[nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
Joel Rosenblatt
joel at columbia.edu
Fri Nov 11 15:08:49 EST 2011
Hi Donald,
No, I'm not seeing any errors
Joel
--On Friday, November 11, 2011 1:01 PM -0700 "Smith, Donald" <Donald.Smith at CenturyLink.com> wrote:
> Joel, did you see any icmp errors? I usually do in spoofed reflective dns attacks and I am not seeing any in this one so far.
> Rodney would you expect to see icmp errors in this type of attack? Since the resolvers are making "real" queries, that may be a way to recognize this type of attack from netflow?
>
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com
> ________________________________________
> From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
> Sent: Friday, November 11, 2011 12:43 PM
> To: Rodney Joffe; NSP-SEC List
> Subject: Re: [nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
>
> ----------- nsp-security Confidential --------
>
> Hi,
>
> I'm seeing a lot of traffic coming from that address to one of our DNS servers at our medical center (156.111.60.150). The machine 128.59.176.4 is a dns
> server at our law school:
>
> 2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
> 2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
> 2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.24350 17 1 104
> 2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.5783 17 1 104
> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.29470 17 1 238
> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64248 17 1 612
> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64928 17 1 124
> 2011/11/11 13:38:26 72.52.2.1.53 -> 156.111.60.150.31571 17 1 124
> 2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.57693 17 1 141
> 2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.62924 17 1 340
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.1996 17 1 133
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.31700 17 1 360
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.34524 17 1 151
> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.4808 17 1 299
> 2011/11/11 13:38:33 72.52.2.1.53 -> 156.111.60.150.50592 17 1 648
> 2011/11/11 13:38:34 72.52.2.1.53 -> 156.111.70.150.7487 17 1 132
> 2011/11/11 13:38:58 72.52.2.1.53 -> 156.111.60.150.57473 17 1 146
> 2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.60.150.29184 17 1 133
> 2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.70.150.44407 17 1 133
> 2011/11/11 13:39:03 72.52.2.1.53 -> 156.111.60.150.26121 17 1 253
> 2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.2889 17 1 121
> 2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.52539 17 1 261
> 2011/11/11 13:39:05 72.52.2.1.53 -> 156.111.60.150.17358 17 1 137
> 2011/11/11 13:39:06 72.52.2.1.53 -> 156.111.60.150.22962 17 1 133
> 2011/11/11 13:39:07 72.52.2.1.53 -> 156.111.60.150.26432 17 1 364
> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.29476 17 1 243
> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.39218 17 1 147
> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.45585 17 1 129
> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.54251 17 1 243
> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.64252 17 1 642
> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.8245 17 1 129
> 2011/11/11 13:39:40 128.59.59.92.47017 -> 72.52.2.1.53 17 1 81
> 2011/11/11 13:39:40 72.52.2.1.53 -> 128.59.59.92.47017 17 1 312
> 2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
> 2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
> 2011/11/11 13:39:47 156.111.60.150.25478 -> 72.52.2.1.53 17 1 78
> 2011/11/11 13:39:47 72.52.2.1.53 -> 128.59.62.11.49354 17 1 125
> 2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.25478 17 1 246
> 2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.32755 17 1 132
> 2011/11/11 13:39:48 72.52.2.1.53 -> 156.111.60.150.41522 17 1 133
> 2011/11/11 13:39:52 72.52.2.1.53 -> 156.111.70.150.22179 17 1 334
> 2011/11/11 13:39:55 72.52.2.1.53 -> 156.111.70.150.21811 17 1 125
> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.11791 17 1 126
> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.29742 17 1 250
> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.31010 17 1 144
> 2011/11/11 13:39:57 72.52.2.1.53 -> 156.111.70.150.12482 17 1 252
> 2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.48805 17 1 115
> 2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.55493 17 1 240
> 2011/11/11 13:40:04 72.52.2.1.53 -> 156.111.60.150.63638 17 1 354
> 2011/11/11 13:40:07 72.52.2.1.53 -> 156.111.70.150.13514 17 1 388
> 2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.22648 17 1 652
> 2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.62223 17 1 388
> 2011/11/11 13:40:10 128.59.59.92.62717 -> 72.52.2.1.53 17 1 69
> 2011/11/11 13:40:10 72.52.2.1.53 -> 128.59.59.92.62717 17 1 330
> 2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 128.59.176.4.24265 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 128.59.176.4.33252 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 128.59.176.4.56282 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.24265 17 1 148
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.33252 17 1 262
> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.56282 17 1 130
> 2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.34277 17 1 246
> 2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.43712 17 1 132
> 2011/11/11 13:40:24 128.59.176.100.10328 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:24 128.59.176.100.25559 -> 72.52.2.1.53 17 1 83
> 2011/11/11 13:40:24 156.111.60.150.13402 -> 72.52.2.1.53 17 1 76
> 2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.13402 17 1 130
> 2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.52542 17 1 128
> 2011/11/11 13:40:25 128.59.59.92.17966 -> 72.52.2.1.53 17 1 75
> 2011/11/11 13:40:25 156.111.70.150.16256 -> 72.52.2.1.53 17 1 68
> 2011/11/11 13:40:25 72.52.2.1.53 -> 128.59.59.92.17966 17 1 333
> 2011/11/11 13:40:25 72.52.2.1.53 -> 156.111.70.150.16256 17 1 275
> 2011/11/11 13:40:26 128.59.28.168.15583 -> 72.52.2.1.53 17 1 65
> 2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
> 2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.15583 17 1 65
> 2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
> 2011/11/11 13:40:27 128.59.28.168.4270 -> 72.52.2.1.53 17 1 69
> 2011/11/11 13:40:27 72.52.2.1.53 -> 128.59.28.168.4270 17 1 300
> 2011/11/11 13:40:28 72.52.2.1.53 -> 156.111.60.150.33723 17 1 275
> 2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.20972 17 1 238
> 2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.43183 17 1 124
> 2011/11/11 13:40:31 72.52.2.1.53 -> 156.111.60.150.3208 17 1 126
> 2011/11/11 13:40:32 72.52.2.1.53 -> 156.111.60.150.36908 17 1 239
> 2011/11/11 13:40:33 72.52.2.1.53 -> 156.111.60.150.36686 17 1 126
>
> There is more just like this if you need it
>
> Thanks,
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
>
> --On Friday, November 11, 2011 2:21 PM -0500 Rodney Joffe <rjoffe at centergate.com> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> First, sorry for duplicate posting if you see this twice.
>>
>> Second, it looks like EasyDNS is undergoing what I wrote that paper about in 2004 - a tough DDoS.
>>
>> Not because of the volume, but because of the profile.
>>
>> EasyDNS is seeing queries from valid current recursive servers for domains they are *not* authoritative for. However, we looked at our recursive servers and
>> we are not seeing any queries from us, but we are seeing responses from EasyDNS.
>>
>> Easy is currently mitigating via Prolexic - this is the third in 24 hours. However, they're interested in getting help from us (you).
>>
>> The queries are being made to 72.52.2.1, and are in the form LLLgames.com where LLL is a random 3 letters.
>>
>> Could you please look at your flows for traffic headed towards that IP address?
>>
>> The attack is under way now.
>>
>> Thanks
>> Rodney
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>>
>> iEYEARECAAYFAk69ddcACgkQRrelm2onc7AoZgCeI9T7yL9NPp2gt4NWvoGuwpTP
>> w68AnA2Vdcz097b+sKlsh7MUh+C+gVgL
>> =9j8c
>> -----END PGP SIGNATURE-----
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
>
>
> This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly
> prohibited and may be unlawful. If you have received this communication
> in error, please immediately notify the sender by reply e-mail and destroy
> all copies of the communication and any attachments.
>
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
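Donald's question about recognising this traffic profile from netflow suggests a simple batch check, written here as an added example that is not code from the thread or from any of its participants: pair each UDP DNS response from the authoritative server with a query from the same client address and port, and count the responses that no query accounts for. A resolver that really queried 72.52.2.1 shows a query/response pair per port; a resolver whose address was spoofed shows responses with no matching query. The record format and the server address 72.52.2.1 come from the quoted flow excerpt, the sample records below are copied from it, and the function names and the two-pass pairing are my own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# One record per line, in the format of the quoted flow excerpt:
#   YYYY/MM/DD HH:MM:SS src.sport -> dst.dport proto packets bytes
FLOW_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<pkts>\d+) (?P<octets>\d+)$"
)
UDP = 17

# Sample records copied from the flow excerpt in the thread (server is 72.52.2.1).
SAMPLE_FLOWS = """\
2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
2011/11/11 13:39:40 128.59.59.92.47017 -> 72.52.2.1.53 17 1 81
2011/11/11 13:39:40 72.52.2.1.53 -> 128.59.59.92.47017 17 1 312
2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    pkts: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Parse one record; raise ValueError on a line that does not match the format."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised flow record: {line!r}")
    g = m.groupdict()
    return Flow(ts=f"{g['date']} {g['time']}",
                src=g["src"], sport=int(g["sport"]),
                dst=g["dst"], dport=int(g["dport"]),
                proto=int(g["proto"]), pkts=int(g["pkts"]), octets=int(g["octets"]))


def dns_response_summary(lines: Iterable[str], server_ip: str,
                         dns_port: int = 53) -> Dict[str, Dict[str, int]]:
    """Per client IP: UDP query packets sent to server_ip, response packets received
    from it, and response packets that no query from the same (ip, port) accounts for.

    Two passes over the batch, so export-order jitter (a response exported before
    its query) does not produce false positives; each query packet pairs with at
    most one response packet. TCP flows are ignored: they cannot be spoofed this way.
    """
    flows = [parse_flow(l) for l in lines if l.strip()]
    outstanding: Counter = Counter()  # (client_ip, client_port) -> unmatched queries
    summary = defaultdict(lambda: {"queries": 0, "responses": 0, "unsolicited": 0})

    for f in flows:  # pass 1: queries towards the server
        if f.proto == UDP and f.dst == server_ip and f.dport == dns_port:
            outstanding[(f.src, f.sport)] += f.pkts
            summary[f.src]["queries"] += f.pkts
    for f in flows:  # pass 2: responses from the server
        if f.proto == UDP and f.src == server_ip and f.sport == dns_port:
            key = (f.dst, f.dport)
            matched = min(f.pkts, outstanding[key])
            outstanding[key] -= matched
            summary[f.dst]["responses"] += f.pkts
            summary[f.dst]["unsolicited"] += f.pkts - matched
    return dict(summary)


def suspicious_clients(summary: Dict[str, Dict[str, int]],
                       min_unsolicited: int = 1) -> List[str]:
    """Client addresses receiving at least min_unsolicited unmatched responses."""
    return sorted(ip for ip, s in summary.items() if s["unsolicited"] >= min_unsolicited)


if __name__ == "__main__":
    report = dns_response_summary(SAMPLE_FLOWS.splitlines(), "72.52.2.1")
    for ip in suspicious_clients(report):
        print(ip, report[ip])
```

On a real export, run this per time window and raise the `min_unsolicited` threshold: responses to queries sent just before the window started will look unmatched, so a handful of unsolicited responses per resolver is normal, while hundreds to random high ports with no queries at all (the 156.111.60.150 pattern above) is the reflection profile Rodney described.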