[nsp-sec] UDP DDoS to PDNS1.ULTRADNS.NET and PDNS5.ULTRADNS.INFO

Nicholas Ianelli ni at centergate.net
Thu Jun 18 14:03:44 EDT 2009


Alright, so it seems we have a consensus here, spoofed UDP packets. I'm
sorry for the fire alarm, but I do appreciate everyone looking.

If folks notice UDP traffic destined to these two hosts that is not port
53, I'd love to hear about it:

Name:    PDNS5.ULTRADNS.INFO
Address:  204.74.114.1

Name:    PDNS1.ULTRADNS.NET
Address:  204.74.108.1

Cheers,
Nick


Krista Hickey wrote:
> ----------- nsp-security Confidential --------
> 
> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of sthaug at nethelp.no
>> Sent: Thursday, June 18, 2009 1:13 PM
>> To: ni at centergate.net
>> Cc: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] UDP DDoS to PDNS1.ULTRADNS.NET and
>> PDNS5.ULTRADNS.INFO
>>
>> ----------- nsp-security Confidential --------
>>
>>>> Here is the actual full list:
>>>>
>>>> https://asn.cymru.com/nsp-sec/upload/1245339888.whois.txt
>>>>
>>>> time range was from 12:56 to 15:18 UTC.
>>> I believe you have some false positives in that list. One of the hosts
>>> from AS 2116, 193.75.110.78, is one of our main recursive name servers,
>>> and is definitely expected to send queries to the UltraDNS hosts.
>> Oh yeah, the same applies to the 194.19.2.10 host from AS 3307.
>>
>> Steinar Haug, AS 2116
>>
> 
> Me too, the following are DNS servers our customers use,
> 
> 7992    | 24.226.1.93      | COGECOWAVE - Cogeco Cable
> 7992    | 24.226.10.194    | COGECOWAVE - Cogeco Cable
> 
> The other two listings are for commercial customers that run their own
> DNS servers and we haven't had issues with before so....
> 
> Krista
> 7992
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________


--
Nicholas Ianelli: NeuStar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
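
The check requested in the message above (UDP to the two UltraDNS addresses on any port other than 53), written out as an added example that is not part of the original e-mail or anyone's tooling in the thread. The CSV flow layout, the interface names and the sample rows are constructed assumptions; totals are grouped by ingress interface rather than source address because the thread concluded the sources are spoofed.

```python
import csv
import io
from collections import Counter

# The two addresses named in the message.
WATCHED = {
    "204.74.114.1": "PDNS5.ULTRADNS.INFO",
    "204.74.108.1": "PDNS1.ULTRADNS.NET",
}
UDP = 17  # IP protocol number for UDP

# Constructed flow export (not real traffic); the column layout is an assumption.
SAMPLE_FLOWS = """\
ingress_if,proto,src,dst,dport,packets
ge-0/0/1,17,192.0.2.10,204.74.114.1,53,12
ge-0/0/3,17,198.51.100.7,204.74.114.1,80,90000
ge-0/0/3,17,203.0.113.99,204.74.108.1,4444,45000
ge-0/0/3,17,198.51.100.200,204.74.108.1,80,30000
ge-0/0/2,6,192.0.2.10,204.74.108.1,53,4
ge-0/0/1,17,192.0.2.10,198.51.100.53,123,3
"""

def non_dns_udp(flow_csv):
    """Return flows that are UDP, addressed to a watched host, and not to port 53."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["proto"]) != UDP or row["dst"] not in WATCHED:
            continue
        if int(row["dport"]) == 53:
            continue  # ordinary DNS queries, e.g. from recursive resolvers
        hits.append(row)
    return hits

def summarize(hits):
    """Packet totals keyed by (ingress interface, target name, destination port)."""
    totals = Counter()
    for row in hits:
        key = (row["ingress_if"], WATCHED[row["dst"]], int(row["dport"]))
        totals[key] += int(row["packets"])
    return totals

if __name__ == "__main__":
    report = summarize(non_dns_udp(SAMPLE_FLOWS))
    for (iface, name, port), pkts in report.most_common():
        print(f"{iface:10} -> {name:22} udp/{port:<5} {pkts} packets")
```
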



