[nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
Joel Rosenblatt
joel at columbia.edu
Fri Nov 11 14:43:36 EST 2011
Hi,
I'm seeing a lot of traffic coming from that address to one of our DNS servers at our medical center (156.111.60.150). The machine 128.59.176.4 is a DNS server
at our law school:
2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.24350 17 1 104
2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.5783 17 1 104
2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.29470 17 1 238
2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64248 17 1 612
2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64928 17 1 124
2011/11/11 13:38:26 72.52.2.1.53 -> 156.111.60.150.31571 17 1 124
2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.57693 17 1 141
2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.62924 17 1 340
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.1996 17 1 133
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.31700 17 1 360
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.34524 17 1 151
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.4808 17 1 299
2011/11/11 13:38:33 72.52.2.1.53 -> 156.111.60.150.50592 17 1 648
2011/11/11 13:38:34 72.52.2.1.53 -> 156.111.70.150.7487 17 1 132
2011/11/11 13:38:58 72.52.2.1.53 -> 156.111.60.150.57473 17 1 146
2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.60.150.29184 17 1 133
2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.70.150.44407 17 1 133
2011/11/11 13:39:03 72.52.2.1.53 -> 156.111.60.150.26121 17 1 253
2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.2889 17 1 121
2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.52539 17 1 261
2011/11/11 13:39:05 72.52.2.1.53 -> 156.111.60.150.17358 17 1 137
2011/11/11 13:39:06 72.52.2.1.53 -> 156.111.60.150.22962 17 1 133
2011/11/11 13:39:07 72.52.2.1.53 -> 156.111.60.150.26432 17 1 364
2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.29476 17 1 243
2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.39218 17 1 147
2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.45585 17 1 129
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.54251 17 1 243
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.64252 17 1 642
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.8245 17 1 129
2011/11/11 13:39:40 128.59.59.92.47017 -> 72.52.2.1.53 17 1 81
2011/11/11 13:39:40 72.52.2.1.53 -> 128.59.59.92.47017 17 1 312
2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
2011/11/11 13:39:47 156.111.60.150.25478 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:47 72.52.2.1.53 -> 128.59.62.11.49354 17 1 125
2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.25478 17 1 246
2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.32755 17 1 132
2011/11/11 13:39:48 72.52.2.1.53 -> 156.111.60.150.41522 17 1 133
2011/11/11 13:39:52 72.52.2.1.53 -> 156.111.70.150.22179 17 1 334
2011/11/11 13:39:55 72.52.2.1.53 -> 156.111.70.150.21811 17 1 125
2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.11791 17 1 126
2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.29742 17 1 250
2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.31010 17 1 144
2011/11/11 13:39:57 72.52.2.1.53 -> 156.111.70.150.12482 17 1 252
2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.48805 17 1 115
2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.55493 17 1 240
2011/11/11 13:40:04 72.52.2.1.53 -> 156.111.60.150.63638 17 1 354
2011/11/11 13:40:07 72.52.2.1.53 -> 156.111.70.150.13514 17 1 388
2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.22648 17 1 652
2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.62223 17 1 388
2011/11/11 13:40:10 128.59.59.92.62717 -> 72.52.2.1.53 17 1 69
2011/11/11 13:40:10 72.52.2.1.53 -> 128.59.59.92.62717 17 1 330
2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 128.59.176.4.24265 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 128.59.176.4.33252 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 128.59.176.4.56282 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.24265 17 1 148
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.33252 17 1 262
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.56282 17 1 130
2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.34277 17 1 246
2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.43712 17 1 132
2011/11/11 13:40:24 128.59.176.100.10328 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:24 128.59.176.100.25559 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:24 156.111.60.150.13402 -> 72.52.2.1.53 17 1 76
2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.13402 17 1 130
2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.52542 17 1 128
2011/11/11 13:40:25 128.59.59.92.17966 -> 72.52.2.1.53 17 1 75
2011/11/11 13:40:25 156.111.70.150.16256 -> 72.52.2.1.53 17 1 68
2011/11/11 13:40:25 72.52.2.1.53 -> 128.59.59.92.17966 17 1 333
2011/11/11 13:40:25 72.52.2.1.53 -> 156.111.70.150.16256 17 1 275
2011/11/11 13:40:26 128.59.28.168.15583 -> 72.52.2.1.53 17 1 65
2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.15583 17 1 65
2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
2011/11/11 13:40:27 128.59.28.168.4270 -> 72.52.2.1.53 17 1 69
2011/11/11 13:40:27 72.52.2.1.53 -> 128.59.28.168.4270 17 1 300
2011/11/11 13:40:28 72.52.2.1.53 -> 156.111.60.150.33723 17 1 275
2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.20972 17 1 238
2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.43183 17 1 124
2011/11/11 13:40:31 72.52.2.1.53 -> 156.111.60.150.3208 17 1 126
2011/11/11 13:40:32 72.52.2.1.53 -> 156.111.60.150.36908 17 1 239
2011/11/11 13:40:33 72.52.2.1.53 -> 156.111.60.150.36686 17 1 126
There is more just like this if you need it.
Thanks,
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
--On Friday, November 11, 2011 2:21 PM -0500 Rodney Joffe <rjoffe at centergate.com> wrote:
> ----------- nsp-security Confidential --------
>
> First, sorry for duplicate posting if you see this twice.
>
> Second, it looks like EasyDNS is undergoing what I wrote that paper about in 2004 - a tough DDoS.
>
> Not because of the volume, but because of the profile.
>
> EasyDNS is seeing queries from valid current recursive servers for domains they are *not* authoritative for. However, we looked at our recursive servers and
> we are not seeing any queries from us, but we are seeing responses from EasyDNS.
>
> Easy is currently mitigating via Prolexic - this is the third in 24 hours. However, they're interested in getting help from us (you).
>
> The queries are being made to 72.52.2.1, and are in the form LLLgames.com where LLL is a random 3 letters.
>
> Could you please look at your flows for traffic headed towards that IP address?
>
> The attack is under way now..
>
> Thanks
> Rodney
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
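As an added example that is not part of the thread: the check Rodney describes, responses from EasyDNS arriving at hosts that never sent a query, written as a small filter over flow records in the format Joel posted. It assumes one UDP flow record per direction and a 5-second query/reply window; the sample records are taken from the post above.

```python
from collections import defaultdict
from datetime import datetime

# Flow records in the format used in the post: date time src.port -> dst.port proto pkts bytes
# (a handful of lines taken from the post above, mixing solicited and unsolicited replies)
FLOWS = """\
2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
2011/11/11 13:39:47 156.111.60.150.25478 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:47 72.52.2.1.53 -> 128.59.62.11.49354 17 1 125
2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.25478 17 1 246
2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.34277 17 1 246
2011/11/11 13:40:24 128.59.176.100.10328 -> 72.52.2.1.53 17 1 83
"""

WINDOW_S = 5  # assumption: a reply normally arrives within a few seconds of its query

def parse_flow(line):
    """Return (time, src_ip, src_port, dst_ip, dst_port, proto, bytes) for one record."""
    date, clock, src, _arrow, dst, proto, _pkts, nbytes = line.split()
    sip, sport = src.rsplit(".", 1)
    dip, dport = dst.rsplit(".", 1)
    ts = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    return ts, sip, int(sport), dip, int(dport), int(proto), int(nbytes)

def unsolicited_responses(text, server_ip):
    """Replies from server_ip:53 whose (client ip, client port) sent it no query within
    WINDOW_S beforehand. Records inside one second may be logged out of order, so a
    query logged up to 1 s *after* its reply still counts as a match."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    queries = defaultdict(list)  # (client_ip, client_port) -> [query times]
    for ts, sip, sport, dip, dport, proto, _ in flows:
        if proto == 17 and dip == server_ip and dport == 53:
            queries[(sip, sport)].append(ts)
    flagged = []
    for ts, sip, sport, dip, dport, proto, nbytes in flows:
        if not (proto == 17 and sip == server_ip and sport == 53):
            continue
        matched = any(-1 <= (ts - q).total_seconds() <= WINDOW_S for q in queries[(dip, dport)])
        if not matched:
            flagged.append((ts.strftime("%H:%M:%S"), dip, dport, nbytes))
    return flagged

if __name__ == "__main__":
    for rec in unsolicited_responses(FLOWS, "72.52.2.1"):
        print("unsolicited reply %s -> %s:%d (%d bytes)" % rec)
```

On the sample, the two replies that follow a same-second query (ports 25478 and 10765) are left alone and the four others are flagged; a large share of flagged replies from one authoritative server is the reflection profile the thread describes.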