[nsp-sec] Got traffic? - DDoS
Nicholas Ianelli
ni at centergate.net
Thu Jul 16 11:38:20 EDT 2009
Thanks John! Still working on processing the pcaps, but we are
experiencing a DDoS against a few of our name servers; a large number of
hosts are making a ton of MX queries for a variety of domains.

What it looks like is a legitimate domain, but they tack on a few extra
characters to provide some extra load.

This is mainly affecting our Europe locations.

In my last email to the list, I posted the top 25 sources from a quick
capture.

Looks like the attack is slowly subsiding. I'll post more details shortly.

Nick

John Fraizer wrote:
> Summary: total flows: 149, total bytes: 18174, total packets: 153, avg bps: 415, avg pps: 0, avg bpp: 118
> Time window: 2009-07-16 15:11:27 - 2009-07-16 16:07:21
>
> That is at 1:100 sample rate.
>
>
> It's all UDP destined to port 53 on your end with a tiny bit of ICMP DST
> UNREACH coming from address space on my network back towards your
> targets. Leads me to believe that there might be some adjacent-block
> spoofing going on.
>
> John
>
> On Thu, Jul 16, 2009 at 2:44 PM, Nicholas Ianelli <ni at centergate.net> wrote:
>
> ----------- nsp-security Confidential --------
>
>
> Are folks seeing lots of requests destined to any of these IP addresses
> (UDP based):
>
> 156.154.100.3
> 156.154.101.3
> 156.154.102.3
> 156.154.103.3
>
> Nick
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net <mailto:nsp-security at puck.nether.net>
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet
security counter-measures.
_______________________________________________
--
Nicholas Ianelli: NeuStar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
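
An added example, not part of the original thread: one way to triage a name-server query log for the pattern described above (MX queries for a legitimate domain with a few extra characters tacked on), counting flagged queries per source. The log line layout, the `SERVED` name list, the `max_extra` threshold and all sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample log, assumed layout: "<source IP> <qtype> <qname>".
SAMPLE_LOG = """\
192.0.2.10 MX example.com.
192.0.2.10 MX examplexq.com.
192.0.2.10 MX example.comzt.
198.51.100.7 MX kqexample.net.
198.51.100.7 A www.example.com.
203.0.113.5 MX example.net.
192.0.2.10 MX Example.COMab.
203.0.113.5 MX unrelated.org.
"""

SERVED = {"example.com", "example.net"}  # hypothetical names that legitimately get MX queries


def padded_base(qname, served=SERVED, max_extra=4):
    """Return the served name that qname equals after deleting one contiguous
    run of 1..max_extra characters, or None. Exact matches return None."""
    q = qname.rstrip(".").lower()
    if q in served:
        return None
    for base in sorted(served):
        k = len(q) - len(base)  # number of extra characters to account for
        if 1 <= k <= max_extra:
            for i in range(len(base) + 1):  # try the run at every position
                if q[:i] + q[i + k:] == base:
                    return base
    return None


def triage(log_text, qtype="MX"):
    """Count padded-name queries per source and per imitated served name."""
    by_source, by_base = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != qtype:
            continue  # skip malformed lines and other query types
        base = padded_base(fields[2])
        if base:
            by_source[fields[0]] += 1
            by_base[base] += 1
    return by_source, by_base


if __name__ == "__main__":
    for src, n in triage(SAMPLE_LOG)[0].most_common(25):
        print(f"{src}\t{n}")
```

Per-source counts are only as reliable as the source addresses; the quoted reply below Nick's message raises the possibility of spoofing, so the per-name counts are the safer signal for deciding what to filter.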