[nsp-sec] More UDP 'attention'
King, Link
Link.King at neustar.com
Tue Apr 26 15:54:48 EDT 2011
One last follow-up/request on this (I hope) ... If there is someone from
Global Crossing that has access to flow data that wouldn't mind running a
query or two I'd appreciate a contact off list. Thanks.
-Link
On 4/26/11 11:31 AM, "King, Link" <Link.King at neustar.com> wrote:
>----------- nsp-security Confidential --------
>
>Those are anycast prefixes for authoritative DNS so you'll see them
>globally. Apologies if that was confusing. The presumption of spoofed
>was due to the sheer number of sources and the fact that they were all
>hitting one geographic region where normally we would expect to see them
>globally distributed (eg. European sources hitting west coast of US as
>opposed to Europe nodes). The attack itself has died off but we were able
>to determine that the vast majority of the traffic was coming in via China
>Netcom.
>
>Of note, within Qwest's network there are some peculiarities that I'd be
>happy to discuss off list if you'd like. Thanks a ton for taking a look!
>
>-Link
>
>
>
>-----Original Message-----
>From: "Smith, Donald" <Donald.Smith at qwest.com>
>Date: Tue, 26 Apr 2011 13:52:56 -0400
>To: Link King <link.king at neustar.com>, "'nsp-security at puck.nether.net'"
><nsp-security at puck.nether.net>
>Cc: "Roper, Sara" <Sara.Roper at qwest.com>
>Subject: RE: More UDP 'attention'
>
>>Sara ran a netflow report based on the victim ips.
>>I spot checked just 204.74.101.1.
>>The sif (source interface) for packets FROM 204.74.101.1 was all over the
>>place -> (spoofed or multipath).
>>
>>Then I looked at a single attacker as the source and see that ALL of the
>>sif's for it are the same (not spoofed) and that the destination
>>interface towards 204.74.101.1 is constant (351). So we don't have
>>multiple return paths for 204.74.101.1.
>>
>>So it looks like someone is spoofing their IPs and doing a dns reflective
>>attack.
>>That is what this pattern looks like to me anyways.
>>
>>You stated "that the src's are spoofed" what did you base that on?
>>You also mentioned that the packets were malformed again can you provide
>>additional details about that?
>>
>>Sharing: Author's permission required.
>>Donald.Smith at qwest.com
>>
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
>>> bounces at puck.nether.net] On Behalf Of King, Link
>>> Sent: Tuesday, April 26, 2011 5:00 AM
>>> To: nsp-security at puck.nether.net
>>> Subject: [nsp-sec] More UDP 'attention'
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> We're receiving another UDP/53 attack with a new target this time:
>>>
>>> Target: 204.69.234.1 & 204.74.101.1
>>> DST Proto/Port: UDP/53
>>> Length: 55 bytes
>>> Source ports: Various
>>> Source IP's: Spoofed/tons
>>>
>>> We're seeing around 1.5 Mpps hitting our two west coast data centers
>>> almost exclusively and the sources are obviously spoofed
>>> (unfortunately).
>>> The packet itself is malformed but interestingly includes a domain:
>>> boxun.com. Presumably the target.
>>>
>>> I realize without sources it's difficult but if any backbone folks could
>>> take a look at flows to the above two destinations and notice anything
>>> that would help track back source networks and such that might be
>>> helpful.
>>> Thanks!
>>>
>>> --
>>> Link King
>>> link.king at neustar.com
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security
>>> counter-measures.
>>> _______________________________________________
>>
>>This communication is the property of Qwest and may contain confidential or
>>privileged information. Unauthorized use of this communication is strictly
>>prohibited and may be unlawful. If you have received this communication
>>in error, please immediately notify the sender by reply e-mail and destroy
>>all copies of the communication and any attachments.
>
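The flow-data reasoning Donald describes in the thread (a source address whose packets enter on many different input interfaces is spoofed or multipathed; if our own traffic toward that address leaves on a single egress interface, multipath is ruled out and spoofing is the better explanation) as an added Python example. This is not code from anyone on the list; the flow records are constructed, and apart from the target address 204.74.101.1 and egress interface 351 quoted above, every address and interface number is invented.

```python
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set


class Flow(NamedTuple):
    """One NetFlow-style record: claimed source, destination, the router
    interface the packets entered on (in_if, the 'sif' in the thread), the
    interface they left on (out_if), and the packet count."""
    src_ip: str
    dst_ip: str
    in_if: int
    out_if: int
    packets: int


# Constructed sample records, not real flow data. 204.74.101.1 and interface
# 351 are the values quoted in the thread; everything else is invented.
FLOWS = [
    # Packets claiming to be FROM the victim address enter on many interfaces.
    Flow("204.74.101.1", "198.51.100.10", 12, 88, 400),
    Flow("204.74.101.1", "198.51.100.11", 77, 90, 380),
    Flow("204.74.101.1", "198.51.100.12", 203, 91, 410),
    Flow("204.74.101.1", "198.51.100.13", 9, 92, 395),
    # One attacker source always enters on the same interface, and traffic
    # toward the victim always leaves on interface 351 (no multiple return paths).
    Flow("198.51.100.10", "204.74.101.1", 12, 351, 5000),
    Flow("198.51.100.10", "204.74.101.1", 12, 351, 4800),
    Flow("203.0.113.7", "204.74.101.1", 44, 351, 20),
    # A genuinely multihomed neighbour: two ingress interfaces, and our own
    # traffic back toward it also uses two egress interfaces.
    Flow("192.0.2.50", "203.0.113.7", 5, 60, 30),
    Flow("192.0.2.50", "203.0.113.7", 6, 61, 25),
    Flow("203.0.113.7", "192.0.2.50", 44, 5, 10),
    Flow("203.0.113.7", "192.0.2.50", 44, 6, 10),
]


def ingress_interfaces(flows: Iterable[Flow]) -> Dict[str, Set[int]]:
    """src_ip -> set of input interfaces on which packets with that source arrived."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        seen[f.src_ip].add(f.in_if)
    return seen


def egress_interfaces(flows: Iterable[Flow]) -> Dict[str, Set[int]]:
    """dst_ip -> set of output interfaces our network used toward that address."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        seen[f.dst_ip].add(f.out_if)
    return seen


def classify_sources(flows: Iterable[Flow], max_ingress: int = 1) -> Dict[str, str]:
    """Apply the thread's reasoning to every source address seen in the flows.

    consistent            : enters on at most max_ingress interfaces (not spoofed)
    likely-spoofed        : enters on more interfaces, but our egress toward that
                            address uses exactly one interface, so multipath
                            cannot explain the spread
    spoofed-or-multipath  : enters on more interfaces and we either have several
                            return paths or no egress data to rule multipath out
    """
    flows = list(flows)
    ingress = ingress_interfaces(flows)
    egress = egress_interfaces(flows)
    verdict: Dict[str, str] = {}
    for ip, in_ifs in ingress.items():
        if len(in_ifs) <= max_ingress:
            verdict[ip] = "consistent"
        elif len(egress.get(ip, set())) == 1:
            verdict[ip] = "likely-spoofed"
        else:
            verdict[ip] = "spoofed-or-multipath"
    return verdict


if __name__ == "__main__":
    ingress = ingress_interfaces(FLOWS)
    for ip, label in sorted(classify_sources(FLOWS).items()):
        print(f"{ip:16} ingress_ifs={sorted(ingress[ip])} -> {label}")
```

The egress check is what turns "spoofed or multipath" into a verdict: a spread of input interfaces alone is ambiguous, but if the router only ever forwards toward that prefix on one interface, there is no second path the replies could have taken, which is the same conclusion the thread reaches from the constant destination interface 351.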