[nsp-sec] Reply: DNS based DDoS Attack - Chinanet, if you're around could use some assistance
王华
wanghua at cndata.com
Tue Jan 25 20:05:38 EST 2011
Dear Nick,
Because nsp-security does not allow forwarding the email, you can contact my
colleague Liu Ziqian. His email is liuzq at chinatelecom.com.cn. I also gave
him a message. By the way, there are some IP addresses belonging to another
China ISP, China Unicom.
inetnum: 221.204.0.0 - 221.205.255.255
netname: UNICOM-SX
descr: China Unicom Shanxi Province Network
descr: China Unicom
country: CN
inetnum: 123.232.0.0 - 123.235.255.255
netname: UNICOM-SD
descr: China Unicom Shandong Province Network
descr: China Unicom
country: CN
inetnum: 222.128.0.0 - 222.131.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Nicholas Ianelli
Sent: January 26, 2011 0:02
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DNS based DDoS Attack - Chinanet, if you're around could
use some assistance
----------- nsp-security Confidential --------
These are a bit odd. These IPs are all querying from the same source
port and hitting our recursive servers for the domains in question:
These could be legit, but any insight would be helpful. They appear to
be end user systems.
Nick
On 1/25/2011 8:36 AM, Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> Folks,
>
> We are currently experiencing a manageable DDoS attack at roughly 1
> million pps. These are legitimate looking DNS queries (port 53/UDP) for
> the following domain:
>
> zhantai.com
>
> The queries are hitting the following two IP addresses:
>
> 204.69.234.1
> 204.74.101.1
>
> ** NOTE: the above are legitimate DNS servers please do NOT block
> queries to it. **
>
> If folks have intel on a C2 instructing bots to DDoS zhantai.com or see
> an abnormally large amount of traffic destined to 204.74.101.1 and
> 204.69.234.1 I would love to have a chat with you.
>
> We'll be going through the pcaps shortly and I'll provide more details
> as I have them.
>
> Thanks!
> Nick
>
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
--
Nicholas Ianelli: Neustar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
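Nick's observation above (many end-user sources querying the two resolvers for the attacked domain, each from a single fixed source port) and Wang Hua's inetnum lookups together suggest a simple triage check. The script below is an added example, not code from either poster or from Neustar: it groups constructed query-log lines by source IP, flags sources that repeatedly query the listed resolvers for the domain from one source port, and attributes each flagged source to one of the China Unicom ranges quoted in the reply. The log format (ts src sport dst qname), the source port 53842 and the sample lines are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Resolvers named in the thread (legitimate servers; the goal is attribution, not blocking).
RESOLVERS = {"204.69.234.1", "204.74.101.1"}
# inetnum ranges quoted in the reply: (first, last, netname).
INETNUMS = [("221.204.0.0", "221.205.255.255", "UNICOM-SX"),
            ("123.232.0.0", "123.235.255.255", "UNICOM-SD"),
            ("222.128.0.0", "222.131.255.255", "UNICOM-BJ")]

def lookup_inetnum(ip):
    """Return the netname of the quoted inetnum range containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for first, last, name in INETNUMS:
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return None

def flag_fixed_port_sources(lines, qname, min_queries=2):
    """Flag source IPs that query the resolvers for qname at least
    min_queries times, all from one source port. Returns
    {src_ip: {"queries": n, "sport": port, "netname": name_or_None}}."""
    per_src = defaultdict(lambda: {"queries": 0, "ports": set()})
    for line in lines:
        src, sport, dst, name = line.split()[1:5]   # hypothetical format: ts src sport dst qname
        if dst not in RESOLVERS or name.rstrip(".").lower() != qname:
            continue
        per_src[src]["queries"] += 1
        per_src[src]["ports"].add(int(sport))
    flagged = {}
    for src, info in per_src.items():
        if info["queries"] >= min_queries and len(info["ports"]) == 1:
            flagged[src] = {"queries": info["queries"],
                            "sport": info["ports"].pop(),
                            "netname": lookup_inetnum(src)}
    return flagged

# Constructed sample lines (hypothetical, not captured traffic): ts src sport dst qname
SAMPLE = """\
1295967600.001 221.205.229.75 53842 204.69.234.1 zhantai.com.
1295967600.002 221.205.229.75 53842 204.74.101.1 zhantai.com.
1295967600.003 123.233.205.89 53842 204.74.101.1 zhantai.com.
1295967600.004 123.233.205.89 53842 204.69.234.1 zhantai.com.
1295967600.005 192.0.2.10 40001 204.69.234.1 zhantai.com.
1295967600.006 192.0.2.10 40002 204.69.234.1 zhantai.com.
1295967600.007 192.0.2.11 53842 204.69.234.1 example.com.
""".splitlines()
```

Sources using a fresh ephemeral port per query (192.0.2.10 here) are left alone, which is what separates ordinary stub-resolver traffic from the fixed-port pattern Nick describes.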