[nsp-sec] (N)ACK 217 Re: UDP DDoS to PDNS1.ULTRADNS.NET and PDNS5.ULTRADNS.INFO

Brian Eckman eckman at umn.edu
Mon Jun 22 11:51:30 EDT 2009


The one host listed in AS 217 didn't appear to be attacking. It sent 
less than 100 packets to those servers between 12:55 - 15:19 UTC on the 
18th, and none of the queries nor responses were anywhere close to a KB. 
The number of packets sent & received are almost identical.

Looking deeper, it looks like no hosts on our network sent anything over 
125 bytes per packet to the servers listed during that time.

Brian

Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Here is the actual full list:
> 
> https://asn.cymru.com/nsp-sec/upload/1245339888.whois.txt
> 
> time range was from 12:56 to 15:18 UTC.
> 
> Nick
> 
> Nicholas Ianelli wrote:
>> ----------- nsp-security Confidential --------
>>
>>
>> Name:    PDNS5.ULTRADNS.INFO
>> Address:  204.74.114.1
>>
>> Name:    PDNS1.ULTRADNS.NET
>> Address:  204.74.108.1
>>
>> UDP traffic destined to ports 0-5119, majority of packets were of a size
>> 1.15kbytes/packet
>>
>> This appears to be spoofed, still interested in what anyone can find.
>> I've included a list of hosts seen participating in this attack. The
>> data is valid from 1420 GMT to 1450 GMT on 2009.06.18
>>
>> Cheers,
>> nick
>>
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
> 
> 
> 
> - --
> Nicholas Ianelli: NeuStar, Inc.
> Security Operations
> 
> 46000 Center Oak Plaza Sterling, VA 20166
> +1 571.434.4691 - http://www.neustar.biz
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> 
> iEYEARECAAYFAko6b0EACgkQi10dJIBjZIBZwACdG5hlAKz0vpsq7+qBL760J5D3
> w7MAnij/roW/FBUCaVnj51KueyyzxvEC
> =TKQt
> -----END PGP SIGNATURE-----
> 
> 


-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
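
The check described in the reply above (packet count, bytes per packet, and sent/received symmetry toward the two name servers), sketched as an added example that is not part of the original message. The flow-record format, the sample records, the local addresses, and the two thresholds are constructed assumptions; only the target addresses and the time window come from the thread.

```python
from collections import defaultdict
from datetime import datetime, timezone

TARGETS = {"204.74.114.1", "204.74.108.1"}  # addresses given in the report
START = datetime(2009, 6, 18, 12, 55, tzinfo=timezone.utc)
END = datetime(2009, 6, 18, 15, 19, tzinfo=timezone.utc)
LARGE_BPP = 1000      # assumed cutoff; the report cites ~1.15 kbytes/packet
ONE_WAY_RATIO = 0.5   # assumed: replies below half of sent packets = one-way

# Constructed flow records: time src dst proto packets bytes
FLOWS = """\
2009-06-18T13:02:11Z 192.0.2.10 204.74.108.1 udp 40 2900
2009-06-18T13:02:11Z 204.74.108.1 192.0.2.10 udp 39 4600
2009-06-18T14:30:00Z 192.0.2.10 204.74.114.1 udp 45 3200
2009-06-18T14:30:00Z 204.74.114.1 192.0.2.10 udp 45 5300
2009-06-18T14:25:00Z 198.51.100.7 204.74.108.1 udp 90000 103500000
2009-06-18T16:00:00Z 192.0.2.10 204.74.108.1 udp 5000 5750000
"""

def triage(text):
    """Summarise each local host's UDP traffic with the targets in the window."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0})
    for line in text.splitlines():
        ts, src, dst, proto, pkts, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if proto != "udp" or not (START <= when <= END):
            continue
        if dst in TARGETS:        # local host -> name server
            stats[src]["tx_pkts"] += int(pkts)
            stats[src]["tx_bytes"] += int(nbytes)
        elif src in TARGETS:      # name server -> local host
            stats[dst]["rx_pkts"] += int(pkts)
    report = {}
    for host, s in stats.items():
        # Flow data yields an average size per packet, not a per-packet maximum.
        avg = round(s["tx_bytes"] / s["tx_pkts"], 1) if s["tx_pkts"] else 0.0
        # DNS query/response traffic is roughly symmetric; a flood of large
        # datagrams with few or no replies is what the report describes.
        one_way = s["rx_pkts"] < ONE_WAY_RATIO * s["tx_pkts"]
        report[host] = {"tx_pkts": s["tx_pkts"], "rx_pkts": s["rx_pkts"],
                        "avg_bytes": avg, "suspect": avg >= LARGE_BPP and one_way}
    return report

if __name__ == "__main__":
    for host, row in sorted(triage(FLOWS).items()):
        print(host, row)
```
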


