[nsp-sec] TWC dns issues?
Jim Carhart
jcarhart at security.rr.com
Wed Mar 4 15:09:59 EST 2009
Anybody know a network security contact with plaync.com, on-line play
presence for NC Soft, publishers of City of Heroes MMORPG?
Looks like (and I'm taking responsibility on Time Warner Cable's part)
TWC is propagating an intermittent DNS Amplification Attack without
Recursion (Vaughn/Gadi) against plaync.com from TWC Los Angeles
Divisional DNS servers.
Any contacts with plaync.com/ncsoft.com or upstream would be greatly
appreciated to see if they are experiencing the same flows we are seeing.
- Jim
Mike Lewinski wrote:
> ----------- nsp-security Confidential --------
>
> Perhaps these issues are all unrelated, but my spider sense is starting
> to tingle...
>
>
> 1) Last week we had a customer start complaining about periodic timeouts
> on one of our resolvers. I'm still investigating it, but it seems to
> have resolved itself without any changes here. What is really strange is
> that in my packet captures I can see BIND do the full recursion that is
> requested, but it simply never sends a reply back to the customer's
> original query while answering other queries at the same time without a
> problem (and they are using a nagios test to look up their own www A
> record).
>
> 2) Yesterday another customer discovered his own resolver cache was
> poisoned, and his access to some web sites was being proxied through
> vipertheripper.com
>
> 3) This morning Comcast DNS in Denver was positively glacial. I've never
> had such laggy responses from them. At first I thought the whole
> connection might be down, but I had some already established connections
> that were still working. Once I started routing DNS back through my VPN
> everything worked fine again.
>
> 4) And now I've just read this:
> http://arstechnica.com/security/news/2009/02/time-warner-cable-blames-ddos-attack-for-spotty-service.ars
>
>
> Mike
>
>
--
======================================================================
Jim Carhart james.carhart at twcable.com
Director of Security Voice: 703.345.3192
TWC Road Runner LLC Cell: 571.236.7668
======================================================================