[nsp-sec] packet love to DNS server

Justin M. Streiner streiner at cluebyfour.org
Fri Apr 22 16:34:23 EDT 2011


We've been seeing excessive amounts of packet love to udp/53 on one of our 
DNS servers (136.142.57.10) on and off for the past few days (starting on 
19 April).  It hasn't been a major issue, but the CPU on that server, or 
on the firewall in front of it, has occasionally gotten somewhat 
unhappy...

We've been blocking the offending hosts at the borders as we see them, so 
the situation isn't critical, but if anyone could assist locating and 
re-educating the offending hosts, I'd certainly appreciate it.  If there's 
any indication that the offending hosts are pwnd, I'd be interested in 
hearing about any forensic info, if found.

jms
Network Engineer - University of Pittsburgh (AS4130)

So far, the worst offenders are:


