[nsp-sec] Univ of Lausanne?
Rolf Gartmann
rolf.gartmann at switch.ch
Fri Apr 24 02:20:08 EDT 2009
Hi Paul,
that would be the CERT for AS559:
cert at switch.ch ;)
hth,
cheers
Rolf
from the fingers of Paul Goyette on 23.4.2009 22:32 Uhr:
> ----------- nsp-security Confidential --------
>
> Anyone got security contacts for Univ of Lausanne? Are they
> on this list?
>
> Paul Goyette
> Juniper Networks Customer Service
> JTAC Senior Escalation Engineer
> Juniper Security Incident Response Team
> PGP Key ID 0x53BA7731 Fingerprint:
> FA29 0E3B 35AF E8AE 6651
> 0786 F758 55DE 53BA 7731
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Chris Morrow
>> Sent: Thursday, April 23, 2009 1:04 PM
>> To: Nicholas Ianelli
>> Cc: 'nsp-security NSP'
>> Subject: Re: [nsp-sec] DNS based DDoS attack - Got Flow to:
>> 174.129.223.8 and 174.129.223.37
>>
>> ----------- nsp-security Confidential --------
>>
>>
>>
>> On Thu, 23 Apr 2009, Nicholas Ianelli wrote:
>>
>> > ----------- nsp-security Confidential --------
>> >
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Team,
>> >
>> > I've just been made aware of another DNS based DDoS attack.
>> The sources
>> > appear to be spoofed, but I'll work on getting source IPs
>> to verify with.
>> >
>> > Can you please check to see if you have traffic (port 53/UDP) to:
>> >
>> > ns-1.name.com: 174.129.223.8
>> > ns-2.name.com: 174.129.223.37
>>
>> amazonaws hosts??
>>
>> bfk thinks:
>> ns-2.name.com A 174.129.223.37
>> ns3.name.com A 174.129.223.37
>> ns3.domainsite.com A 174.129.223.37
>> 37.223.129.174.in-addr.arpa PTR
>> ec2-174-129-223-37.compute-1.amazonaws.com
>> ns3.name.net A 174.129.223.37
>>
>> ns-1.name.com A 174.129.223.8
>> ns3.name.com A 174.129.223.8
>> ns3.domainsite.com A 174.129.223.8
>> ec2-174-129-223-8.compute-1.amazonaws.com A 174.129.223.8
>> 8.223.129.174.in-addr.arpa PTR
>> ec2-174-129-223-8.compute-1.amazonaws.com
>> ns3.name.net A 174.129.223.8
>>
>> keno8868.com NS ns-1.name.com
>> ns-1.name.com A 174.129.223.8
>> index-easy.com NS ns-1.name.com
>> pai999.net NS ns-1.name.com
>> keno8868.com NS ns-2.name.com
>> ns-2.name.com A 174.129.223.37
>> index-easy.com NS ns-2.name.com
>> pai999.net NS ns-2.name.com
>>
>> Did someone move their DDoS target to a 'cheaper' location maybe?
>>
>> > As it stands now, I'm under the impression that the domain
>> below is the
>> > only one pointing to the above two NS servers, so if you
>> see traffic,
>> > pretty good indication it's malicious.
>> >
>> > Domain being queried for: www.pai999.net
>> >
>> > ;; ANSWER SECTION:
>> > www.pai999.net. 300 IN A 112.213.97.201
>> >
>> >
>> > name.com has moved this off of their regular name servers,
>> though there
>> > still may be some residual and I'm waiting for verification on that:
>> >
>> > ns1.name.com - 174.129.223.247, 4.79.81.159
>> > ns2.name.com - 38.97.225.164, 38.97.225.183
>> >
>>
>> ah :)
>>
>> -Chris
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security
>> community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
>>
--
SWITCH
Serving Swiss Universities
--------------------------
Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
http://www.switch.ch/cert/