[nsp-sec] More UDP 'attention'
King, Link
Link.King at neustar.com
Tue Apr 26 14:31:29 EDT 2011
Those are anycast prefixes for authoritative DNS so you'll see them
globally. Apologies if that was confusing. The presumption of spoofed
was due to the sheer number of sources and the fact that they were all
hitting one geographic region where normally we would expect to see them
globally distributed (e.g. European sources hitting west coast of US as
opposed to Europe nodes). The attack itself has died off but we were able
to determine that the vast majority of the traffic was coming in via China
Netcom.
Of note, within Qwest's network there are some peculiarities that I'd be
happy to discuss off list if you'd like. Thanks a ton for taking a look!
-Link
-----Original Message-----
From: "Smith, Donald" <Donald.Smith at qwest.com>
Date: Tue, 26 Apr 2011 13:52:56 -0400
To: Link King <link.king at neustar.com>, "'nsp-security at puck.nether.net'"
<nsp-security at puck.nether.net>
Cc: "Roper, Sara" <Sara.Roper at qwest.com>
Subject: RE: More UDP 'attention'
>Sara ran a netflow report based on the victim ips.
>I spot checked just 204.74.101.1.
>The sif (source interface) for packets FROM 204.74.101.1 was all over the
>place -> (spoofed or multipath).
>
>Then I looked at a single attacker as the source and see that ALL of the
>sif's for it are the same (not spoofed) and that the destination
>interface towards 204.74.101.1 is constant (351). So we don't have
>multiple return paths for 204.74.101.1.
>
>So it looks like someone is spoofing their IPs and doing a dns reflective
>attack.
>That is what this pattern looks like to me anyways.
>
>You stated "that the src's are spoofed" what did you base that on?
>You also mentioned that the packets were malformed again can you provide
>additional details about that?
>
>Sharing: Author's permission required.
>Donald.Smith at qwest.com
>
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
>> bounces at puck.nether.net] On Behalf Of King, Link
>> Sent: Tuesday, April 26, 2011 5:00 AM
>> To: nsp-security at puck.nether.net
>> Subject: [nsp-sec] More UDP 'attention'
>>
>> ----------- nsp-security Confidential --------
>>
>> We're receiving another UDP/53 attack with a new target this time:
>>
>> Target: 204.69.234.1 & 204.74.101.1
>> DST Proto/Port: UDP/53
>> Length: 55 bytes
>> Source ports: Various
>> Source IP's: Spoofed/tons
>>
>> We're seeing around 1.5 Mpps hitting our two west coast data centers
>> almost exclusively and the sources are obviously spoofed
>> (unfortunately).
>> The packet itself is malformed but interestingly includes a domain:
>> boxun.com. Presumably the target.
>>
>> I realize without sources it's difficult but if any backbone folks could
>> take a look at flows to the above two destinations and notice anything
>> that would help track back source networks and such that might be
>> helpful.
>> Thanks!
>>
>> --
>> Link King
>> link.king at neustar.com
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>
>This communication is the property of Qwest and may contain confidential or
>privileged information. Unauthorized use of this communication is strictly
>prohibited and may be unlawful. If you have received this communication
>in error, please immediately notify the sender by reply e-mail and destroy
>all copies of the communication and any attachments.
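The spoofed-versus-multipath reasoning Donald describes in the quoted reply (packets "from" the victim entering on many interfaces, a single attacker always entering on one interface, and a constant egress interface 351 toward 204.74.101.1) can be scripted over exported flow records. The following is an added example written for this page, not code from the thread or from either network; the flow records are constructed, and the attacker addresses, other interface indices and packet counts are assumptions, with only the victim address 204.74.101.1 and egress interface 351 taken from the messages.

```python
"""Netflow spoof-versus-multipath check, following the reasoning in the thread.

Added example for this page; the records below are constructed. Only the
victim address 204.74.101.1 and the egress interface 351 come from the
messages; attacker addresses, other interface indices and packet counts
are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP as carried in the flow record (may be spoofed)
    dst: str    # destination IP
    sif: int    # ingress ("source") interface index on the exporter
    dif: int    # egress ("destination") interface index
    dport: int  # destination UDP port
    pkts: int   # packets counted in this flow


VICTIM = "204.74.101.1"

# Constructed sample records (not real data). Flows whose source is the
# victim enter on four different interfaces; flows from each attacker
# always enter on one interface and always leave toward the victim on 351.
FLOWS = [
    # "from" the victim, toward several UDP/53 reflectors
    Flow(VICTIM, "192.0.2.10", 10, 200, 53, 1200),
    Flow(VICTIM, "192.0.2.11", 22, 201, 53, 1150),
    Flow(VICTIM, "192.0.2.12", 37, 202, 53, 1300),
    Flow(VICTIM, "192.0.2.13", 45, 203, 53, 1100),
    # one attacker hitting the victim: constant ingress, constant egress
    Flow("198.51.100.7", VICTIM, 12, 351, 53, 5000),
    Flow("198.51.100.7", VICTIM, 12, 351, 53, 4200),
    Flow("198.51.100.7", VICTIM, 12, 351, 53, 6100),
    # a second, smaller attacker
    Flow("198.51.100.9", VICTIM, 12, 351, 53, 800),
    Flow("198.51.100.9", VICTIM, 12, 351, 53, 900),
    # a scattered source for which we hold no return-path flows at all
    Flow("203.0.113.50", "192.0.2.20", 1, 204, 53, 300),
    Flow("203.0.113.50", "192.0.2.21", 2, 205, 53, 310),
    Flow("203.0.113.50", "192.0.2.22", 3, 206, 53, 290),
]


def ingress_ifaces(flows, src):
    """Distinct interfaces on which packets claiming source `src` entered."""
    return {f.sif for f in flows if f.src == src}


def egress_ifaces_toward(flows, dst):
    """Distinct interfaces used to forward packets toward `dst`."""
    return {f.dif for f in flows if f.dst == dst}


def assess_source(flows, src, min_scatter=3):
    """Apply the thread's reasoning to one source address.

    Ingress scattered over many interfaces means the address is either
    spoofed or reachable over several paths. If traffic toward that same
    address always leaves on one interface, there is no multipath to
    explain the scatter, so spoofing is the remaining explanation. With no
    return-path flows at all the question cannot be settled.
    """
    scatter = len(ingress_ifaces(flows, src))
    if scatter < min_scatter:
        return "consistent ingress"
    return_paths = egress_ifaces_toward(flows, src)
    if not return_paths:
        return "inconclusive: no flows toward source"
    if len(return_paths) == 1:
        return "likely spoofed"
    return "spoofed or multipath"


def top_sources(flows, dst, n=5):
    """Sources hitting `dst`, ranked by packet count, as a trace-back start."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            totals[f.src] += f.pkts
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for ip in (VICTIM, "198.51.100.7", "203.0.113.50"):
        print(f"{ip:>14}  ingress={sorted(ingress_ifaces(FLOWS, ip))}  "
              f"-> {assess_source(FLOWS, ip)}")
    print("top sources toward", VICTIM, top_sources(FLOWS, VICTIM))
```

The `min_scatter` threshold is a judgement call: on a router with genuine ECMP toward a prefix, a legitimate source will also show a few ingress interfaces, which is why the egress check toward the same address is applied before calling the scatter spoofing. When the exporter holds no flows toward the address at all, the function declines to decide rather than labelling the source spoofed on scatter alone.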