[nsp-sec] DNS amplification attack to 213.171.220.101
White, Gerard
Gerard.White at aliant.ca
Mon Feb 16 06:25:31 EST 2009
Yup. For practically every DNS-speaking device I can find here, there's a
continuous type 16 (Text Strings) query for "johnmadness.com"... Query IDs
are unique and random.
Oddly enough, there's an additional record present in the queries - a
Type 41 (Option) (Class 65535).
Each device here is getting about 7-8 Queries per second...
Do they want these /32's NULLed?
GW
855 - Bell Aliant
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Scott A. McIntyre
Sent: Monday, February 16, 2009 7:11 AM
To: NSP nsp-security
Subject: [nsp-sec] DNS amplification attack to 213.171.220.101
----------- nsp-security Confidential --------
Hi teams,
213.171.220.101 and likely 213.171.223.133 are coming under a 20Gig/s
UDP flood at the moment, the result of what appears to be a DNS
amplification attack.
Capturing some packets here, I see:
11:16:27.128867 IP x > 213.171.220.101.41311: 24481 13/3/1 TXT
"hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhh
", TXT
"iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
iiiiiiiiiiiiiiiiiiiiiiiiiiiii
", TXT
"jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
", TXT
"kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
", TXT
"lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
llllllllllllllllllllllllllllll
", TXT[|domain]
Elsewhere in the packets, I see:
0x0000:  4500 05dc 4de5 2000 3e11 e7ce d4ee 9a5d  E...M...>......]
0x0010:  d5ab dc65 0035 a15f 0d82 b445 5fa1 8180  ...e.5._...E_...
0x0020:  0001 000d 0003 0001 0b6a 6f68 6e6d 6164  .........johnmad
0x0030:  6e65 7373 0363 6f6d 0000 1000 01c0 0c00  ness.com........
0x0040:  1000 0100 0058 6c00 f5f4 6868 6868 6868  .....Xl...hhhhhh
0x0050:  6868 6868 6868 6868 6868 6868 6868 6868  hhhhhhhhhhhhhhhh
0x0060:  6868 6868 6868 6868 6868 6868 6868 6868  hhhhhhhhhhhhhhhh
[ snip ]
So johnmadness.com may well be what's triggering the TXTs.
Others may want to see if they're contributing to the packet love.
Regards,
Scott A. McIntyre
XS4ALL Internet B.V.
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.