[nsp-sec] FW: Backtracking .... Re: DNS Reflection DDoS
Smith, Donald
Donald.Smith at qwest.com
Thu Mar 3 12:05:16 EST 2011
While I fully expect the static src port to change, we are blocking that src for now on our primary svrs.
That will stop the pain for now but again I expect it to change.
Sharing: Author's permission required.
Donald.Smith at qwest.com
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Janish, Nathan
> Sent: Thursday, March 03, 2011 8:51 AM
> To: 'NSP-SEC List'
> Subject: [nsp-sec] FW: Backtracking .... Re: DNS Reflection DDoS
>
> ----------- nsp-security Confidential --------
>
> Replied off-list.
>
> Nathan
>
> -----Original Message-----
> From: King, Link [mailto:Link.King at neustar.com]
> Sent: Thursday, March 03, 2011 6:28 AM
> To: Barry Greene; Wentworth, Brett; Janish, Nathan
> Cc: NSP-SEC List
> Subject: Re: [nsp-sec] Backtracking .... Re: DNS Reflection DDoS
>
> >Only one active at the moment:
> >
> >13:20:30.447908 IP (tos 0x0, ttl 240, id 6662, offset 0, flags [none],
> >proto: UDP (17), length: 64) 78.159.108.25.25345 > 156.154.71.22.domain:
> >[no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
> >
> >Unfortunately, these seem to change so you might want to IM me (AIM:
> >kinger0003) and I can do some live data gathering.
>
> FWIW, we are also seeing the same stuff coming across Global Crossing
> (different DST on our side):
>
> 13:25:41.849475 IP (tos 0x0, ttl 238, id 62222, offset 0, flags [none],
> proto: UDP (17), length: 64) 78.159.108.25.25345 > 156.154.70.22.domain:
> [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
>
>
> --
> Link King
> link.king at neustar.com
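Added example, not part of the original thread: a small Python triage script that parses verbose tcpdump DNS lines like the two quoted above and reports queries whose source address, source port, DNS ID, type and name all repeat, which is the static tuple the block in this message keys on. The function names, the `min_hits` threshold and the third sample line (192.0.2.10) are assumptions made for the example.

```python
import re
from collections import defaultdict

# The two captures quoted in this thread, unwrapped to one line each, plus one
# constructed ordinary query from 192.0.2.10 for contrast.
SAMPLE = """\
13:20:30.447908 IP (tos 0x0, ttl 240, id 6662, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.108.25.25345 > 156.154.71.22.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
13:25:41.849475 IP (tos 0x0, ttl 238, id 62222, offset 0, flags [none], proto: UDP (17), length: 64) 78.159.108.25.25345 > 156.154.70.22.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 (36)
13:26:02.100000 IP (tos 0x0, ttl 57, id 4411, offset 0, flags [none], proto: UDP (17), length: 56) 192.0.2.10.53211 > 156.154.70.22.domain: [no cksum] 4242+ A? example.com. (29)
"""

# src.port > dst.domain: ... <dns id>[+] [optional [1au]] <QTYPE>? <qname>
REC = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?:domain|53): .*?"
    r"(?P<qid>\d+)\+? (?:\[\w+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

def parse(text):
    """Return one dict per tcpdump line that looks like a DNS query."""
    return [m.groupdict() for line in text.splitlines() if (m := REC.search(line))]

def static_tuples(records, min_hits=2):
    """Group by (src, sport, DNS id, qtype, qname) and keep repeated tuples.

    Heuristic (assumption): a real resolver varies its source port and query
    ID per query, so an identical tuple seen again, especially at several
    servers, is a candidate for a source-based filter.
    """
    seen = defaultdict(lambda: {"hits": 0, "dsts": set()})
    for r in records:
        key = (r["src"], int(r["sport"]), int(r["qid"]), r["qtype"], r["qname"])
        seen[key]["hits"] += 1
        seen[key]["dsts"].add(r["dst"])
    return {k: v for k, v in seen.items() if v["hits"] >= min_hits}

if __name__ == "__main__":
    for key, info in static_tuples(parse(SAMPLE)).items():
        src, sport, qid, qtype, qname = key
        print(f"{src}:{sport} id={qid} {qtype}? {qname} "
              f"hits={info['hits']} servers={sorted(info['dsts'])}")
```

Because the sender expects the source port to change, re-running the grouping on fresh captures shows when the tuple has moved and the filter needs updating.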