[nsp-sec] huge spikes in tcp 53. rackspace owns one of the ddos victims:(
Smith, Donald
Donald.Smith at qwest.com
Wed Mar 16 17:19:49 EDT 2011
I see a HUGE uptick on TCP 53 on Feb 26th: http://isc.sans.edu/port.html?port=53
date        records  targets  sources  tcpratio
2011-02-26  171950   65816    6908     51
Up till that point it was nearly all udp 53 being reported.
So I did an 8-week and a 52-week graph from our netflow system (Arbor) on TCP 53.
On the 8-week graph you will see a HUGE increase (from ~0 Mb/s to 800 Mb/s of TCP 53) on January 23rd or so and another on March 10th or so.
So something out there is doing very bursty TCP 53 connections/scans.
count  IP
 1263  61.161.141.4
  841  76.74.170.250
  797  76.74.170.249
  797  76.74.170.243
  791  76.74.170.245
  706  76.74.170.244
  705  76.74.170.248
  703  76.74.170.246
The first one is a .cn IP, but then the next 7 are Adobe?
Anyone know what's going on?
Is this some sort of research (DNS via TCP?)
Did anyone else notice these huge increases?
The top one is doing full three-way connections.
The Adobe IPs, on the other hand, are sending resets and coming in on lots of different interfaces, so that may be a spoofed SYN flood with the victim being Adobe.
Then we have this poor Rackspace customer who is receiving 60-byte TCP SYNs from port 53 towards port 80.
Lots of different sources, but all coming in on a single interface.
0308.06:29:58.448 0308.06:29:58.448 185 207.20.48.169 53 153 72.3.226.217 80 6 2 1 60
0308.06:30:04.775 0308.06:30:04.775 185 102.172.111.185 53 153 72.3.226.217 80 6 2 1 60
I am sure that is spoofed, since 102.172.111.185 isn't being routed :)
$ whois 102.172.111.185
Unknown AS number or IP network. Please upgrade this program.
smitdo@CO1700GSMITDO2 ~
$ whois -h whois.cymru.com 102.172.111.185
AS | IP | AS Name
NA | 102.172.111.185 | NA
smitdo@CO1700GSMITDO2 ~
$ whois -h upstream-whois.cymru.com 102.172.111.185
PEER_AS | IP | AS Name
NA | 102.172.111.185 | NA
$ traceroute 102.172.111.185
traceroute to 102.172.111.185 (102.172.111.185), 64 hops max, 52 byte packets
 1  min-core-02.inet.qwest.net (205.171.128.194)  0.240 ms !N  0.186 ms !N  0.185 ms !N
Sharing: Author's permission required.
Donald.Smith at qwest.com
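The triage the post does by hand (group the SYN-only flows per target, check whether they all arrive on one ingress interface, check whether the claimed sources are actually routed, and separate that from the reset backscatter coming from the Adobe addresses and the full sessions from the .cn host) can be scripted over the same kind of flow export. The following is an added example, not code from the post or from Qwest's or Arbor's tooling. It assumes the Arbor record layout is start, end, in_if, src, sport, out_if, dst, dport, proto, tcp_flags, pkts, bytes (an assumption read off the two records quoted above; the post does not state the column order), and it uses a small constructed prefix table in place of a real routing table or the Team Cymru lookup the post runs. The first two sample records are the ones quoted in the post; the rest are constructed to exercise the other branches.

```python
"""Triage NetFlow-style records for spoofed-source SYN floods and backscatter.

Added example, not part of the original nsp-sec post. Column order and the
ROUTED_PREFIXES table are assumptions (see comments).
"""
import ipaddress
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # NetFlow tcp_flags bit values (RFC 793 bits)

# Assumed column order of the Arbor export quoted in the post.
FIELDS = ("start", "end", "in_if", "src", "sport", "out_if",
          "dst", "dport", "proto", "flags", "pkts", "bytes")
INT_FIELDS = ("in_if", "sport", "out_if", "dport", "proto", "flags", "pkts", "bytes")

# Constructed sample: first two records are from the post, the rest are made up
# to show the backscatter (RST from one host on several ingress interfaces) and
# full-session (SYN+ACK+PSH+FIN, many packets) cases the post describes.
SAMPLE_FLOWS = """\
0308.06:29:58.448 0308.06:29:58.448 185 207.20.48.169 53 153 72.3.226.217 80 6 2 1 60
0308.06:30:04.775 0308.06:30:04.775 185 102.172.111.185 53 153 72.3.226.217 80 6 2 1 60
0308.06:30:05.001 0308.06:30:05.001 185 10.9.8.7 53 153 72.3.226.217 80 6 2 1 60
0308.06:30:05.120 0308.06:30:05.120 185 198.51.100.77 53 153 72.3.226.217 80 6 2 1 60
0308.06:31:00.000 0308.06:31:00.000 12 76.74.170.250 53 40 203.0.113.9 53 6 20 1 40
0308.06:31:00.050 0308.06:31:00.050 33 76.74.170.250 53 41 203.0.113.10 53 6 20 1 40
0308.06:31:00.090 0308.06:31:00.090 51 76.74.170.250 53 42 203.0.113.11 53 6 20 1 40
0308.06:32:00.000 0308.06:32:09.000 7 61.161.141.4 44123 8 203.0.113.53 53 6 27 12 1800
"""

# Constructed stand-in for a routing table / Team Cymru bulk lookup: prefixes we
# treat as globally routed. 102.172.111.185 is deliberately absent, as the post
# found it unrouted; 10/8 and the RFC 5737 documentation ranges fail is_global.
ROUTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "207.20.0.0/16", "76.74.160.0/20", "61.161.0.0/16", "72.3.0.0/16")]


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; numeric fields become ints."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip headers / truncated lines
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def is_routed(ip_str, routed):
    """True only for a globally routable address covered by a known prefix."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and any(ip in net for net in routed)


def triage(text, routed, min_sources=3):
    """Return findings: spoofed SYN floods, RST backscatter, and real sessions."""
    flows = [f for f in parse_flows(text) if f["proto"] == 6]
    findings = []

    # 1. Single-packet SYN-only flows grouped by target. Many sources that all
    #    enter on one interface, some of them unrouted, means spoofed sources.
    syn_by_target = defaultdict(list)
    for f in flows:
        if f["flags"] == SYN and f["pkts"] == 1:
            syn_by_target[(f["dst"], f["dport"])].append(f)
    for (dst, dport), group in syn_by_target.items():
        srcs = {f["src"] for f in group}
        ifaces = sorted({f["in_if"] for f in group})
        unrouted = sorted(s for s in srcs if not is_routed(s, routed))
        if len(srcs) >= min_sources:
            findings.append({"kind": "syn_flood", "target": f"{dst}:{dport}",
                             "sources": len(srcs), "ingress_ifaces": ifaces,
                             "unrouted_sources": unrouted,
                             "spoofed": len(ifaces) == 1 and bool(unrouted)})

    # 2. RSTs from one host arriving on several ingress interfaces: backscatter,
    #    so that host is the victim of someone else's spoofed flood.
    rst_ifaces = defaultdict(set)
    for f in flows:
        if f["flags"] & RST:
            rst_ifaces[f["src"]].add(f["in_if"])
    for src, ifaces in rst_ifaces.items():
        if len(ifaces) >= 2:
            findings.append({"kind": "backscatter", "victim": src,
                             "ingress_ifaces": sorted(ifaces)})

    # 3. SYN and ACK both seen with several packets: a completed handshake,
    #    i.e. a real (non-spoofed) client such as the .cn host in the post.
    for f in flows:
        if f["flags"] & SYN and f["flags"] & ACK and f["pkts"] > 2:
            findings.append({"kind": "full_session", "src": f["src"],
                             "target": f"{f['dst']}:{f['dport']}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS, ROUTED_PREFIXES):
        print(finding)
```

The "one ingress interface" test is the useful part: a flood whose sources are scattered across the Internet but which all arrive on a single upstream interface is being sourced from one place, whatever the packets claim; an unrouted source in that set (here the 102/8 address the post could not trace) confirms it. Replace the constructed prefix table with a dump of your RIB or a Team Cymru bulk query before using this on real exports.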