[nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
Smith, Donald
Donald.Smith at CenturyLink.com
Fri Nov 11 15:01:56 EST 2011
Joel, did you see any ICMP errors? I usually do in spoofed reflective DNS attacks and I am not seeing any in this one so far.
Rodney, would you expect to see ICMP errors in this type of attack? Since the resolvers are making "real" queries,
maybe that is a way to recognize this type of attack from netflow?
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com
________________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
Sent: Friday, November 11, 2011 12:43 PM
To: Rodney Joffe; NSP-SEC List
Subject: Re: [nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
----------- nsp-security Confidential --------
Hi,
I'm seeing a lot of traffic coming from that address to one of our DNS servers at our medical center (156.111.60.150). The machine 128.59.176.4 is a DNS server
at our law school:
2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.24350 17 1 104
2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.5783 17 1 104
2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.29470 17 1 238
2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64248 17 1 612
2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64928 17 1 124
2011/11/11 13:38:26 72.52.2.1.53 -> 156.111.60.150.31571 17 1 124
2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.57693 17 1 141
2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.62924 17 1 340
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.1996 17 1 133
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.31700 17 1 360
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.34524 17 1 151
2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.4808 17 1 299
2011/11/11 13:38:33 72.52.2.1.53 -> 156.111.60.150.50592 17 1 648
2011/11/11 13:38:34 72.52.2.1.53 -> 156.111.70.150.7487 17 1 132
2011/11/11 13:38:58 72.52.2.1.53 -> 156.111.60.150.57473 17 1 146
2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.60.150.29184 17 1 133
2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.70.150.44407 17 1 133
2011/11/11 13:39:03 72.52.2.1.53 -> 156.111.60.150.26121 17 1 253
2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.2889 17 1 121
2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.52539 17 1 261
2011/11/11 13:39:05 72.52.2.1.53 -> 156.111.60.150.17358 17 1 137
2011/11/11 13:39:06 72.52.2.1.53 -> 156.111.60.150.22962 17 1 133
2011/11/11 13:39:07 72.52.2.1.53 -> 156.111.60.150.26432 17 1 364
2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.29476 17 1 243
2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.39218 17 1 147
2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.45585 17 1 129
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.54251 17 1 243
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.64252 17 1 642
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.8245 17 1 129
2011/11/11 13:39:40 128.59.59.92.47017 -> 72.52.2.1.53 17 1 81
2011/11/11 13:39:40 72.52.2.1.53 -> 128.59.59.92.47017 17 1 312
2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
2011/11/11 13:39:47 156.111.60.150.25478 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:47 72.52.2.1.53 -> 128.59.62.11.49354 17 1 125
2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.25478 17 1 246
2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.32755 17 1 132
2011/11/11 13:39:48 72.52.2.1.53 -> 156.111.60.150.41522 17 1 133
2011/11/11 13:39:52 72.52.2.1.53 -> 156.111.70.150.22179 17 1 334
2011/11/11 13:39:55 72.52.2.1.53 -> 156.111.70.150.21811 17 1 125
2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.11791 17 1 126
2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.29742 17 1 250
2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.31010 17 1 144
2011/11/11 13:39:57 72.52.2.1.53 -> 156.111.70.150.12482 17 1 252
2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.48805 17 1 115
2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.55493 17 1 240
2011/11/11 13:40:04 72.52.2.1.53 -> 156.111.60.150.63638 17 1 354
2011/11/11 13:40:07 72.52.2.1.53 -> 156.111.70.150.13514 17 1 388
2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.22648 17 1 652
2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.62223 17 1 388
2011/11/11 13:40:10 128.59.59.92.62717 -> 72.52.2.1.53 17 1 69
2011/11/11 13:40:10 72.52.2.1.53 -> 128.59.59.92.62717 17 1 330
2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 128.59.176.4.24265 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 128.59.176.4.33252 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 128.59.176.4.56282 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.24265 17 1 148
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.33252 17 1 262
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.56282 17 1 130
2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.34277 17 1 246
2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.43712 17 1 132
2011/11/11 13:40:24 128.59.176.100.10328 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:24 128.59.176.100.25559 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:24 156.111.60.150.13402 -> 72.52.2.1.53 17 1 76
2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.13402 17 1 130
2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.52542 17 1 128
2011/11/11 13:40:25 128.59.59.92.17966 -> 72.52.2.1.53 17 1 75
2011/11/11 13:40:25 156.111.70.150.16256 -> 72.52.2.1.53 17 1 68
2011/11/11 13:40:25 72.52.2.1.53 -> 128.59.59.92.17966 17 1 333
2011/11/11 13:40:25 72.52.2.1.53 -> 156.111.70.150.16256 17 1 275
2011/11/11 13:40:26 128.59.28.168.15583 -> 72.52.2.1.53 17 1 65
2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.15583 17 1 65
2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
2011/11/11 13:40:27 128.59.28.168.4270 -> 72.52.2.1.53 17 1 69
2011/11/11 13:40:27 72.52.2.1.53 -> 128.59.28.168.4270 17 1 300
2011/11/11 13:40:28 72.52.2.1.53 -> 156.111.60.150.33723 17 1 275
2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.20972 17 1 238
2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.43183 17 1 124
2011/11/11 13:40:31 72.52.2.1.53 -> 156.111.60.150.3208 17 1 126
2011/11/11 13:40:32 72.52.2.1.53 -> 156.111.60.150.36908 17 1 239
2011/11/11 13:40:33 72.52.2.1.53 -> 156.111.60.150.36686 17 1 126
There is more just like this if you need it.
Thanks,
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
--On Friday, November 11, 2011 2:21 PM -0500 Rodney Joffe <rjoffe at centergate.com> wrote:
> ----------- nsp-security Confidential --------
>
> First, sorry for duplicate posting if you see this twice.
>
> Second, it looks like EasyDNS is undergoing what I wrote that paper about in 2004 - a tough DDoS.
>
> Not because of the volume, but because of the profile.
>
> EasyDNS is seeing queries from valid current recursive servers for domains they are *not* authoritative for. However, we looked at our recursive servers and
> we are not seeing any queries from us, but we are seeing responses from EasyDNS.
>
> Easy is currently mitigating via Prolexic - this is the third in 24 hours. However, they're interested in getting help from us (you).
>
> The queries are being made to 72.52.2.1, and are in the form LLLgames.com where LLL is a random 3 letters.
>
> Could you please look at your flows for traffic headed towards that IP address?
>
> The attack is under way now.
>
> Thanks
> Rodney
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
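As an added example, not code from the thread or from any of the posters: a small Python script that parses flow records in the layout Joel pasted and, following Rodney's observation (answers from EasyDNS arriving with no matching local query) and Donald's netflow and ICMP questions, lists the DNS answers from 72.52.2.1 that no query from the local side explains. The sample records are copied from the post above; the field names and function names are my own.

```python
import re
from collections import Counter

# Record layout as pasted in Joel's post: "date time src.port -> dst.port proto pkts bytes"
FLOW_RE = re.compile(r"^(\S+ \S+) (\d+(?:\.\d+){3})\.(\d+) -> (\d+(?:\.\d+){3})\.(\d+) (\d+) (\d+) (\d+)$")

# Constructed sample: eight records copied from the post above, in their original order.
SAMPLE = [
    "2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135",
    "2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64248 17 1 612",
    "2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78",
    "2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249",
    "2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83",
    "2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244",
    "2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265",
    "2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402",
]

def parse_flow(line):
    """Parse one record into a dict; None for lines that do not match the layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto, pkts, nbytes = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": int(proto), "pkts": int(pkts), "bytes": int(nbytes)}

def unsolicited_dns_responses(lines, auth_ip):
    """UDP answers from auth_ip:53 whose (client, port) never sent a query to auth_ip:53.
    Two passes, since in a time-sorted export the answer can appear before its query.
    The collector sees the answer arrive but never saw the question leave: the asymmetry
    Rodney and Joel describe, and the sign that the query's source address was spoofed."""
    flows = [f for f in map(parse_flow, lines) if f and f["proto"] == 17]
    asked = {(f["src"], f["sport"]) for f in flows if f["dst"] == auth_ip and f["dport"] == 53}
    return [f for f in flows if f["src"] == auth_ip and f["sport"] == 53
            and (f["dst"], f["dport"]) not in asked]

def per_victim_totals(responses):
    """Map each local destination to (number of unsolicited answers, bytes received)."""
    count, total = Counter(), Counter()
    for r in responses:
        count[r["dst"]] += 1
        total[r["dst"]] += r["bytes"]
    return {ip: (count[ip], total[ip]) for ip in count}

def icmp_flows(lines, auth_ip):
    """ICMP (protocol 1) records touching auth_ip: the errors Donald asks about above."""
    return sum(1 for f in map(parse_flow, lines) if f and f["proto"] == 1 and auth_ip in (f["src"], f["dst"]))
```

Sampled exports and active-timeout splits can also leave an answer without its query, so treat the per-destination counts and byte totals as a ranking signal to confirm against the server's own query log rather than as proof on their own.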