[nsp-sec] Little help - DDoS attack - Port 53/UDP

Nicholas Ianelli ni at allyourinfoarebelongto.us
Sun Jul 17 14:51:07 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

Not sure how many of you know Kurt or Dan over at No-IP (good people),
but they reached out to me last week as they've been under a pretty
large DDoS attack. It's starting again and I wanted to see if we could
help them.

In all the past attacks the traffic was spoofed; I'm assuming the same
thing in this case.

Actors are hammering their name servers looking for randomly generated
NX sub-domains. In this particular case:

mypsx.net
nhlfan.net

Small sample of attack traffic:

11:36:10.560874 IP 61.150.95.100.4107 > 8.23.224.165.domain:  5348+ A? KUY6AaKE.nhlfan.net. (37)
11:36:10.560875 IP 202.110.73.238.camp > 8.23.224.165.domain:  3292+ A? mcdYn76d7Q.nhlfan.net. (39)
11:36:10.560881 IP 183.62.43.170.nati-logos > 8.23.224.165.domain: 2404+ A? Erd43gU.mypsx.net. (35)
11:36:10.560893 IP 125.75.53.67.4075 > 8.23.224.165.domain:  16152+ A? 6asCaW40u.mypsx.net. (37)
11:36:10.560893 IP 58.18.224.107.pit-vpn > 8.23.224.165.domain:  3944+ A? usKpL23u9e.nhlfan.net. (39)
11:36:10.560906 IP 60.216.20.114.4272 > 8.23.224.165.domain:  3332+ A? 4Kuu60ky.mypsx.net. (36)
11:36:10.560906 IP 222.162.139.54.quicksuite > 8.23.224.165.domain: 8008+ A? yMW2KEO8m.mypsx.net. (37)
11:36:10.560918 IP 220.248.185.65.21934 > 8.23.224.165.domain:  1592+ A? m6SGma6E46.mypsx.net. (38)
11:36:10.560919 IP 222.222.61.10.netobjects2 > 8.23.224.165.domain: 17912+ A? KU22k0WWa.nhlfan.net. (38)
11:36:10.560932 IP 123.164.51.127.32978 > 8.23.224.165.domain:  1432+ A? ssys64W.nhlfan.net. (36)


The following Name Servers (destinations) are being hit:

nf1.no-ip.com.		78754	IN	A	8.23.224.165
nf2.no-ip.com.		78754	IN	A	69.72.255.8
nf3.no-ip.com.		24264	IN	A	69.65.40.108
nf4.no-ip.com.		1983	IN	A	69.65.5.122
nf5.no-ip.com.		60	IN	A	83.222.240.75


It would be great if we could isolate the attack traffic and drop it. In
addition, any way to track this back to a botnet would be really
beneficial. Like I said, this has been happening; the malicious actors
are just switching which domain to target.

Thanks!
Nick


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4jLxgACgkQi10dJIBjZIA/kACgwLqgPghLuEZ1L1cOS8/fsvtS
ur0AnROgvdO+P+o7YDCgOGWsrohU0kGy
=Y60p
-----END PGP SIGNATURE-----
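As an added example for the request above (this is not code from the poster, No-IP or nsp-sec), the Python below parses tcpdump lines in the format pasted in the message, scores the leftmost label of each query for randomness, and aggregates per zone so the random-subdomain flood can be separated from ordinary queries for the same zones. The parsing regex, the randomness thresholds, the two-label zone assumption and the benign 10.0.0.x sample lines are my assumptions; the attack lines in the sample are the post's capture, unwrapped onto one line each.

```python
"""Score tcpdump DNS query lines for random-subdomain (NXDOMAIN) flood traffic.

Added example for the thread above; not code from the poster, No-IP or nsp-sec.
Hypothetical assumptions: one query per line in exactly the tcpdump format
pasted in the post, zones are the last two labels of the query name, and the
randomness thresholds below are my own choices.
"""
import math
import re
from collections import Counter, defaultdict

# tcpdump -n still prints service names for well-known source ports
# (".camp", ".nati-logos" in the post), so the port is matched as a token.
# The "+" after the transaction ID is tcpdump's marker for the RD bit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+)"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):\s+"
    r"(?P<txid>\d+)\+?\s+(?P<qtype>\w+)\?\s+(?P<qname>\S+?)\.?\s+\((?P<len>\d+)\)$"
)

# Constructed sample: the first ten lines are the post's capture unwrapped onto
# one line each; the 10.0.0.x lines are made-up benign queries for contrast.
SAMPLE = """\
11:36:10.560874 IP 61.150.95.100.4107 > 8.23.224.165.domain:  5348+ A? KUY6AaKE.nhlfan.net. (37)
11:36:10.560875 IP 202.110.73.238.camp > 8.23.224.165.domain:  3292+ A? mcdYn76d7Q.nhlfan.net. (39)
11:36:10.560881 IP 183.62.43.170.nati-logos > 8.23.224.165.domain: 2404+ A? Erd43gU.mypsx.net. (35)
11:36:10.560893 IP 125.75.53.67.4075 > 8.23.224.165.domain:  16152+ A? 6asCaW40u.mypsx.net. (37)
11:36:10.560893 IP 58.18.224.107.pit-vpn > 8.23.224.165.domain:  3944+ A? usKpL23u9e.nhlfan.net. (39)
11:36:10.560906 IP 60.216.20.114.4272 > 8.23.224.165.domain:  3332+ A? 4Kuu60ky.mypsx.net. (36)
11:36:10.560906 IP 222.162.139.54.quicksuite > 8.23.224.165.domain: 8008+ A? yMW2KEO8m.mypsx.net. (37)
11:36:10.560918 IP 220.248.185.65.21934 > 8.23.224.165.domain:  1592+ A? m6SGma6E46.mypsx.net. (38)
11:36:10.560919 IP 222.222.61.10.netobjects2 > 8.23.224.165.domain: 17912+ A? KU22k0WWa.nhlfan.net. (38)
11:36:10.560932 IP 123.164.51.127.32978 > 8.23.224.165.domain:  1432+ A? ssys64W.nhlfan.net. (36)
11:36:10.561002 IP 10.0.0.5.53412 > 8.23.224.165.domain:  100+ A? www.mypsx.net. (31)
11:36:10.561010 IP 10.0.0.6.53413 > 8.23.224.165.domain:  101+ A? mail.nhlfan.net. (33)
11:36:10.561020 IP 10.0.0.7.53414 > 8.23.224.165.domain:  102+ A? ftp.mypsx.net. (31)
"""


def parse(lines):
    """Yield one dict per line that matches the tcpdump query format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def shannon_entropy(s):
    """Bits per character of the label, computed from its own character counts."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label, min_len=6, min_classes=2, min_entropy=2.0):
    """Heuristic: long enough, mixes character classes, high per-char entropy.

    Tuned to the mixed-case alphanumeric labels in the post. A lowercase-only
    flood would need min_classes lowered, and ordinary hostnames such as
    'server01' land near the threshold, so act on zone-level ratios rather
    than on single names.
    """
    if len(label) < min_len:
        return False
    classes = (any(c.islower() for c in label)
               + any(c.isupper() for c in label)
               + any(c.isdigit() for c in label))
    return classes >= min_classes and shannon_entropy(label) >= min_entropy


def zone_of(qname):
    """Assumed two-label zones (mypsx.net, nhlfan.net); adjust for longer ones."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def summarize(lines):
    """Per zone: total queries, random-looking queries, distinct source IPs."""
    out = defaultdict(lambda: {"total": 0, "random": 0, "sources": set()})
    for q in parse(lines):
        rec = out[zone_of(q["qname"])]
        rec["total"] += 1
        rec["sources"].add(q["src"])
        if looks_random(q["qname"].split(".")[0]):
            rec["random"] += 1
    return dict(out)


def flooded_zones(summary, min_queries=5, min_ratio=0.7):
    """Zones where most queries look random: the drop or rate-limit targets.

    With spoofed sources, distinct sources approach the query count and
    per-IP filtering is pointless, which is why the decision is per zone.
    """
    return sorted(z for z, r in summary.items()
                  if r["total"] >= min_queries
                  and r["random"] / r["total"] >= min_ratio)


if __name__ == "__main__":
    s = summarize(SAMPLE.splitlines())
    for zone, r in sorted(s.items()):
        print(f"{zone}: {r['random']}/{r['total']} random-looking, "
              f"{len(r['sources'])} distinct sources")
    print("flooded:", flooded_zones(s))
```

Run it against a live `tcpdump -n -i <if> udp dst port 53` stream instead of SAMPLE and the per-zone ratio is the number to watch: a zone whose queries are almost all unique, random-looking labels from almost all-distinct sources is the one to rate-limit or temporarily drop NXDOMAIN-bound queries for, accepting that legitimate lookups for that zone are collateral while the rule is in place.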
