[nsp-sec] DNS Flood to Ultra
Nicholas Ianelli
ni at centergate.net
Tue Mar 31 10:48:28 EDT 2009
A subset of the attacking IPs can be located at the following URL:
https://asn.cymru.com/nsp-sec/upload/1238509380.whois.txt
~3k IPs from 4 to 6am ET on 2009.03.31
ASNs with the largest amount of contributors:
19 6306
21 16338
22 13999
22 9121
24 7132
25 6057
26 6739
27 12715
29 3215
29 8167
30 6389
32 6147
34 3269
34 9737
35 7738
36 7418
38 12357
40 19262
41 6400
49 21826
49 6332
86 22927
142 7303
213 8048
374 3352
450 8151
Nick
Fouant, Stefan wrote:
> ----------- nsp-security Confidential --------
>
> Folks,
>
> Our Ultra sites have been coming under a UDP DNS flood for several hours
> sustaining several hundred Mbps from what appears to be a large botnet,
> generating queries for silverdollar.com and gocasino.com. Looks like a
> dictionary attack. We're currently filtering it right and able to
> sustain business operations as usual, but the attack continues.
> Wondering if any of you can take a look at any of the botnets and find
> out who might be behind this.
>
> The ranges under attack are:
>
> 204.74.108.1/32
> 204.74.109.1/32
> 199.7.68.1/32
> 199.7.69.1/32
> 204.74.114.1/32
> 204.74.115.1/32
>
> Thanks for any information any of you can provide,
>
> Stefan Fouant: NeuStar, Inc.
> Principal Network Engineer
> 46000 Center Oak Plaza Sterling, VA 20166
> [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
> [ E ] stefan.fouant at neustar.biz [ W ] www.neustar.biz