[nsp-sec] UDP DDoS to PDNS1.ULTRADNS.NET and PDNS5.ULTRADNS.INFO

Matthew.Swaar at us-cert.gov Matthew.Swaar at us-cert.gov
Thu Jun 18 13:26:32 EDT 2009


I examined all of our outbound flows first, and then checked the full
list against our IPs/ASNs.

Looks like we had ~67 IPs across ~38 ASNs make the list, but the flows
I've examined are DNS queries that don't match the attack traffic (as
described) and don't appear to be anomalous in volume.

I think your suspicions about spoofing are all but confirmed, Nick. 


 
Very Respectfully,

US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Nicholas
Ianelli
Sent: Thursday, June 18, 2009 12:46 PM
To: NSP-SEC List
Subject: Re: [nsp-sec] UDP DDoS to PDNS1.ULTRADNS.NET and
PDNS5.ULTRADNS.INFO

----------- nsp-security Confidential --------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is the actual full list:

https://asn.cymru.com/nsp-sec/upload/1245339888.whois.txt

time range was from 12:56 to 15:18 UTC.

Nick

Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> 
> Name:    PDNS5.ULTRADNS.INFO
> Address:  204.74.114.1
> 
> Name:    PDNS1.ULTRADNS.NET
> Address:  204.74.108.1
> 
> UDP traffic destined to ports 0-5119, majority of packets were of a 
> size 1.15kbytes/packet
> 
> This appears to be spoofed, still interested in what anyone can find.
> I've included a list of hosts seen participating in this attack. The 
> data is valid from 1420 GMT to 1450 GMT on 2009.06.18
> 
> Cheers,
> nick
> 

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.
_______________________________________________



- --
Nicholas Ianelli: NeuStar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAko6b0EACgkQi10dJIBjZIBZwACdG5hlAKz0vpsq7+qBL760J5D3
w7MAnij/roW/FBUCaVnj51KueyyzxvEC
=TKQt
-----END PGP SIGNATURE-----
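
The flow check described in this thread, as an added example that is not part of the original messages: it labels outbound flow records sent to the two target addresses as attack-like (UDP, destination port 0-5119, about 1.15 kB per packet) or as ordinary small DNS queries. The record layout, the source addresses, the 15% size tolerance and the 512-byte DNS cutoff are assumptions made for illustration; a listed source whose own flows are only small DNS queries is consistent with its address having been spoofed.

```python
import csv
import io

# Attack description taken from the thread.
TARGETS = {"204.74.114.1", "204.74.108.1"}
PORT_RANGE = range(0, 5120)   # UDP destination ports 0-5119
ATTACK_PKT_BYTES = 1150       # "1.15kbytes/packet"
SIZE_TOLERANCE = 0.15         # assumption: +/-15% counts as a size match
DNS_MAX_BYTES = 512           # assumption: plain DNS queries stay under this

# Constructed sample flow export: src,dst,proto,dport,packets,bytes
SAMPLE_FLOWS = """\
192.0.2.10,204.74.108.1,17,53,4,288
192.0.2.10,204.74.114.1,17,53,2,150
198.51.100.7,204.74.108.1,17,4021,900,1035000
198.51.100.7,204.74.114.1,17,17,1200,1380000
203.0.113.5,204.74.108.1,6,53,10,5200
192.0.2.44,198.51.100.99,17,53,3,210
"""

def classify(flow):
    """Label a flow 'attack-like', 'dns-query' or 'other'; None if not to a target."""
    if flow["dst"] not in TARGETS:
        return None
    if flow["proto"] != 17 or flow["packets"] == 0:
        return "other"
    avg = flow["bytes"] / flow["packets"]
    size_match = abs(avg - ATTACK_PKT_BYTES) <= ATTACK_PKT_BYTES * SIZE_TOLERANCE
    if flow["dport"] in PORT_RANGE and size_match:
        return "attack-like"
    if flow["dport"] == 53 and avg <= DNS_MAX_BYTES:
        return "dns-query"
    return "other"

def triage(text, listed_sources):
    """Return {src: {label: packet_count}} for listed sources sending to the targets."""
    result = {}
    fields = ["src", "dst", "proto", "dport", "packets", "bytes"]
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        flow = {k: (v if k in ("src", "dst") else int(v)) for k, v in row.items()}
        label = classify(flow)
        if label is None or flow["src"] not in listed_sources:
            continue
        per_src = result.setdefault(flow["src"], {})
        per_src[label] = per_src.get(label, 0) + flow["packets"]
    return result

if __name__ == "__main__":
    listed = {"192.0.2.10", "198.51.100.7", "203.0.113.5"}  # constructed list hits
    print(triage(SAMPLE_FLOWS, listed))
```

Port 53 falls inside the reported 0-5119 range, so packet size is what separates normal queries from the described attack traffic here.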

