[nsp-sec] packet love against 174.129.208.119
Dave Burke
dave at amazon.com
Wed May 20 15:02:50 EDT 2009
Hi,
At 2009-05-20 16:21 UTC this evening, we got hit with a large udp/53 flood
against the dns server hosting 23u.com - 174.129.28.119. It lasted until 16:37 UTC.
Sample packet signature ...
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ........ ......E.
0010 00 39 92 1f 40 00 f4 11 43 2a ca 60 68 10 ae 81 .9..@... C*.`h...
0020 d0 77 df c0 00 35 00 25 d2 91 75 4b 00 00 00 01 .w...5.% ..uK....
0030 00 00 00 00 00 00 03 77 77 77 03 32 33 75 03 63 .......w ww.23u.c
0040 6f 6d 00 00 01 00 01 om.....
The peak packet rate we saw was 2,799,319/pps @ 1.725Gb/s.
The top origin srcIPs are as follows...
Each of those was doing between 1625/pps & 4967/pps of udp/53 traffic.
Any help in tracking down the origin and stomping it out would be appreciated.
thanks,
dave
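Decoding the sample packet in the message shows which header fields a filter or detection rule could match on. This is an added example, not part of the original post; the function names are illustrative, and the bytes are the hex columns of the sample as posted.

```python
import re, socket, struct
# Hex columns of the sample packet in the message above (ASCII column omitted).
SAMPLE = """\
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
0010 00 39 92 1f 40 00 f4 11 43 2a ca 60 68 10 ae 81
0020 d0 77 df c0 00 35 00 25 d2 91 75 4b 00 00 00 01
0030 00 00 00 00 00 00 03 77 77 77 03 32 33 75 03 63
0040 6f 6d 00 00 01 00 01
"""

def hexdump_to_bytes(text):
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:17]:        # skip offset, max 16 bytes per row
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                          # reached an ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def decode_dns_query(frame):
    """Decode Ethernet/IPv4/UDP/DNS; return the fields a filter could match on."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet/IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IP header length in bytes
    total_len, = struct.unpack("!H", ip[2:4])
    if ip[9] != 17 or len(ip) < total_len:
        raise ValueError("not UDP, or frame truncated")
    sport, dport, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    dns = ip[ihl + 8:ihl + udp_len]
    if len(dns) < 12:
        raise ValueError("DNS header truncated")
    txid, flags = struct.unpack("!HH", dns[:4])
    labels, pos = [], 12
    while pos < len(dns) and dns[pos]:        # walk length-prefixed labels
        n = dns[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if len(dns) < pos + 5:
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack("!HH", dns[pos + 1:pos + 5])
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "sport": sport, "dport": dport, "txid": txid,
        "is_query": not (flags & 0x8000), "rd": bool(flags & 0x0100),
        "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
    }
```

For the posted sample, `decode_dns_query(hexdump_to_bytes(SAMPLE))` yields a non-recursive A/IN query for www.23u.com, sent from source port 57280 with IP TTL 244 to 174.129.208.119.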