[nsp-sec] DNS amplification attack to 213.171.220.101

Scott A. McIntyre scott at xs4all.net
Mon Feb 16 05:40:57 EST 2009


Hi teams,

213.171.220.101 and likely 213.171.223.133 are coming under a 20Gig/s  
UDP flood at the moment, the result of what appears to be a DNS  
amplification attack.

Capturing some packets here, I see:

11:16:27.128867 IP x > 213.171.220.101.41311:  24481 13/3/1 TXT  
"hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh 
", TXT  
"iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii 
", TXT  
"jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj 
", TXT  
"kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk 
", TXT  
"lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll 
", TXT[|domain]


Elsewhere in the packets, I see:


	0x0000:  4500 05dc 4de5 2000 3e11 e7ce d4ee 9a5d  E...M...>......]
	0x0010:  d5ab dc65 0035 a15f 0d82 b445 5fa1 8180  ...e.5._...E_...
	0x0020:  0001 000d 0003 0001 0b6a 6f68 6e6d 6164  .........johnmad
	0x0030:  6e65 7373 0363 6f6d 0000 1000 01c0 0c00  ness.com........
	0x0040:  1000 0100 0058 6c00 f5f4 6868 6868 6868  .....Xl...hhhhhh
	0x0050:  6868 6868 6868 6868 6868 6868 6868 6868  hhhhhhhhhhhhhhhh
	0x0060:  6868 6868 6868 6868 6868 6868 6868 6868  hhhhhhhhhhhhhhhh

[ snip ]

So johnmadness.com may well be what's triggering the TXTs.

Others may want to see if they're contributing to the packet love.

Regards,

Scott A. McIntyre
XS4ALL Internet B.V.
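As an added example (not part of Scott's post): a Python decoder for the hex dump quoted above, which reads back the IP, UDP and DNS headers of that first fragment and uses the UDP length field to estimate how much larger the reflected answer is than the spoofed query that elicited it. Field offsets follow the IP, UDP and DNS wire formats; the hexdump lines are copied from the post and the 20-byte IP header assumed for the query is an assumption.

```python
import struct

# Constructed sample input: the first five hexdump lines quoted in the post; the rest is more "h" payload.
HEXDUMP = """\
0x0000:  4500 05dc 4de5 2000 3e11 e7ce d4ee 9a5d  E...M...>......]
0x0010:  d5ab dc65 0035 a15f 0d82 b445 5fa1 8180  ...e.5._...E_...
0x0020:  0001 000d 0003 0001 0b6a 6f68 6e6d 6164  .........johnmad
0x0030:  6e65 7373 0363 6f6d 0000 1000 01c0 0c00  ness.com........
0x0040:  1000 0100 0058 6c00 f5f4 6868 6868 6868  .....Xl...hhhhhh
"""

def hexdump_to_bytes(dump):
    """Rebuild raw bytes from hexdump lines laid out as: offset, eight hex words, ASCII."""
    return b"".join(bytes.fromhex(w) for ln in dump.splitlines() for w in ln.split()[1:9])

def read_name(pkt, off, base):
    """Decode a DNS name at off; compression pointers are relative to base (DNS start)."""
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # 2-byte compression pointer
            ptr = base + (struct.unpack_from("!H", pkt, off)[0] & 0x3FFF)
            return ".".join(labels + [read_name(pkt, ptr, base)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

def analyse(pkt):
    """Decode IP/UDP/DNS headers of a first fragment and estimate the amplification factor."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_len, frag = struct.unpack_from("!H2xH", pkt, 2)       # total length, flags+offset
    sport, dport, udp_len = struct.unpack_from("!HHH", pkt, ihl)
    dns = ihl + 8                                            # DNS message starts after UDP
    dns_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, dns)
    qname, off = read_name(pkt, dns + 12, dns)
    qtype = struct.unpack_from("!H", pkt, off)[0]
    query_bytes = 20 + 8 + (off + 4 - dns)                   # assumed size of the spoofed query
    _, off = read_name(pkt, off + 4, dns)                    # first answer's owner name
    atype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
    return {
        "dst": ".".join(str(b) for b in pkt[16:20]), "sport": sport, "dport": dport,
        "dns_id": dns_id, "ip_len": ip_len, "udp_len": udp_len, "qname": qname,
        "more_fragments": bool(frag & 0x2000), "is_response": bool(flags & 0x8000),
        "counts": (qd, an, ns, ar), "qtype": qtype, "answer_type": atype, "answer_rdlen": rdlen,
        # UDP length covers the whole datagram, so the first fragment alone gives the ratio
        "amplification": round((20 + udp_len) / query_bytes, 1),
        # Reflection signature: DNS answer from port 53 carrying TXT, too big for one packet
        "likely_amplification": sport == 53 and (flags & 0x8000) != 0 and (frag & 0x2000) != 0 and atype == 16,
    }
```

The DNS id decoded from the dump (24481) is the one tcpdump printed in the first capture line, and the UDP length of 3458 bytes shows why the answer arrives fragmented.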