[nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...

Rodney Joffe rjoffe at centergate.com
Fri Nov 11 15:54:33 EST 2011


PCAPs posted at http://thirteen.ca/.nov11/easydns11_11dos.zip

Send email to me for the password.

Attack is still in progress.

Note: this is an attack against EasyDNS, not Neustar. I am purely channelling the EasyDNS folks because they're not represented on the lists.


On Nov 11, 2011, at 3:08 PM, Joel Rosenblatt wrote:

> ----------- nsp-security Confidential --------
> 
> Hi Donald,
> 
> No, I'm not seeing any errors
> 
> Joel
> 
> --On Friday, November 11, 2011 1:01 PM -0700 "Smith, Donald" <Donald.Smith at CenturyLink.com> wrote:
> 
>> Joel, did you see any ICMP errors? I usually do in spoofed reflective DNS attacks and I am not seeing any in this one so far.
>> Rodney, would you expect to see ICMP errors in this type of attack? Since the resolvers are making "real" queries,
>> that may be a way to recognize this type of attack from netflow?
>> 
>> 
>> (coffee != sleep) & (!coffee == sleep)
>> Donald.Smith at qwest.com
>> ________________________________________
>> From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Joel Rosenblatt [joel at columbia.edu]
>> Sent: Friday, November 11, 2011 12:43 PM
>> To: Rodney Joffe; NSP-SEC List
>> Subject: Re: [nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
>> 
>> ----------- nsp-security Confidential --------
>> 
>> Hi,
>> 
>> I'm seeing a lot of traffic coming from that address to one of our DNS servers at our medical center (156.111.60.150).  The machine 128.59.176.4 is a DNS
>> server at our law school:
>> 
>> 2011/11/11 13:37:54 72.52.2.1.53 -> 156.111.60.150.60142 17 1 135
>> 2011/11/11 13:37:55 72.52.2.1.53 -> 156.111.60.150.40237 17 1 80
>> 2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.24350 17 1 104
>> 2011/11/11 13:37:58 72.52.2.1.53 -> 156.111.60.150.5783 17 1 104
>> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.29470 17 1 238
>> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64248 17 1 612
>> 2011/11/11 13:38:08 72.52.2.1.53 -> 156.111.60.150.64928 17 1 124
>> 2011/11/11 13:38:26 72.52.2.1.53 -> 156.111.60.150.31571 17 1 124
>> 2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.57693 17 1 141
>> 2011/11/11 13:38:29 72.52.2.1.53 -> 156.111.60.150.62924 17 1 340
>> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.1996 17 1 133
>> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.31700 17 1 360
>> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.34524 17 1 151
>> 2011/11/11 13:38:31 72.52.2.1.53 -> 156.111.60.150.4808 17 1 299
>> 2011/11/11 13:38:33 72.52.2.1.53 -> 156.111.60.150.50592 17 1 648
>> 2011/11/11 13:38:34 72.52.2.1.53 -> 156.111.70.150.7487 17 1 132
>> 2011/11/11 13:38:58 72.52.2.1.53 -> 156.111.60.150.57473 17 1 146
>> 2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.60.150.29184 17 1 133
>> 2011/11/11 13:39:01 72.52.2.1.53 -> 156.111.70.150.44407 17 1 133
>> 2011/11/11 13:39:03 72.52.2.1.53 -> 156.111.60.150.26121 17 1 253
>> 2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.2889 17 1 121
>> 2011/11/11 13:39:04 72.52.2.1.53 -> 156.111.60.150.52539 17 1 261
>> 2011/11/11 13:39:05 72.52.2.1.53 -> 156.111.60.150.17358 17 1 137
>> 2011/11/11 13:39:06 72.52.2.1.53 -> 156.111.60.150.22962 17 1 133
>> 2011/11/11 13:39:07 72.52.2.1.53 -> 156.111.60.150.26432 17 1 364
>> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.29476 17 1 243
>> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.39218 17 1 147
>> 2011/11/11 13:39:12 72.52.2.1.53 -> 156.111.60.150.45585 17 1 129
>> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.54251 17 1 243
>> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.64252 17 1 642
>> 2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.8245 17 1 129
>> 2011/11/11 13:39:40 128.59.59.92.47017 -> 72.52.2.1.53 17 1 81
>> 2011/11/11 13:39:40 72.52.2.1.53 -> 128.59.59.92.47017 17 1 312
>> 2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
>> 2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
>> 2011/11/11 13:39:47 156.111.60.150.25478 -> 72.52.2.1.53 17 1 78
>> 2011/11/11 13:39:47 72.52.2.1.53 -> 128.59.62.11.49354 17 1 125
>> 2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.25478 17 1 246
>> 2011/11/11 13:39:47 72.52.2.1.53 -> 156.111.60.150.32755 17 1 132
>> 2011/11/11 13:39:48 72.52.2.1.53 -> 156.111.60.150.41522 17 1 133
>> 2011/11/11 13:39:52 72.52.2.1.53 -> 156.111.70.150.22179 17 1 334
>> 2011/11/11 13:39:55 72.52.2.1.53 -> 156.111.70.150.21811 17 1 125
>> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.11791 17 1 126
>> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.29742 17 1 250
>> 2011/11/11 13:39:56 72.52.2.1.53 -> 156.111.60.150.31010 17 1 144
>> 2011/11/11 13:39:57 72.52.2.1.53 -> 156.111.70.150.12482 17 1 252
>> 2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.48805 17 1 115
>> 2011/11/11 13:40:01 72.52.2.1.53 -> 156.111.60.150.55493 17 1 240
>> 2011/11/11 13:40:04 72.52.2.1.53 -> 156.111.60.150.63638 17 1 354
>> 2011/11/11 13:40:07 72.52.2.1.53 -> 156.111.70.150.13514 17 1 388
>> 2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.22648 17 1 652
>> 2011/11/11 13:40:08 72.52.2.1.53 -> 156.111.60.150.62223 17 1 388
>> 2011/11/11 13:40:10 128.59.59.92.62717 -> 72.52.2.1.53 17 1 69
>> 2011/11/11 13:40:10 72.52.2.1.53 -> 128.59.59.92.62717 17 1 330
>> 2011/11/11 13:40:17 128.59.176.4.10765 -> 72.52.2.1.53 17 1 83
>> 2011/11/11 13:40:17 128.59.176.4.24265 -> 72.52.2.1.53 17 1 83
>> 2011/11/11 13:40:17 128.59.176.4.33252 -> 72.52.2.1.53 17 1 83
>> 2011/11/11 13:40:17 128.59.176.4.56282 -> 72.52.2.1.53 17 1 83
>> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.10765 17 1 244
>> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.24265 17 1 148
>> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.33252 17 1 262
>> 2011/11/11 13:40:17 72.52.2.1.53 -> 128.59.176.4.56282 17 1 130
>> 2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.34277 17 1 246
>> 2011/11/11 13:40:23 72.52.2.1.53 -> 128.59.176.100.43712 17 1 132
>> 2011/11/11 13:40:24 128.59.176.100.10328 -> 72.52.2.1.53 17 1 83
>> 2011/11/11 13:40:24 128.59.176.100.25559 -> 72.52.2.1.53 17 1 83
>> 2011/11/11 13:40:24 156.111.60.150.13402 -> 72.52.2.1.53 17 1 76
>> 2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.13402 17 1 130
>> 2011/11/11 13:40:24 72.52.2.1.53 -> 156.111.60.150.52542 17 1 128
>> 2011/11/11 13:40:25 128.59.59.92.17966 -> 72.52.2.1.53 17 1 75
>> 2011/11/11 13:40:25 156.111.70.150.16256 -> 72.52.2.1.53 17 1 68
>> 2011/11/11 13:40:25 72.52.2.1.53 -> 128.59.59.92.17966 17 1 333
>> 2011/11/11 13:40:25 72.52.2.1.53 -> 156.111.70.150.16256 17 1 275
>> 2011/11/11 13:40:26 128.59.28.168.15583 -> 72.52.2.1.53 17 1 65
>> 2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
>> 2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.15583 17 1 65
>> 2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
>> 2011/11/11 13:40:27 128.59.28.168.4270 -> 72.52.2.1.53 17 1 69
>> 2011/11/11 13:40:27 72.52.2.1.53 -> 128.59.28.168.4270 17 1 300
>> 2011/11/11 13:40:28 72.52.2.1.53 -> 156.111.60.150.33723 17 1 275
>> 2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.20972 17 1 238
>> 2011/11/11 13:40:30 72.52.2.1.53 -> 156.111.60.150.43183 17 1 124
>> 2011/11/11 13:40:31 72.52.2.1.53 -> 156.111.60.150.3208 17 1 126
>> 2011/11/11 13:40:32 72.52.2.1.53 -> 156.111.60.150.36908 17 1 239
>> 2011/11/11 13:40:33 72.52.2.1.53 -> 156.111.60.150.36686 17 1 126
>> 
>> There is more just like this if you need it
>> 
>> Thanks,
>> Joel Rosenblatt
>> 
>> Joel Rosenblatt, Manager Network & Computer Security
>> Columbia Information Security Office (CISO)
>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> http://www.columbia.edu/~joel
>> Public PGP key
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>> 
>> 
>> 
>> --On Friday, November 11, 2011 2:21 PM -0500 Rodney Joffe <rjoffe at centergate.com> wrote:
>> 
>>> ----------- nsp-security Confidential --------
>>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> First, sorry for duplicate posting if you see this twice.
>>> 
>>> Second, it looks like EasyDNS is undergoing what I wrote that paper about in 2004 - a tough DDoS.
>>> 
>>> Not because of the volume, but because of the profile.
>>> 
>>> EasyDNS is seeing queries from valid current recursive servers for domains they are *not* authoritative for. However, we looked at our recursive servers and
>>> we are not seeing any queries from us, but we are seeing responses from EasyDNS.
>>> 
>>> Easy is currently mitigating via Prolexic - this is the third in 24 hours. However, they're interested in getting help from us (you).
>>> 
>>> The queries are being made to 72.52.2.1, and are in the form LLLgames.com where LLL is a random 3 letters.
>>> 
>>> Could you please look at your flows for traffic headed towards that IP address?
>>> 
>>> The attack is under way now..
>>> 
>>> Thanks
>>> Rodney
>>> 
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>>> Comment: GPGTools - http://gpgtools.org
>>> 
>>> iEYEARECAAYFAk69ddcACgkQRrelm2onc7AoZgCeI9T7yL9NPp2gt4NWvoGuwpTP
>>> w68AnA2Vdcz097b+sKlsh7MUh+C+gVgL
>>> =9j8c
>>> -----END PGP SIGNATURE-----
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>> 
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>> 
> 
> 
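The profile Rodney describes (EasyDNS responses arriving at resolvers that never sent the query, because the attacker spoofed the resolvers' addresses as the query source) and the netflow question Donald raises can both be scripted over flow records in the layout Joel posted. The following is an added example written for this archive page; it is not code from anyone on the thread or from Neustar, EasyDNS or Columbia. It assumes Joel's `date time src.sport -> dst.dport proto pkts bytes` line format, that 72.52.2.1 is the authoritative server under attack as stated in the thread, a 10-second query/response match window (my choice), and uses nine lines copied from Joel's excerpt above as sample input. The `is_attack_qname` helper for the LLLgames.com pattern is meant for query names pulled from the pcaps, which this script does not parse.

```python
"""Separate solicited from unsolicited DNS responses in flow records.

Added example for this archive page, not code from the nsp-security thread
or from Neustar, EasyDNS or Columbia. Flow lines follow the layout Joel
posted: 'YYYY/MM/DD HH:MM:SS src.sport -> dst.dport proto pkts bytes'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_SERVER = "72.52.2.1"              # EasyDNS server named in the thread
MATCH_WINDOW = timedelta(seconds=10)   # assumption: a reply follows its query within 10 s
UDP = 17

# Attack query names were LLLgames.com with LLL random (per Rodney); this is
# for qnames taken from the pcaps, which the flow records below do not carry.
ATTACK_QNAME = re.compile(r"^[a-z]{3}games\.com\.?$", re.IGNORECASE)


def is_attack_qname(name):
    """True for names shaped like the thread's LLLgames.com queries."""
    return ATTACK_QNAME.match(name) is not None


def parse_flow(line):
    """Parse one flow line into a dict; the port is the last dotted field."""
    date, time, src, _arrow, dst, proto, pkts, nbytes = line.split()
    sip, sport = src.rsplit(".", 1)
    dip, dport = dst.rsplit(".", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"),
        "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport),
        "proto": int(proto), "pkts": int(pkts), "bytes": int(nbytes),
    }


def classify_flows(lines, auth_server=AUTH_SERVER, window=MATCH_WINDOW):
    """Return (matched, unsolicited) lists of UDP response flows from auth_server:53.

    A response is 'matched' when the same resolver IP:port sent a query to
    auth_server within `window` before it; otherwise it is 'unsolicited'.
    A spoofed query never leaves the resolver, so the response it provokes
    has no outbound flow to pair with. TCP flows are skipped: a completed TCP
    exchange required the handshake, so it was not a blind-spoofed query.
    """
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f["ts"])
    pending = defaultdict(list)          # (resolver ip, resolver port) -> query timestamps
    matched, unsolicited = [], []
    for f in flows:
        if f["proto"] != UDP:
            continue
        if f["dip"] == auth_server and f["dport"] == 53:
            pending[(f["sip"], f["sport"])].append(f["ts"])
        elif f["sip"] == auth_server and f["sport"] == 53:
            key = (f["dip"], f["dport"])
            candidates = [t for t in pending.get(key, [])
                          if timedelta(0) <= f["ts"] - t <= window]
            if candidates:
                pending[key].remove(candidates[0])   # consume the query so it pairs once
                matched.append(f)
            else:
                unsolicited.append(f)
    return matched, unsolicited


def summarize(lines, **kw):
    """Per resolver IP: solicited vs unsolicited response counts and unsolicited bytes."""
    matched, unsolicited = classify_flows(lines, **kw)
    per_ip = defaultdict(lambda: {"matched": 0, "unsolicited": 0, "unsolicited_bytes": 0})
    for f in matched:
        per_ip[f["dip"]]["matched"] += 1
    for f in unsolicited:
        per_ip[f["dip"]]["unsolicited"] += 1
        per_ip[f["dip"]]["unsolicited_bytes"] += f["bytes"]
    return dict(per_ip)


# Sample input: nine lines copied from Joel's flow excerpt in the thread.
SAMPLE_FLOWS = """\
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.64252 17 1 642
2011/11/11 13:39:14 72.52.2.1.53 -> 156.111.60.150.8245 17 1 129
2011/11/11 13:39:40 128.59.59.92.47017 -> 72.52.2.1.53 17 1 81
2011/11/11 13:39:40 72.52.2.1.53 -> 128.59.59.92.47017 17 1 312
2011/11/11 13:39:46 156.111.60.150.31983 -> 72.52.2.1.53 17 1 78
2011/11/11 13:39:46 72.52.2.1.53 -> 156.111.60.150.31983 17 1 249
2011/11/11 13:39:47 72.52.2.1.53 -> 128.59.62.11.49354 17 1 125
2011/11/11 13:40:26 128.59.28.168.63769 -> 72.52.2.1.53 6 5 265
2011/11/11 13:40:26 72.52.2.1.53 -> 128.59.28.168.63769 6 3 402
""".splitlines()

if __name__ == "__main__":
    for ip, stats in sorted(summarize(SAMPLE_FLOWS).items()):
        print(ip, stats)
```

On these nine lines the two query/response pairs (128.59.59.92:47017 and 156.111.60.150:31983) come out as matched and the three other responses as unsolicited. Treat the unsolicited count as a per-resolver ratio over a time window rather than a per-flow verdict: a capture that starts mid-exchange (as Joel's excerpt does), sampled NetFlow, or asymmetric export of the two directions will all produce responses with no visible query.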