[nsp-sec] DNS Flood to Ultra

Nicholas Ianelli ni at centergate.net
Tue Mar 31 12:04:30 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can someone from the below ASNs ping me offlist:

3356    | 89.149.233.194   | LEVEL3 Level 3 Communications
3549    | 89.149.233.194   | GBLX Global Crossing Ltd.
6695    | 89.149.233.194   | DECIX-AS DE-CIX, the German Internet Exchange
10310   | 89.149.233.194   | YAHOO-1 - Yahoo!


Thanks!
Nick


Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> A subset of the attacking IPs can be located at the following URL:
> 
> https://asn.cymru.com/nsp-sec/upload/1238509380.whois.txt
> 
> ~3k IPs from 4 to 6am ET on 2009.03.31
> 
> ASNs with the largest amount of contributors:
> 
>   19 6306
>   21 16338
>   22 13999
>   22 9121
>   24 7132
>   25 6057
>   26 6739
>   27 12715
>   29 3215
>   29 8167
>   30 6389
>   32 6147
>   34 3269
>   34 9737
>   35 7738
>   36 7418
>   38 12357
>   40 19262
>   41 6400
>   49 21826
>   49 6332
>   86 22927
>  142 7303
>  213 8048
>  374 3352
>  450 8151
> 
> Nick
> 
> Fouant, Stefan wrote:
>> ----------- nsp-security Confidential --------
> 
>> Folks,
> 
>> Our Ultra sites have been coming under a UDP DNS flood for several hours
>> sustaining several hundred Mbps from what appears to be a large botnet,
>> generating queries for silverdollar.com and gocasino.com.  Looks like a
>> dictionary attack.  We're currently filtering it right and able to
>> sustain business operations as usual, but the attack continues.
>> Wondering if any of you can take a look at any of the botnets and find
>> out who might be behind this.
> 
>> The ranges under attack are:
> 
>> 204.74.108.1/32
>> 204.74.109.1/32
>> 199.7.68.1/32
>> 199.7.69.1/32
>> 204.74.114.1/32
>> 204.74.115.1/32
> 
>> Thanks for any information any of you can provide,
> 
>> Stefan Fouant: NeuStar, Inc.
>> Principal Network Engineer 
>> 46000 Center Oak Plaza Sterling, VA 20166
>> [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
>> [ E ] stefan.fouant at neustar.biz [ W ] www.neustar.biz
> 
> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
> 
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
> 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAknSPw4ACgkQi10dJIBjZICFHwCeOYZCjEqI1PgXBMjbaU8HMsWM
Q3YAmgLa+AsF5ho7FCbQo2nlsaTmW9qN
=S6qA
-----END PGP SIGNATURE-----
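The per-ASN tally quoted in the message can be reproduced from a pipe-delimited whois listing like the one at the top of the message. This is an added example, not part of the original e-mails: the function names and sample rows (documentation addresses and reserved ASNs) are constructed, and the uploaded file is assumed to use the same `AS | IP | AS Name` columns.

```python
import ipaddress
from collections import Counter

# Constructed sample in the "AS | IP | AS Name" layout shown in the message.
# Addresses come from documentation ranges and ASNs from the reserved
# documentation block (64496-64511); none are taken from the thread.
SAMPLE = """\
AS      | IP               | AS Name
64496   | 192.0.2.10       | EXAMPLE-A Example Network A
64496   | 192.0.2.11       | EXAMPLE-A Example Network A
64496   | 192.0.2.10       | EXAMPLE-A Example Network A
64497   | 198.51.100.7     | EXAMPLE-B Example Network B
NA      | 203.0.113.99     | NA
64498 64499 | 203.0.113.5  | EXAMPLE-C Example Network C
free text that is not a data row
64497   | 999.1.1.1        | EXAMPLE-B Example Network B
"""

def parse_rows(text):
    """Yield (asn, ip) pairs from pipe-delimited rows, skipping anything else."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3:
            continue  # blank line, banner or free text
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # column header or malformed address
        # Assumption: a row may list several origin ASNs separated by spaces;
        # the address is then counted once for each of them.
        for asn in fields[0].split():
            if asn.isdigit():  # drops "NA" (no origin ASN found)
                yield int(asn), ip

def sources_per_asn(text):
    """Count distinct source addresses per origin ASN."""
    unique_pairs = set(parse_rows(text))  # the same IP may appear many times
    return Counter(asn for asn, _ in unique_pairs)

def report(counts, top=None):
    """Format as 'count ASN' lines, largest contributor last, as in the message."""
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    if top:
        ranked = ranked[-top:]
    return [f"{n:4d} {asn}" for asn, n in ranked]

if __name__ == "__main__":
    print("\n".join(report(sources_per_asn(SAMPLE))))
```

Counting distinct addresses rather than rows keeps one noisy source from inflating its network's total, which matters when the list is used to decide which operators to contact first.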


