[nsp-sec] UDP DDoS to PDNS1.ULTRADNS.NET and PDNS5.ULTRADNS.INFO

Joel Rosenblatt joel at columbia.edu
Thu Jun 18 13:35:16 EDT 2009


Hi,

I have to agree, the hosts from AS14 are all name servers or SMTP servers, and the biggest packet I see from that time period is 103 bytes, the majority are 78-83 bytes.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, June 18, 2009 7:07 PM +0200 sthaug at nethelp.no wrote:

> ----------- nsp-security Confidential --------
>
>> Here is the actual full list:
>>
>> https://asn.cymru.com/nsp-sec/upload/1245339888.whois.txt
>>
>> time range was from 12:56 to 15:18 UTC.
>
> I believe you have some false positives in that list. One of the hosts
> from AS 2116, 193.75.110.78, is one of our main recursive name servers,
> and is definitely expected to send queries to the UltraDNS hosts.
>
> For the other host, 193.90.144.98, I have checked our Netflow records.
> As far as I can see, this host also was sending perfectly normal DNS
> queries to the UltraDNS hosts, UDP port 53, fairly small packets.
>
> Steinar Haug, AS 2116
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>

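The kind of false-positive check both posters describe (looking a flagged source up in NetFlow-style records and asking whether its traffic to the UltraDNS hosts is UDP/53 with small, query-sized packets) can be scripted. The following is an added example, not code from the thread or from either poster; the flow records, the IP addresses (documentation ranges) and the size and rate thresholds are constructed assumptions, and the `known_resolvers` allowlist stands in for an operator's own list of recursive name servers.

```python
"""Triage a 'DDoS source' list against NetFlow-style records.

Constructed example: the flow records, addresses and thresholds below
are made up for illustration and are not from the incident discussed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    bytes: int


# Constructed sample records (hypothetical addresses from documentation ranges).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.53", "udp", 53, 4200, 336000),        # ~80 B/pkt
    Flow("192.0.2.10", "203.0.113.54", "udp", 53, 3900, 319800),        # ~82 B/pkt
    Flow("192.0.2.25", "203.0.113.53", "udp", 53, 120000, 168000000),   # 1400 B/pkt
    Flow("192.0.2.40", "203.0.113.53", "udp", 53, 50, 4000),            # 80 B/pkt, low volume
    Flow("192.0.2.40", "203.0.113.53", "tcp", 25, 10, 6000),            # SMTP, not DNS
]

# Illustrative thresholds (assumptions, not values from the thread): an ordinary
# DNS query packet is well under MAX_QUERY_PKT_BYTES, and a source that is not a
# known resolver but sends more than HIGH_PACKET_COUNT packets in the window
# deserves a closer look even if its packets are small.
MAX_QUERY_PKT_BYTES = 128
HIGH_PACKET_COUNT = 100000


def summarize(flows):
    """Aggregate per-source statistics for UDP/53 traffic.

    Returns {src: {"packets", "bytes", "max_avg", "other_ports"}} where
    max_avg is the largest per-flow average packet size seen for that source.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "max_avg": 0.0,
                                 "other_ports": set()})
    for f in flows:
        if f.packets == 0:
            continue  # malformed record; nothing to average
        s = stats[f.src]
        if f.proto == "udp" and f.dport == 53:
            s["packets"] += f.packets
            s["bytes"] += f.bytes
            s["max_avg"] = max(s["max_avg"], f.bytes / f.packets)
        else:
            s["other_ports"].add((f.proto, f.dport))
    return stats


def classify(flows, known_resolvers=frozenset()):
    """Return {src: verdict} with verdict in {'likely-normal', 'review', 'no-dns'}.

    'likely-normal': only query-sized UDP/53 packets, and either a known
    resolver or a modest packet count. 'review': large packets, or a high
    packet count from a source not on the resolver allowlist.
    """
    verdicts = {}
    for src, s in summarize(flows).items():
        if s["packets"] == 0:
            verdicts[src] = "no-dns"
            continue
        avg = s["bytes"] / s["packets"]
        small = avg <= MAX_QUERY_PKT_BYTES and s["max_avg"] <= MAX_QUERY_PKT_BYTES
        if small and (src in known_resolvers or s["packets"] < HIGH_PACKET_COUNT):
            verdicts[src] = "likely-normal"
        else:
            verdicts[src] = "review"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{src:15} {verdict}")
```

Running it on the constructed records marks the two small-packet sources as likely ordinary resolver traffic and the 1400-byte-per-packet source for review; passing a source on `known_resolvers` keeps a busy but small-packet resolver out of the review bucket, which is the situation Steinar describes for his main recursive server.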
