[nsp-sec] DNS based DDoS Attack - Chinanet, if you're around could use some assistance

Nicholas Ianelli ni at centergate.net
Tue Jan 25 11:01:35 EST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

These are a bit odd. These IPs are all querying from the same source
port and hitting our recursive servers for the domains in question:

123.185.174.233
221.205.229.75
123.233.205.89
58.35.115.203
222.130.114.112
60.177.154.191
124.226.172.230
112.117.11.219
123.165.34.157

These could be legit, but any insight would be helpful. They appear to
be end user systems.

Nick

On 1/25/2011 8:36 AM, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> Folks,
> 
> We are currently experiencing a manageable DDoS attack at roughly 1
> million pps. These are legitimate looking DNS queries (port 53/UDP) for
> the following domain:
> 
> zhantai.com
> 
> The queries are hitting the following two IP addresses:
> 
> 204.69.234.1
> 204.74.101.1
> 
> ** NOTE: the above are legitimate DNS servers, please do NOT block
> queries to them. **
> 
> If folks have intel on a C2 instructing bots to DDoS zhantai.com or see
> an abnormally large amount of traffic destined to 204.74.101.1 and
> 204.69.234.1 I would love to have a chat with you.
> 
> We'll be going through the pcaps shortly and I'll provide more details
> as I have them.
> 
> Thanks!
> Nick
> 

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________


- -- 
Nicholas Ianelli: Neustar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAk0+898ACgkQi10dJIBjZIAHZwCgq/vzD/QjnGrqldD+CtWnzYl6
wHEAoKADTHoKJeLPY1SwXh+BtOeG60VZ
=wcq3
-----END PGP SIGNATURE-----
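The pattern Nick describes (many end-user addresses, each sending a stream of queries for one name from a single fixed source port, to a recursive server that must keep answering legitimate clients) can be pulled out of a resolver's query log without blocking anything. The script below is an added example, not code from the original post or from Neustar; it parses constructed BIND-style query-log lines (the source addresses are the ones listed in the post, the ports, timestamps and counts are invented), profiles each source by query count, distinct source ports and queried names, and flags sources that send at least `min_queries` queries all from one port. A stub or recursive resolver that randomizes its source port will not trip this; the `min_queries` threshold, the log format and every function name are assumptions for the example.

```python
"""Spot DNS query floods where each source sticks to one source port.

Added example, not from the original post.  Constructed query-log lines in
a BIND-style "client IP#PORT: query: NAME IN TYPE" format are parsed, then
each source address is profiled by query count, distinct source ports and
queried names.  A source that sends many queries, all from a single port,
is flagged; a real stub or recursive resolver randomizes its source port.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines for illustration only.  The client addresses
# are those listed in the post; ports, timestamps and counts are invented.
SAMPLE_LOG = """\
25-Jan-2011 08:36:01.001 client 123.185.174.233#4000: query: zhantai.com IN A + (204.69.234.1)
25-Jan-2011 08:36:01.002 client 123.185.174.233#4000: query: zhantai.com IN A + (204.69.234.1)
25-Jan-2011 08:36:01.003 client 123.185.174.233#4000: query: zhantai.com IN A + (204.74.101.1)
25-Jan-2011 08:36:01.004 client 221.205.229.75#4000: query: zhantai.com IN A + (204.69.234.1)
25-Jan-2011 08:36:01.005 client 221.205.229.75#4000: query: zhantai.com IN A + (204.69.234.1)
25-Jan-2011 08:36:01.006 client 221.205.229.75#4000: query: zhantai.com IN A + (204.74.101.1)
25-Jan-2011 08:36:01.007 client 198.51.100.7#53211: query: www.example.net IN A + (204.69.234.1)
25-Jan-2011 08:36:01.008 client 198.51.100.7#40122: query: mail.example.org IN MX + (204.69.234.1)
25-Jan-2011 08:36:01.009 client 198.51.100.7#61009: query: zhantai.com IN A + (204.69.234.1)
"""

# Matches the "client IP#PORT: query: NAME IN TYPE" part of a BIND-style line.
LINE_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (src_ip, src_port, qname) for each parseable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["qname"].rstrip(".").lower()


def profile_sources(log_text):
    """Per source IP: total queries, set of source ports, Counter of qnames."""
    profiles = defaultdict(lambda: {"queries": 0, "ports": set(), "qnames": Counter()})
    for ip, port, qname in parse_queries(log_text):
        p = profiles[ip]
        p["queries"] += 1
        p["ports"].add(port)
        p["qnames"][qname] += 1
    return profiles


def flag_fixed_port_floods(log_text, min_queries=3):
    """Return {ip: (port, most_queried_name)} for sources that sent at least
    min_queries queries, every one of them from the same source port.
    min_queries is an assumed threshold; tune it to the resolver's normal load."""
    flagged = {}
    for ip, p in profile_sources(log_text).items():
        if p["queries"] >= min_queries and len(p["ports"]) == 1:
            (port,) = p["ports"]
            qname, _ = p["qnames"].most_common(1)[0]
            flagged[ip] = (port, qname)
    return flagged


def shared_port_clusters(flagged):
    """Group flagged sources by (port, qname).  Many distinct sources on the
    same port asking for the same name is the shape the post describes."""
    clusters = defaultdict(list)
    for ip, key in flagged.items():
        clusters[key].append(ip)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


if __name__ == "__main__":
    flagged = flag_fixed_port_floods(SAMPLE_LOG)
    for ip, (port, qname) in sorted(flagged.items()):
        print(f"{ip:16} port {port:5} -> {qname}")
    for (port, qname), ips in shared_port_clusters(flagged).items():
        print(f"cluster: {len(ips)} sources on port {port} querying {qname}: {', '.join(ips)}")
```

The output is a candidate list, not a block list: the flagged addresses are fed to the upstream networks (as the post does), while the resolver itself stays reachable for everyone else. Feeding the script a larger window of real log lines also surfaces the dominant qname per cluster, which is the quickest way to confirm which domain is being targeted.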