[nsp-sec] DDoS Attack in progress
Mike Tancsa
mike at sentex.net
Fri Dec 23 15:55:58 EST 2011
I am seeing a steady stream, but I am also seeing responses? Let me
see if I can get any access to these customer boxes and see what they
are doing.
15:53:25.477315 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto:
UDP (17), length: 533) 64.7.141.17.53 > 178.251.233.35.53: [udp sum ok]
952 q: ANY? ripe.net. 3/13/1 ripe.net. Type46, ripe.net. Type43,
ripe.net. Type43 ns: net. NS d.gtld-servers.net., net. NS
e.gtld-servers.net., net. NS f.gtld-servers.net., net. NS
g.gtld-servers.net., net. NS h.gtld-servers.net., net. NS
i.gtld-servers.net., net. NS j.gtld-servers.net., net. NS
k.gtld-servers.net., net. NS l.gtld-servers.net., net. NS
m.gtld-servers.net., net. NS a.gtld-servers.net., net. NS
b.gtld-servers.net., net. NS c.gtld-servers.net. ar: . OPT UDPsize=4096
(505)
15:53:25.477550 IP (tos 0x0, ttl 63, id 58338, offset 0, flags [DF],
proto: UDP (17), length: 468) 64.7.141.29.53 > 178.251.233.35.53: [udp
sum ok] 952 q: ANY? ripe.net. 2/13/9 ripe.net. Type47, ripe.net. A
193.0.6.139 ns: net. NS j.gtld-servers.net., net. NS
k.gtld-servers.net., net. NS l.gtld-servers.net., net. NS
m.gtld-servers.net., net. NS a.gtld-servers.net., net. NS
b.gtld-servers.net., net. NS c.gtld-servers.net., net. NS
d.gtld-servers.net., net. NS e.gtld-servers.net., net. NS
f.gtld-servers.net., net. NS g.gtld-servers.net., net. NS
h.gtld-servers.net., net. NS i.gtld-servers.net. ar: c.gtld-servers.net.
A 192.26.92.30, d.gtld-servers.net. A 192.31.80.30, e.gtld-servers.net.
A 192.12.94.30, f.gtld-servers.net. A 192.35.51.30, i.gtld-servers.net.
A 192.43.172.30, j.gtld-servers.net. A 192.48.79.30, k.gtld-servers.net.
A 192.52.178.30, m.gtld-servers.net. A 192.55.83.30, . OPT UDPsize=4096
(440)
15:53:25.683529 IP (tos 0x0, ttl 116, id 22787, offset 0, flags [none],
proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.29.53: [no
cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
0x0000: 4500 0042 5903 0000 7411 8464 b2fb e923 E..BY...t..d...#
0x0010: 4007 8d1d 0035 0035 002e 0000 03b8 0100 @....5.5........
0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
0x0040: 0000 ..
15:53:25.683654 IP (tos 0x0, ttl 116, id 22798, offset 0, flags [none],
proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.17.53: [no
cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
0x0000: 4500 0042 590e 0000 7411 8465 b2fb e923 E..BY...t..e...#
0x0010: 4007 8d11 0035 0035 002e 0000 03b8 0100 @....5.5........
0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
0x0040: 0000 ..
On 12/23/2011 3:25 PM, Daniel Goscomb wrote:
> ----------- nsp-security Confidential --------
>
> Hi All
>
> We have an attack in progress against one of our downstream customers which they have asked us to filter. We're currently filtering 2.2Gbps of UDP destined to 178.251.233.35 (ports 0 and 53). The source and destination ports are always the same (i.e. 0 and 0 or 53 and 53).
>
> There is no DNS server on this box; it's not legitimate traffic. Sources appear to be spoofed (3-5 hosts in a row from each /24 that seems to be in use).
>
> If you could please check for any flows towards 178.251.233.35 it would be appreciated.
>
> Cheers
>
> Dan
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
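Added example, not code from the thread or from either operator: a Python parser for tcpdump summary lines like the ones in the capture above. It pairs each DNS response a resolver sent with the query it answers and reports, for each of the operator's resolvers that answered an ANY query for a client outside the operator's own space, the on-the-wire amplification factor (response IP length over query IP length) and whether the query used equal source and destination ports, as Dan noted. The 64.7.141.0/24 prefix and the rejoined, trimmed sample lines are constructed assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample: the four tcpdump summary lines from the thread, each rejoined
# onto one line and cut down to the fields this parser reads.
SAMPLE = """\
15:53:25.477315 IP (tos 0x0, ttl 63, proto: UDP (17), length: 533) 64.7.141.17.53 > 178.251.233.35.53: [udp sum ok] 952 q: ANY? ripe.net. 3/13/1 ripe.net. Type46 ... (505)
15:53:25.477550 IP (tos 0x0, ttl 63, proto: UDP (17), length: 468) 64.7.141.29.53 > 178.251.233.35.53: [udp sum ok] 952 q: ANY? ripe.net. 2/13/9 ripe.net. Type47 ... (440)
15:53:25.683529 IP (tos 0x0, ttl 116, proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.29.53: [no cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
15:53:25.683654 IP (tos 0x0, ttl 116, proto: UDP (17), length: 66) 178.251.233.35.53 > 64.7.141.17.53: [no cksum] 952+ [1au] ANY? ripe.net. ar: . OPT UDPsize=4096 (38)
"""
# Assumption for this example: the operator's own address space. A resolver in it
# answering a client outside it is the open-resolver reflection pattern in the capture.
OUR_PREFIX = ip_network("64.7.141.0/24")

# tcpdump -v summary: the answer/authority/additional counts appear only in responses.
LINE_RE = re.compile(
    r"length: (?P<iplen>\d+)\) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) ?(?P<counts>\d+/\d+/\d+)?")

def parse(line):
    # Returns the fields of one DNS summary line, or None for anything else.
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"], d["dst"] = ip_address(d["src"]), ip_address(d["dst"])
    d["iplen"], d["sport"], d["dport"] = int(d["iplen"]), int(d["sport"]), int(d["dport"])
    d["is_response"] = d["counts"] is not None
    return d

def reflection_report(text, our_prefix=OUR_PREFIX):
    """Pair each response with the query it answers and flag pairs where a resolver
    inside our_prefix answered a client outside it, with the amplification factor."""
    queries, responses = {}, {}
    for line in text.splitlines():
        p = parse(line)
        if p is None:
            continue
        # Index both directions by (resolver, client, qname) so they pair up.
        key = (p["src"], p["dst"], p["qname"]) if p["is_response"] else (p["dst"], p["src"], p["qname"])
        (responses if p["is_response"] else queries)[key] = p
    report = []
    for (resolver, client, qname), r in responses.items():
        q = queries.get((resolver, client, qname))
        if q is None or resolver not in our_prefix or client in our_prefix:
            continue
        report.append({"resolver": str(resolver), "client": str(client), "qname": qname,
                       "qtype": r["qtype"], "same_port": q["sport"] == q["dport"],
                       "amplification": round(r["iplen"] / q["iplen"], 1)})
    return report
```

On the capture above the report lists both customer boxes answering ANY ripe.net for 178.251.233.35 with roughly 8x and 7x amplification at the IP layer; the same pairing works on a longer tcpdump -v capture of port 53 traffic.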