[nsp-sec] DDoS to EveryDNS nameserver IPs

Smith, Donald Donald.Smith at qwest.com
Wed Feb 4 16:24:23 EST 2009


It looks like it is not spoofed as the IPs I see are all consistently coming in the same interface.
Here is a list of IP addresses I saw sending you 1028 octet packets (packet header added to 1k).
Two of the 4 I saw were coming from .edu sites.

Count IP
260 130.160.225.110
 26 96.33.80.213
 18 129.59.102.187
  6 97.81.204.26
  1 129.59.64.240

(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of David Ulevitch
> Sent: Wednesday, February 04, 2009 11:40 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] DDoS to EveryDNS nameserver IPs
> 
> ----------- nsp-security Confidential --------
> 
> I'm currently receiving a large DDoS to all my EveryDNS nameserver IPs:
> 
> ns1.everydns.net has address 208.76.56.56
> ns2.everydns.net has address 78.129.207.168
> ns3.everydns.net has address 71.6.202.220
> ns4.everydns.net has address 208.96.6.134
> 
> The DDoS appears to all be UDP packets of length 1000 bytes.
> 
> Here's what I mean:
> 
> 01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP, length 1000
> 01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP, length 1000
> 01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP, length 1000
> 01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP, length 1000
> 01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP, length 1000
> 01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP, length 1000
> 01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP, length 1000
> 
> Anyone know what this looks like or anything I can do to stop it...
> 
> 3 of the 4 nameservers are offline right now, and I'm working with some folks to bring up some more machines now.  Ironically, I'm at the ICANN DNS meeting at GATech right now with a bunch of you. :-)
> 
> Thanks,
> David Ulevitch
> 415 971 6916
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 
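An added example, not code from either poster: one way to turn a tcpdump text capture like the one quoted above into the per-source count table shown in the reply, tolerating the `> ` quoting and line wrapping that mail clients apply to pasted captures. The function names are hypothetical; the first three sample records come from the quoted capture and the last two are constructed.

```python
import re
from collections import Counter

# Nameserver addresses listed in the quoted message.
NAMESERVERS = {"208.76.56.56", "78.129.207.168", "71.6.202.220", "208.96.6.134"}
TS_RE = re.compile(r"\d\d:\d\d:\d\d\.\d+ IP ")
# tcpdump one-line summary: "time IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)$")

def unwrap(text):
    """Strip '> ' quoting and rejoin records that a mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if TS_RE.match(line):
            records.append(line)
        elif line and records and not LINE_RE.match(records[-1]):
            records[-1] += " " + line   # continuation of a wrapped record
    return records

def tally(text, length=1000):
    """Count UDP packets of the given payload length sent to the nameservers."""
    by_src, by_dport = Counter(), Counter()
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if m and m["dst"] in NAMESERVERS and int(m["len"]) == length:
            by_src[m["src"]] += 1
            by_dport[int(m["dport"])] += 1
    return by_src, by_dport

# First three records: from the quoted capture, wrapped the way mail clients
# wrap pasted output. Last two: constructed (documentation-range addresses);
# one has the wrong length, the other the wrong destination, so both are skipped.
SAMPLE = """\
> 01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP,
> length 1000
> 01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP,
> length 1000
> 01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589:
> UDP, length
> 1000
> 01:39:20.108101 IP 192.0.2.10.40000 > 208.76.56.56.53: UDP, length 45
> 01:39:20.108120 IP 192.0.2.10.40001 > 203.0.113.5.4000: UDP, length 1000
"""

if __name__ == "__main__":
    sources, ports = tally(SAMPLE)
    for ip, n in sources.most_common():
        print(f"{n:4d} {ip}")   # same "Count IP" layout as the reply
```

The second return value groups the same packets by destination port, which shows at a glance whether any of the 1000-byte traffic is aimed at the DNS port.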