[nsp-sec] Univ of Lausanne?
Paul Goyette
pgoyette at juniper.net
Thu Apr 23 16:32:09 EDT 2009
Anyone got security contacts for Univ of Lausanne? Are they
on this list?
Paul Goyette
Juniper Networks Customer Service
JTAC Senior Escalation Engineer
Juniper Security Incident Response Team
PGP Key ID 0x53BA7731 Fingerprint:
FA29 0E3B 35AF E8AE 6651
0786 F758 55DE 53BA 7731
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Chris Morrow
> Sent: Thursday, April 23, 2009 1:04 PM
> To: Nicholas Ianelli
> Cc: 'nsp-security NSP'
> Subject: Re: [nsp-sec] DNS based DDoS attack - Got Flow to: 174.129.223.8 and 174.129.223.37
>
> ----------- nsp-security Confidential --------
>
>
>
> On Thu, 23 Apr 2009, Nicholas Ianelli wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Team,
> >
> > I've just been made aware of another DNS based DDoS attack. The sources
> > appear to be spoofed, but I'll work on getting source IPs to verify with.
> >
> > Can you please check to see if you have traffic (port 53/UDP) to:
> >
> > ns-1.name.com: 174.129.223.8
> > ns-2.name.com: 174.129.223.37
>
> amazonaws hosts??
>
> bfk thinks:
> ns-2.name.com A 174.129.223.37
> ns3.name.com A 174.129.223.37
> ns3.domainsite.com A 174.129.223.37
> 37.223.129.174.in-addr.arpa PTR ec2-174-129-223-37.compute-1.amazonaws.com
> ns3.name.net A 174.129.223.37
>
> ns-1.name.com A 174.129.223.8
> ns3.name.com A 174.129.223.8
> ns3.domainsite.com A 174.129.223.8
> ec2-174-129-223-8.compute-1.amazonaws.com A 174.129.223.8
> 8.223.129.174.in-addr.arpa PTR ec2-174-129-223-8.compute-1.amazonaws.com
> ns3.name.net A 174.129.223.8
>
> keno8868.com NS ns-1.name.com
> ns-1.name.com A 174.129.223.8
> index-easy.com NS ns-1.name.com
> pai999.net NS ns-1.name.com
> keno8868.com NS ns-2.name.com
> ns-2.name.com A 174.129.223.37
> index-easy.com NS ns-2.name.com
> pai999.net NS ns-2.name.com
>
> Did someone move their DDoS target to a 'cheaper' location maybe?
>
> > As it stands now, I'm under the impression that the domain below is the
> > only one pointing to the above two NS servers, so if you see traffic,
> > pretty good indication it's malicious.
> >
> > Domain being queried for: www.pai999.net
> >
> > ;; ANSWER SECTION:
> > www.pai999.net. 300 IN A 112.213.97.201
> >
> >
> > name.com has moved this off of their regular name servers, though there
> > still may be some residual and I'm waiting for verification on that:
> >
> > ns1.name.com - 174.129.223.247, 4.79.81.159
> > ns2.name.com - 38.97.225.164, 38.97.225.183
> >
>
> ah :)
>
> -Chris
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>