[nsp-sec] ACK 174 RE: DNS Flood to Ultra

Shelton, Steve sshelton at Cogentco.com
Tue Mar 31 13:08:47 EDT 2009


Thanks and ACK for 174, working on our two.

174     | 38.117.200.131   | COGENT Cogent/PSI
174     | 38.223.231.249   | COGENT Cogent/PSI

Best regards,

Steve Shelton
Security Engineer
Cogent Communications

-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Nicholas Ianelli
Sent: Tuesday, March 31, 2009 8:48 AM
To: Fouant, Stefan
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DNS Flood to Ultra

----------- nsp-security Confidential --------

A subset of the attacking IPs can be located at the following URL:

https://asn.cymru.com/nsp-sec/upload/1238509380.whois.txt

~3k IPs from 4 to 6am ET on 2009.03.31

ASNs with the largest amount of contributors:

  19 6306
  21 16338
  22 13999
  22 9121
  24 7132
  25 6057
  26 6739
  27 12715
  29 3215
  29 8167
  30 6389
  32 6147
  34 3269
  34 9737
  35 7738
  36 7418
  38 12357
  40 19262
  41 6400
  49 21826
  49 6332
  86 22927
 142 7303
 213 8048
 374 3352
 450 8151

Nick

Fouant, Stefan wrote:
> ----------- nsp-security Confidential --------
> 
> Folks,
> 
> Our Ultra sites have been coming under a UDP DNS flood for several 
> hours sustaining several hundred Mbps from what appears to be a large 
> botnet, generating queries for silverdollar.com and gocasino.com.  
> Looks like a dictionary attack.  We're currently filtering it right 
> and able to sustain business operations as usual, but the attack continues.
> Wondering if any of you can take a look at any of the botnets and find
> out who might be behind this.
> 
> The ranges under attack are:
> 
> 204.74.108.1/32
> 204.74.109.1/32
> 199.7.68.1/32
> 199.7.69.1/32
> 204.74.114.1/32
> 204.74.115.1/32
> 
> Thanks for any information any of you can provide,
> 
> Stefan Fouant: NeuStar, Inc.
> Principal Network Engineer
> 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] 
> +1 202 210 2075 [ E ] stefan.fouant at neustar.biz [ W ] www.neustar.biz
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________

