.129.223.8
ns3.domainsite.com A 174.129.223.8
ec2-174-129-223-8.compute-1.amazonaws.com A 174.129.223.8
8.223.129.174.in-addr.arpa PTR ec2-174-129-223-8.compute-1.amazonaws.com
ns3.name.net A 174.129.223.8
keno8868.com NS ns-1.name.com
ns-1.name.com A 174.129.223.8
index-easy.com NS ns-1.name.com
pai999.net NS ns-1.name.com
keno8868.com NS ns-2.name.com
ns-2.name.com A 174.129.223.37
index-easy.com NS ns-2.name.com
pai999.net NS ns-2.name.com
Did someone move their DDoS target to a 'cheaper' location maybe?
> As it stands now, I'm under the impression that the domain below is the
> only one pointing to the above two NS servers, so if you see traffic,
> pretty good indication it's malicious.
>
> Domain being queried for: www.pai999.net
>
> ;; ANSWER SECTION:
> www.pai999.net. 300 IN A 112.213.97.201
>
>
> name.com has moved this off of their regular name servers, though there
> still may be some residual and I'm waiting for verification on that:
>
> ns1.name.com - 174.129.223.247, 4.79.81.159
> ns2.name.com - 38.97.225.164, 38.97.225.183
>
ah :)
-Chris
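As an added example, not part of the thread above: the request in the mail is to check flow data for UDP/53 traffic toward the two name.com NS addresses and to report what is seen. The script below does that over a batch of flow records. The record layout (src sport dst dport proto packets) and the sample flows are constructed for illustration and are not real traffic; the two target addresses come from the mail. It also counts distinct sources per target, since a flood with many distinct sources each sending a packet or two is what a spoofed-source attack tends to look like in flow exports.

```python
"""Scan flow records for UDP/53 traffic to the NS hosts named in the mail.

Added example, not from the nsp-security thread. The record format and
the sample flows are constructed; adapt parse_flow() to your collector.
"""

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Addresses taken from the mail: ns-1.name.com and ns-2.name.com.
TARGETS = {"174.129.223.8", "174.129.223.37"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record.

    Assumed field order: src sport dst dport proto packets
    """
    src, sport, dst, dport, proto, packets = line.split()
    # Validate both addresses so a garbled export line fails loudly.
    ip_address(src)
    ip_address(dst)
    return Flow(src, int(sport), dst, int(dport), proto.lower(), int(packets))


def suspicious_dns_flows(flows, targets=TARGETS):
    """Keep only UDP flows with destination port 53 to a watched address."""
    return [f for f in flows
            if f.proto == "udp" and f.dport == 53 and f.dst in targets]


def summarize(flows):
    """Per target address: number of distinct sources and total packets.

    Many distinct sources sending one or two packets each is the usual
    signature of a spoofed-source flood, which is what the mail suspects.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0})
    for f in flows:
        per_dst[f.dst]["sources"].add(f.src)
        per_dst[f.dst]["packets"] += f.packets
    return {dst: {"distinct_sources": len(v["sources"]),
                  "packets": v["packets"]}
            for dst, v in per_dst.items()}


# Constructed sample export (documentation-range sources); not real traffic.
SAMPLE = """\
198.51.100.7 53211 174.129.223.8 53 udp 2
203.0.113.44 1024 174.129.223.8 53 udp 1
203.0.113.45 1024 174.129.223.8 53 udp 1
203.0.113.46 1024 174.129.223.37 53 udp 1
192.0.2.10 40000 174.129.223.37 443 tcp 12
192.0.2.11 5353 174.129.223.37 53 tcp 3
198.51.100.9 33333 8.8.8.8 53 udp 4
"""


def run(text=SAMPLE):
    """Parse the export, filter it, and return (matching flows, summary)."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    hits = suspicious_dns_flows(flows)
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, stats = run()
    for f in hits:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} pkts={f.packets}")
    for dst, s in sorted(stats.items()):
        print(dst, s)
```

On the constructed sample this reports four UDP/53 flows (three to .8, one to .37) and ignores the TCP flows and the query to an unrelated resolver. Against a real export, the per-target distinct-source count is the first number to look at before asking the source networks to confirm whether the addresses are theirs.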