[nsp-sec] ack'd 2914 Re: DNS Flood to Ultra [NTT-M6906312S] UltraDNS DoS

Smith, Donald Donald.Smith at qwest.com
Tue Mar 31 17:50:04 EDT 2009


What I am seeing doesn't appear to be spoofed. The attacking ips are coming in the same interface consistently even with non-attack data:)
Source ports are reasonably random, I don't see a pattern there.
Packets seem to be ~60-75 bytes.

There is one special port 51413.
A static high port per attacking ip appears to be talking to that port on several ips.
Not sure this is the c&c but it could be. Looks like p2p-style comms; it could just be p2p, not the control channel.

Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com gcia 


> 
> On Tue, Mar 31, 2009 at 10:24:20AM -0400, Fouant, Stefan wrote:
> > ----------- nsp-security Confidential --------
> > 
> > Folks,
> > 
> > Our Ultra sites have been coming under a UDP DNS flood for several hours
> > sustaining several hundred Mbps from what appears to be a large botnet,
> > generating queries for silverdollar.com and gocasino.com.  Looks like a
> > dictionary attack.  We're currently filtering it right and able to
> > sustain business operations as usual, but the attack continues.
> > Wondering if any of you can take a look at any of the botnets and find
> > out who might be behind this.
> > 
> > The ranges under attack are:
> > 
> > 204.74.108.1/32
> > 204.74.109.1/32
> > 199.7.68.1/32
> > 199.7.69.1/32
> > 204.74.114.1/32
> > 204.74.115.1/32
> > 
> > Thanks for any information any of you can provide,
> > 
> > Stefan Fouant: NeuStar, Inc.
> > Principal Network Engineer 
> > 46000 Center Oak Plaza Sterling, VA 20166
> > [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
> > [ E ] stefan.fouant at neustar.biz [ W ] www.neustar.biz
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > _______________________________________________
> 
> -- 
> 
> Tino T. Steward SNA1 - Security & Abuse
>                      tsteward at us.ntt.net
> NTT Communications Global IP Network Operations Center
> 214-853-7344 (Ph.)    214.800.7771 (Fax)
> 
> AUP online: 
> http://www.nttamerica.com/legal/internet/acceptable_policy.html 
> AUP online: http://www.ntt.net/library/pdf/AUP.pdf 
> 
> Check http://www.cert.org for some of the latest documented 
> exploits and your OS manufacturer for the latest security patches.
> 
> Intruder detection: 
> http://www.cert.org/tech_tips/intruder_detection_checklist.html
> 
> Latest viruses: http://www.cert.org
> 
> Recovering from a compromised host: 
> http://www.cert.org/tech_tips/win-UNIX-system_compromise.html 
> 
> 
> 
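Added example, not part of the thread or either poster's tooling: triage logic over constructed flow records that tests the same things Donald's reply checks by hand (ingress-interface consistency as a non-spoofing signal, source-port randomness, the 60-75 byte packet band, and a fixed high port reaching 51413 on several peers). Ports 53 and 51413 come from the thread; every IP address, interface index and packet size below is constructed for the example.

```python
from collections import defaultdict

# Constructed flow records for this example (not taken from the thread):
# (src, sport, dst, dport, ingress_interface, packet_bytes)
SAMPLE_FLOWS = [
    # 10.0.0.5: 60-75 byte queries to UDP/53, random source ports, always the same ingress
    *[("10.0.0.5", 20000 + (97 * i) % 40000, "198.51.100.1", 53, 3, 60 + i % 16) for i in range(40)],
    # the same host keeps one fixed high port talking to 51413 on several peers (p2p-style)
    *[("10.0.0.5", 33877, peer, 51413, 3, 120) for peer in ("10.1.1.1", "10.1.1.2", "10.1.1.3")],
    # 10.0.0.7: same query profile, but its packets arrive on four different interfaces
    *[("10.0.0.7", 20000 + (53 * i) % 40000, "198.51.100.1", 53, 1 + i % 4, 66) for i in range(40)],
    # 10.0.0.9: an ordinary client, a couple of larger queries
    ("10.0.0.9", 51001, "198.51.100.1", 53, 2, 88),
    ("10.0.0.9", 51002, "198.51.100.1", 53, 2, 91),
]

def triage(flows, flood_dport=53, peer_port=51413, min_queries=20, size_band=(60, 75)):
    """Per-source report for every host sending at least min_queries to flood_dport."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    report = {}
    for src, fl in by_src.items():
        queries = [f for f in fl if f[3] == flood_dport]
        if len(queries) < min_queries:
            continue
        in_band = sum(size_band[0] <= f[5] <= size_band[1] for f in queries)
        # one fixed source port reaching peer_port on several distinct hosts
        peers_by_sport = defaultdict(set)
        for f in fl:
            if f[3] == peer_port:
                peers_by_sport[f[1]].add(f[2])
        report[src] = {
            "queries": len(queries),
            # a spoofed source would not keep arriving on the same interface
            "single_ingress": len({f[4] for f in queries}) == 1,
            # 1.0 means no source port was ever reused
            "sport_randomness": len({f[1] for f in queries}) / len(queries),
            "small_packet_ratio": in_band / len(queries),
            "peer_fanout": max((len(p) for p in peers_by_sport.values()), default=0),
        }
    return report

def matches_thread_profile(entry):
    """True when a source looks like the hosts described in the reply above."""
    return (entry["single_ingress"] and entry["sport_randomness"] > 0.9
            and entry["small_packet_ratio"] > 0.9 and entry["peer_fanout"] >= 2)
```

Run `triage(SAMPLE_FLOWS)` and pass each entry to `matches_thread_profile`; only 10.0.0.5 matches, while 10.0.0.7 fails on the ingress check and the quiet client never reaches the query threshold.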

