[nsp-sec] FW: Eircom issues
Sidney Faber
sfaber at cert.org
Mon Jul 13 07:19:45 EDT 2009
Anyone able to help out Eircom.net with this apparent DNS cache poison attack?
Thanks!
sid
______________
Sid Faber
Member of the Technical Staff
CERT Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org
From: Owen Connolly [mailto:ojc at iriss.ie]
Sent: Monday, July 13, 2009 3:37 AM
To: Sidney Faber
Subject: Eircom issues
Hi Sid,
As per Brian's mail, I'm sending this on behalf of Eircom.net, a national DNS here in Ireland. They've been having ongoing DNS DDOS and cache poisoning since the 1st of July. They've managed to establish some patterns in the traffic and I've enclosed the details of those below.
Obviously where you guys can best help us is in reporting the Demandmedia situation. As the text below states, Eircom have reported the abuse to DemandMedia to no avail. Any assistance you can provide would be fantastic.
Cheers,
ojc
--------------
Hi Owen
Further to the discussion on the conference call:
1. Re the 2 Brazilian IP addresses associated with the incident: 200.202.193.74 and 200.222.0.35
The two 200.x.x.x addresses were actually not sending us any traffic, however there was a large amount of outgoing traffic to port 53 on these IPs from our DNS caches. Our theory is that the attack was directing our caches to query these 200. IPs, but the attack was not actually coming from those IPs.
2. We have identified and have raised an abuse report to "DemandMedia" who appear to be hosting a number of IP addresses which have been identified in the investigations.
The 'main' IP address of our concern is 69.64.147.243. This is the IP address which poisoned records pointed to.
Also, the name servers our resolvers were tricked into asking:
98.124.192.1
98.124.197.1
98.124.193.1
69.64.145.225
98.124.196.1
All belong to demandmedia.com - see details below per www.arin.net:
OrgName: eNom, Incorporated
OrgID: ENOM
Address: 15801 NE 24th Street
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US

NetRange: 69.64.144.0 - 69.64.159.255
CIDR: 69.64.144.0/20
OriginAS: AS21740
NetName: ENOM-BLOCK
NetHandle: NET-69-64-144-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
NameServer: HK1.NAME-SERVICES.COM
NameServer: HK2.NAME-SERVICES.COM
Comment:
RegDate: 2007-07-25
Updated: 2008-07-01

RAbuseHandle: DEMAN-ARIN
RAbuseName: DemandMedia NOC
RAbusePhone: +1-425-274-4500
RAbuseEmail: dmnoc at demandmedia.com
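As an added example that is not part of the original thread or of Eircom's tooling, the two observations in the report above (caches sending heavy port-53 traffic to hosts that send nothing back, and cached answers resolving to the IP the poisoned records pointed at) written as a small resolver-side triage pass over constructed flow records and a constructed cache dump. The resolver address 10.0.0.53, the flow counts and the example.ie names are assumptions; the other addresses are the ones named in the report.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port, packets); not real Eircom data.
# 10.0.0.53 stands in for a recursive cache. The two 200.x addresses are the ones the
# report says received queries but sent nothing back; 198.41.0.4 models a normal
# authoritative server with two-way traffic.
FLOWS = [
    ("10.0.0.53", "200.202.193.74", 53, 1500),
    ("10.0.0.53", "200.222.0.35", 53, 1200),
    ("10.0.0.53", "198.41.0.4", 53, 50),
    ("198.41.0.4", "10.0.0.53", 49152, 50),
]

# Constructed cache-dump lines in zone-file style; the first A record points at the
# address the report says poisoned records resolved to.
CACHE_DUMP = """\
www.example.ie.      300 IN A    69.64.147.243
mail.example.ie.     300 IN A    192.0.2.10
example.ie.          3600 IN NS  ns1.example.ie.
"""

def asymmetric_targets(flows, resolvers, min_out=1000, max_ratio=0.05):
    """Remote hosts our resolvers query heavily on port 53 but that send
    (almost) nothing back; returns {remote: (out_pkts, in_pkts)}."""
    out = defaultdict(int)
    back = defaultdict(int)
    for src, dst, dport, pkts in flows:
        if src in resolvers and dport == 53:
            out[dst] += pkts          # queries leaving the cache
        elif dst in resolvers:
            back[src] += pkts         # anything the remote sends back
    return {r: (o, back[r]) for r, o in out.items()
            if o >= min_out and back[r] <= o * max_ratio}

def records_pointing_at(cache_dump, watch_ips):
    """Names whose cached A records resolve to a watch-listed address."""
    hits = []
    for line in cache_dump.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2:4] == ["IN", "A"] and fields[4] in watch_ips:
            hits.append((fields[0].rstrip("."), fields[4]))
    return hits

if __name__ == "__main__":
    print(asymmetric_targets(FLOWS, {"10.0.0.53"}))
    print(records_pointing_at(CACHE_DUMP, {"69.64.147.243"}))
```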