[nsp-sec] DDoS to EveryDNS nameserver IPs

Stephen Gill gillsr at cymru.com
Wed Feb 4 16:55:07 EST 2009


Hey David,

Any chance you have a list of the heaviest hitters?

-- steve

On 2/4/09 2:24 PM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:

> ----------- nsp-security Confidential --------
> 
> It looks like it is not spoofed as the ips I see are all consistently coming
> in the same interface.
> Here is a list of IP addresses I saw sending you 1028 octet packets (packet
> header added to 1k).
> Two of the 4 I saw were coming from .edu sites.
> 
> Count IP
> 260 130.160.225.110
>  26 96.33.80.213
>  18 129.59.102.187
>   6 97.81.204.26
>   1 129.59.64.240
> 
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> David Ulevitch
>> Sent: Wednesday, February 04, 2009 11:40 AM
>> To: nsp-security at puck.nether.net
>> Subject: [nsp-sec] DDoS to EveryDNS nameserver IPs
>> 
>> ----------- nsp-security Confidential --------
>> 
>> I'm currently receiving a large DDoS to all my EveryDNS
>> nameserver IPs:
>> 
>> ns1.everydns.net has address 208.76.56.56
>> ns2.everydns.net has address 78.129.207.168
>> ns3.everydns.net has address 71.6.202.220
>> ns4.everydns.net has address 208.96.6.134
>> 
>> The DDoS appears to all be UDP packets of length 1000 bytes.
>> 
>> Here's what I mean:
>> 
>> 01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP,
>> length 1000
>> 01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP,
>> length 1000
>> 01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP,
>> length 1000
>> 01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP,
>> length 1000
>> 01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP,
>> length 1000
>> 01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP,
>> length 1000
>> 01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP,
>> length 1000
>> 
>> Anyone know what this looks like or anything I can do to stop it...
>> 
>> 3 of the 4 nameservers are offline right now, and I'm working with
>> some folks to bring up some more machines now.  Ironically,
>> I'm at the ICANN DNS meeting at GATech right now with a bunch of you. :-)
>> 
>> Thanks,
>> David Ulevitch
>> 415 971 6916
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security
>> community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
>> 
> 

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
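The pattern in the thread (UDP, 1000-byte payload, many sources, random destination ports on a nameserver that should only ever be asked on port 53) is easy to summarize from a tcpdump capture. The script below is an added example and is not code from the list or from either poster: it parses tcpdump lines in the shape David pasted, keeps only packets that match the flood (destination is one of the nameserver IPs, destination port is not 53, UDP payload length is 1000), and produces the per-source "heaviest hitters" table Steve asked for. The sample input is constructed for this example: seven lines copied from the post, a few repeats of the same sources to give counts above one, and one legitimate query/response pair on port 53 that must not be counted. The 1028-octet figure in Donald's count is the same packets seen as IP total length (1000 + 20-byte IPv4 header + 8-byte UDP header); bpf_filter() turns that into a capture expression for the nameserver's own tcpdump.

```python
import re
from collections import Counter

# Constructed sample capture (one packet per line, as tcpdump prints it).
# First seven lines: shape of those in the original post. Lines 8-10: repeats
# of the same sources, added here. Lines 11-12: a normal DNS query and its
# reply on port 53, added here, which the flood filter must ignore.
SAMPLE_LINES = """\
01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP, length 1000
01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP, length 1000
01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP, length 1000
01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP, length 1000
01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP, length 1000
01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP, length 1000
01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP, length 1000
01:39:20.108101 IP 115.186.96.138.58798 > 208.76.56.56.2195: UDP, length 1000
01:39:20.108120 IP 115.186.96.138.58798 > 208.76.56.56.2196: UDP, length 1000
01:39:20.108133 IP 82.212.143.159.2270 > 208.76.56.56.4001: UDP, length 1000
01:39:20.108150 IP 192.0.2.10.41234 > 208.76.56.56.53: UDP, length 45
01:39:20.108161 IP 208.76.56.56.53 > 192.0.2.10.41234: UDP, length 120
"""

# tcpdump's default one-line format for a UDP datagram (IPv4, no -v).
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

IPV4_HDR = 20  # IPv4 header without options
UDP_HDR = 8    # UDP header
DNS_PORT = 53


def parse_udp_line(line):
    """Return a dict (ts, src, sport, dst, dport, length) or None for non-matching lines."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt


def is_flood_packet(pkt, targets, payload_len=1000):
    """Flood signature from the thread: fixed-size UDP payload aimed at a
    nameserver IP on a port that is not DNS. 'length' in tcpdump output is
    the UDP payload length, so 1000 here is the 1028-octet IP packet."""
    return (pkt["dst"] in targets
            and pkt["dport"] != DNS_PORT
            and pkt["length"] == payload_len)


def heavy_hitters(lines, targets, payload_len=1000, top=10):
    """Count flood packets per source IP; most frequent first."""
    counts = Counter()
    for line in lines:
        pkt = parse_udp_line(line)
        if pkt is not None and is_flood_packet(pkt, targets, payload_len):
            counts[pkt["src"]] += 1
    return counts.most_common(top)


def bpf_filter(target, payload_len=1000):
    """Capture filter for the same flood on the wire: ip[2:2] is the IPv4
    total length field, so a 1000-byte payload shows up as 1028."""
    total_len = IPV4_HDR + UDP_HDR + payload_len
    return (f"udp and dst host {target} and not dst port {DNS_PORT} "
            f"and ip[2:2] = {total_len}")


if __name__ == "__main__":
    targets = {"208.76.56.56", "78.129.207.168", "71.6.202.220", "208.96.6.134"}
    print("Count IP")
    for src, n in heavy_hitters(SAMPLE_LINES.splitlines(), targets):
        print(f"{n:5d} {src}")
    print("tcpdump filter:", bpf_filter("208.76.56.56"))
```

Feed it a real capture with tcpdump -n -l ... | python3 script.py after swapping the sample for sys.stdin. The per-source table is only actionable because, as Donald notes, the sources arrive consistently on the same interface and so are not spoofed; with spoofed floods the count-by-source step tells you nothing and the port-based rule is what remains. Since an authoritative nameserver only needs to be reached on port 53, dropping UDP to any other port on these addresses at the upstream is the usual first filter, and the bpf expression above is the same condition expressed for verification on the host.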