[nsp-sec] DNS Reflection DDoS

King, Link Link.King at neustar.com
Wed Mar 2 15:40:01 EST 2011


>Hi Team,
>
>We're trying to figure out what tool is being used with this ISC.ORG/ANY
>reflection. It has been happening for a while. We'll pull information to
>help people mitigate looking at making ISC.ORG/ANY less attractive.
>
>So any intel on the launch machines would be helpful.

I can provide data on this hitting our recursives.  Example of something
that is going on right now:

20:23:14.640169 IP (tos 0x0, ttl 240, id 34051, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.640209 IP (tos 0x0, ttl 240, id 19201, offset 0, flags [none], proto: UDP (17), length: 64) 210.1.60.93.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.642170 IP (tos 0x0, ttl 240, id 62731, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.646020 IP (tos 0x0, ttl 240, id 62482, offset 0, flags [none], proto: UDP (17), length: 64) 210.1.60.93.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.652780 IP (tos 0x0, ttl 240, id 36118, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)


That traffic is coming in via Level 3 if anyone wants to take a stab at
working something backwards.  Assuming these sources are targets, here are
some recent/current victims:

AS      | IP               | CC | AS Name
9891    | 210.1.60.93      | TH | CSLOX-IDC-AS-AP CS LOXINFO Public Company Limited.
28753   | 95.168.167.214   | DE | NETDIRECT Leaseweb Germany GmbH (previously netdirekt e. K.)
28753   | 188.72.225.120   | DE | NETDIRECT Leaseweb Germany GmbH (previously netdirekt e. K.)
36351   | 173.192.199.209  | US | SOFTLAYER - SoftLayer Technologies Inc.

This seems to fluctuate, so flows may come and go.  Give me a shout on or
off list if anyone would like more info.

--
Link King
link.king at neustar.com
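Added example, not part of the thread and not any tool the poster or the ISC team used: a short Python script that parses tcpdump lines in the format quoted in the message above and summarises the ANY-query reflection traffic per apparent source address. It assumes tcpdump's "-v" line format for UDP DNS queries with an EDNS OPT record. The sample input is constructed from the five packets in the post, rejoined one per line, plus one made-up ordinary A query from 192.0.2.10 so the filtering is visible. The closing heuristic, that distinct source addresses agreeing on TTL, source port and DNS transaction ID point to a single packet generator forging the source, is my reading of the capture, not a claim the poster makes.

```python
"""Summarise ANY-query reflection traffic from tcpdump -v output.

Added example; not from the original thread.  Assumes tcpdump's '-v'
line format for UDP DNS queries; sample lines are the five packets
from the post plus one constructed ordinary A query.
"""
import re
from collections import defaultdict

# Constructed sample input: five packets from the post, one made-up A query.
SAMPLE = """\
20:23:14.640169 IP (tos 0x0, ttl 240, id 34051, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.640209 IP (tos 0x0, ttl 240, id 19201, offset 0, flags [none], proto: UDP (17), length: 64) 210.1.60.93.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.642170 IP (tos 0x0, ttl 240, id 62731, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.646020 IP (tos 0x0, ttl 240, id 62482, offset 0, flags [none], proto: UDP (17), length: 64) 210.1.60.93.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.652780 IP (tos 0x0, ttl 240, id 36118, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.11.189.25345 > 156.154.71.22.domain: [no cksum]  10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
20:23:14.655000 IP (tos 0x0, ttl 57, id 1000, offset 0, flags [DF], proto: UDP (17), length: 56) 192.0.2.10.53211 > 156.154.71.22.domain: [udp sum ok]  4321+ A? www.example.com. (28)
"""

# One tcpdump -v DNS query line: IP header fields, 5-tuple, DNS id/qtype/qname,
# and the optional EDNS OPT record advertising the client's UDP buffer size.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r".*?(?P<txid>\d+)\+? (?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
    r"(?: ar: \. OPT UDPsize=(?P<udpsize>\d+))?"
)


def parse_tcpdump(text):
    """Return one dict per parseable DNS query line; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        for key in ("ttl", "sport", "txid"):
            p[key] = int(p[key])
        p["udpsize"] = int(p["udpsize"]) if p["udpsize"] else None
        pkts.append(p)
    return pkts


def summarise_sources(pkts, qtype="ANY"):
    """Per apparent source IP: count of `qtype` queries, names asked for,
    and the EDNS buffer sizes advertised."""
    stats = defaultdict(lambda: {"queries": 0, "qnames": set(), "udpsize": set()})
    for p in pkts:
        if p["qtype"] != qtype:
            continue
        s = stats[p["src"]]
        s["queries"] += 1
        s["qnames"].add(p["qname"])
        if p["udpsize"] is not None:
            s["udpsize"].add(p["udpsize"])
    return dict(stats)


def likely_victims(stats, min_queries=2, min_udpsize=4096):
    """Sources repeatedly asking ANY with a large EDNS buffer: in a reflection
    attack these are the spoofed addresses that receive the amplified replies."""
    return sorted(
        src for src, s in stats.items()
        if s["queries"] >= min_queries and s["udpsize"] and max(s["udpsize"]) >= min_udpsize
    )


def spoofing_indicators(pkts):
    """Group distinct source IPs sharing an identical (ttl, sport, txid).
    Hosts in unrelated networks would not normally agree on all three; when
    they do, one generator is probably forging the source address
    (a heuristic reading of the capture, not proof)."""
    groups = defaultdict(set)
    for p in pkts:
        groups[(p["ttl"], p["sport"], p["txid"])].add(p["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    stats = summarise_sources(pkts)
    for src, s in sorted(stats.items()):
        print(f"{src:16} ANY queries={s['queries']} names={sorted(s['qnames'])} "
              f"udpsize={sorted(s['udpsize'])}")
    print("likely spoofed victims:", likely_victims(stats))
    print("shared (ttl, sport, txid) across sources:", spoofing_indicators(pkts))
```

Run against the sample, the script attributes three ANY queries to 78.159.11.189 and two to 210.1.60.93, ignores the A query, and reports both addresses as sharing TTL 240, source port 25345 and transaction ID 10809, which is what makes them look like reflection targets rather than real clients. The thresholds are arbitrary and meant to be tuned against real resolver traffic, where ANY queries also occur legitimately.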
