[nsp-sec] DNS Flood to Ultra
Tino Steward
tsteward at us.ntt.net
Tue Mar 31 11:24:15 EDT 2009
thx Nicholas.
tino
On Tue, Mar 31, 2009 at 10:48:28AM -0400, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> A subset of the attacking IPs can be located at the following URL:
>
> https://asn.cymru.com/nsp-sec/upload/1238509380.whois.txt
>
> ~3k IPs from 4 to 6am ET on 2009.03.31
>
> ASNs with the largest amount of contributors:
>
> 19 6306
> 21 16338
> 22 13999
> 22 9121
> 24 7132
> 25 6057
> 26 6739
> 27 12715
> 29 3215
> 29 8167
> 30 6389
> 32 6147
> 34 3269
> 34 9737
> 35 7738
> 36 7418
> 38 12357
> 40 19262
> 41 6400
> 49 21826
> 49 6332
> 86 22927
> 142 7303
> 213 8048
> 374 3352
> 450 8151
>
> Nick
>
> Fouant, Stefan wrote:
> > Folks,
> >
> > Our Ultra sites have been coming under a UDP DNS flood for several hours
> > sustaining several hundred Mbps from what appears to be a large botnet,
> > generating queries for silverdollar.com and gocasino.com. Looks like a
> > dictionary attack. We're currently filtering it right and able to
> > sustain business operations as usual, but the attack continues.
> > Wondering if any of you can take a look at any of the botnets and find
> > out who might be behind this.
> >
> > The ranges under attack are:
> >
> > 204.74.108.1/32
> > 204.74.109.1/32
> > 199.7.68.1/32
> > 199.7.69.1/32
> > 204.74.114.1/32
> > 204.74.115.1/32
> >
> > Thanks for any information any of you can provide,
> >
> > Stefan Fouant: NeuStar, Inc.
> > Principal Network Engineer
> > 46000 Center Oak Plaza Sterling, VA 20166
> > [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
> > [ E ] stefan.fouant at neustar.biz [ W ] www.neustar.biz
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security counter-measures.
> > _______________________________________________
>
>
>
--
Tino T. Steward SNA1 - Security & Abuse tsteward at us.ntt.net
NTT Communications Global IP Network Operations Center
214-853-7344 (Ph.) 214.800.7771 (Fax)
AUP online: http://www.nttamerica.com/legal/internet/acceptable_policy.html
AUP online: http://www.ntt.net/library/pdf/AUP.pdf
Check http://www.cert.org for some of the latest documented exploits and your OS manufacturer for the latest security patches.
Intruder detection: http://www.cert.org/tech_tips/intruder_detection_checklist.html
Latest viruses: http://www.cert.org
Recovering from a compromised host: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html