[nsp-sec] Perfect DNS DDoS against EasyDNS - help wanted...
Hank Nussbacher
hank at efes.iucc.ac.il
Sat Nov 12 11:37:44 EST 2011
On Fri, 11 Nov 2011, Rodney Joffe wrote:
Not much here:
petach-tikva-gp#sho ip cache flow | incl 72.52.2.1
Gi9/34 132.64.1.249 72.52.2.1 udp 54844 dns 1
-Hank
> ----------- nsp-security Confidential --------
>
> First, sorry for duplicate posting if you see this twice.
>
> Second, it looks like EasyDNS is undergoing what I wrote that paper about in 2004 - a tough DDoS.
>
> Not because of the volume, but because of the profile.
>
> EasyDNS is seeing queries from valid current recursive servers for domains they are *not* authoritative for. However, we looked at our recursive servers and we are not seeing any queries from us, but we are seeing responses from EasyDNS.
>
> Easy is currently mitigating via Prolexic - this is the third in 24 hours. However, they're interested in getting help from us (you).
>
> The queries are being made to 72.52.2.1, and are in the form LLLgames.com where LLL is a random 3 letters.
>
> Could you please look at your flows for traffic headed towards that IP address?
>
> The attack is under way now.
>
> Thanks
> Rodney
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
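
The symptom described in the quoted message (responses from 72.52.2.1 for LLLgames.com names that the recursive servers never queried) can be checked at the DNS layer as well as in flow data. The following is an added example, not part of the original thread: it pairs queries and responses per resolver and reports answers with no matching query. The log format, the sample records, the 192.0.2.53 and 198.51.100.7 addresses and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

TARGET = "72.52.2.1"  # address named in the post
# Post: "LLLgames.com where LLL is a random 3 letters"
ATTACK_QNAME = re.compile(r"^[a-z]{3}games\.com$")

# Constructed sample records, hypothetical format: ts src dst Q|R txid qname
SAMPLE_LOG = """\
1321025801 192.0.2.53 72.52.2.1 Q 4242 www.example.org
1321025801 72.52.2.1 192.0.2.53 R 4242 www.example.org
1321025802 72.52.2.1 192.0.2.53 R 1001 qzvgames.com
1321025802 72.52.2.1 192.0.2.53 R 1002 xkdgames.com
1321025803 72.52.2.1 192.0.2.53 R 1003 JWPgames.com.
1321025804 198.51.100.7 72.52.2.1 Q 7001 allgames.com
1321025804 72.52.2.1 198.51.100.7 R 7001 allgames.com
"""

def parse(log):
    """Yield (src, dst, kind, txid, qname) from the constructed log format."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[3] not in ("Q", "R"):
            continue  # skip malformed lines
        _, src, dst, kind, txid, qname = fields
        yield src, dst, kind, txid, qname.lower().rstrip(".")

def unsolicited_responses(log, target=TARGET):
    """Map resolver -> LLLgames.com names answered by `target` for which
    that resolver sent no query with the same transaction id and name."""
    asked, answered = set(), defaultdict(set)
    for src, dst, kind, txid, qname in parse(log):
        if not ATTACK_QNAME.match(qname):
            continue
        if kind == "Q" and dst == target:
            asked.add((src, txid, qname))
        elif kind == "R" and src == target:
            answered[dst].add((txid, qname))
    out = {r: {q for t, q in pairs if (r, t, q) not in asked}
           for r, pairs in answered.items()}
    return {r: names for r, names in out.items() if names}

def suspected_resolvers(log, min_names=3):
    """Resolvers that received >= min_names distinct unsolicited names."""
    return sorted(r for r, names in unsolicited_responses(log).items()
                  if len(names) >= min_names)

if __name__ == "__main__":
    print(suspected_resolvers(SAMPLE_LOG))
```

The threshold on distinct names matters because an ordinary name such as allgames.com also fits the three-letter pattern, so a single match is not evidence on its own.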