[nsp-sec] ACK: DNS Flood to Ultra

Rodolfo Baader rbaader at arcert.gov.ar
Tue Mar 31 17:14:40 EDT 2009


Hi!

ACK for AR ASNs: 7303, 7908, 10318, 10481, 10834, 11008, 11315, 11664, 13585,
16814, 17069, 17401, 19037, 19889, 20207, 22080, 22927, 27747, 27751, 27754,
27792, 27827, 27833, 27879, 27934, 27953, 27960, 27984

Notifications were sent to the abuse/noc departments.

Details:
#TOTAL ASN Argentina: 28
#TOTAL IPS Argentina: 294 total

  142  7303
   86  22927
   10  10834
   10  10318
    7  11664
    6  20207
    6  16814
    4  19889
    2  27934
    2  27792
    2  13585
    1  7908
    1  27984
    1  27960
    1  27953
    1  27879
    1  27833
    1  27827
    1  27754
    1  27751
    1  27747
    1  22080
    1  19037
    1  17401
    1  17069
    1  11315
    1  11008
    1  10481


R.
-- 
-----------------------------------------------
ArCERT - http://www.arcert.gov.ar
Te: (54-11) 4343-9001 int.512/514  |  4345-0383
Fax:(54-11) 4343-7458

Av.R. Saenz Peña 511 - Of:514
C1035AAA - Ciudad Autonoma de Buenos Aires
Argentina
-----------------------------------------------

Fouant, Stefan wrote:
> ----------- nsp-security Confidential --------
> 
> Folks,
> 
> Our Ultra sites have been coming under a UDP DNS flood for several hours
> sustaining several hundred Mbps from what appears to be a large botnet,
> generating queries for silverdollar.com and gocasino.com.  Looks like a
> dictionary attack.  We're currently filtering it right and able to
> sustain business operations as usual, but the attack continues.
> Wondering if any of you can take a look at any of the botnets and find
> out who might be behind this.
> 
> The ranges under attack are:
> 
> 204.74.108.1/32
> 204.74.109.1/32
> 199.7.68.1/32
> 199.7.69.1/32
> 204.74.114.1/32
> 204.74.115.1/32
> 
> Thanks for any information any of you can provide,
> 
> Stefan Fouant: NeuStar, Inc.
> Principal Network Engineer 
> 46000 Center Oak Plaza Sterling, VA 20166
> [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
> [ E ] stefan.fouant at neustar.biz [ W ] www.neustar.biz
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 


