[nsp-sec] namespace4u.de

Florian Weimer fweimer at bfk.de
Fri Mar 27 12:46:46 EDT 2009


* John Fraizer:

> Yes.  It was most certainly random.  It could be a Kaminsky-style attack
> though.  Here is an example from a snoop on one of our customer-facing
> caching nameservers:
>
> $ /usr/sbin/snoop -i 0326091400.cap | grep namespace
>   2   0.00055 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C
> ovqkaxdNZgEGl.namespace4you.de. Internet * ?

namespace4you or namespace4u?

The former makes much more sense.

> Some research showed that queries directed at the WAN IP of the CPE
> would be reflected by the CPE to our caching nameservers.

So it's just a reflective attack against namespace4you.de/Fourty Six
Media.  They appear to be filtering queries to everything under
namespace4you.de (except ns and ns2).

I suppose these attacks can be quite difficult to deal with. 8-(

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
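
An added example, not part of the original message or written by either poster: one way a resolver operator could spot the pattern discussed above, many distinct random-looking labels under one zone, in snoop-style query lines. The thresholds, the two-label zone split, the function names, and every sample line except the first (taken from the quoted capture, unwrapped) are assumptions made for this illustration.

```python
import math
import re
from collections import defaultdict

# snoop one-line DNS query summary: "<src> -> <dst> DNS C <qname> Internet"
QUERY_RE = re.compile(r"(\S+) -> (\S+) DNS C (\S+?)\.? Internet")

def entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def random_subdomain_zones(lines, min_unique=5, min_entropy=3.0):
    """Return {zone: distinct_label_count} for zones whose queried
    leftmost labels are both numerous and high-entropy."""
    labels = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        parts = m.group(3).lower().split(".")
        if len(parts) < 3:
            continue  # nothing below the zone apex
        zone = ".".join(parts[-2:])  # assumption: zone = last two labels
        labels[zone].add(parts[0])
    flagged = {}
    for zone, seen in labels.items():
        mean_h = sum(entropy(l) for l in seen) / len(seen)
        if len(seen) >= min_unique and mean_h >= min_entropy:
            flagged[zone] = len(seen)
    return flagged

# First line is from the quoted capture; the rest are constructed samples.
SAMPLE = [
    "  2   0.00055 cns03.olvemo01.sys.nuvox.net -> 193.223.77.3 DNS C ovqkaxdNZgEGl.namespace4you.de. Internet * ?",
    "  3   0.00061 resolver.example.net -> 192.0.2.53 DNS C hTrwpLbmcuYsf.namespace4you.de. Internet * ?",
    "  4   0.00070 resolver.example.net -> 192.0.2.53 DNS C www.example.com. Internet Addr ?",
    "  5   0.00074 resolver.example.net -> 192.0.2.53 DNS C qZjdmvNxaKoet.namespace4you.de. Internet * ?",
    "  6   0.00081 resolver.example.net -> 192.0.2.53 DNS C bGyuTlwcRphsi.namespace4you.de. Internet * ?",
    "  7   0.00090 resolver.example.net -> 192.0.2.53 DNS C mail.example.com. Internet Addr ?",
    "  8   0.00093 resolver.example.net -> 192.0.2.53 DNS C mXfkoaWdJvzne.namespace4you.de. Internet * ?",
]

if __name__ == "__main__":
    print(random_subdomain_zones(SAMPLE))
```

Grouping the same lines by source address instead of by zone would show which customer CPE devices are relaying the queries.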


