[nsp-sec] ASN 36351 Softlayer Possible DoS
Young, Beth A.
youngba at more.net
Thu Oct 13 12:52:32 EDT 2011
We were experiencing DNS server problems this morning and as I started digging, I see the following traffic (unfortunately, we don't have any query logging enabled so I am limited to netflow data). Some of this was to Softlayer, some to Egyptian Vodafone, some to UK2. I believe we are "helping" by being a reflection amplifier.
I am running blind here so any information would be helpful. Whatever our part in this was, it ended around 10:45.
START TIME  STOP TIME  SOURCE IP  DESTINATION IP  SRC AS  DST AS  PROT  SRC PORT  DST PORT  PACKETS  OCTETS
2011/10/13-09:31:41 2011/10/13-09:40:49 150.199.101.1 184.107.215.130 2572 32613 17 53 25345 63160 67843720
2011/10/13-09:39:49 2011/10/13-09:44:50 150.199.101.1 84.16.227.62 2572 28753 17 0 0 65250 81268470
2011/10/13-09:39:49 2011/10/13-09:44:50 150.199.101.1 83.170.103.139 2572 13213 17 0 0 442930 552929930
2011/10/13-09:39:49 2011/10/13-09:44:50 150.199.101.1 184.107.215.130 2572 32613 17 0 0 488840 610868690
2011/10/13-09:39:49 2011/10/13-09:44:50 150.199.101.1 184.107.215.130 2572 32613 17 53 25345 241870 362805000
2011/10/13-09:39:49 2011/10/13-09:44:50 150.199.101.1 184.154.43.2 2572 32475 17 0 0 454000 567673530
2011/10/13-09:39:49 2011/10/13-09:44:51 150.199.101.1 184.107.214.138 2572 32613 17 0 0 752470 941165100
.....
2011/10/13-10:28:15 2011/10/13-10:37:04 150.199.199.1 184.154.43.2 2572 32475 17 53 25345 297670 446505000
2011/10/13-10:28:15 2011/10/13-10:37:04 150.199.199.1 184.154.43.2 2572 32475 17 0 0 597340 751472250
2011/10/13-10:28:34 2011/10/13-10:31:37 150.199.101.1 46.23.64.5 2572 13213 17 0 0 38910 49032710
2011/10/13-10:28:35 2011/10/13-10:31:37 150.199.101.1 46.23.64.5 2572 13213 17 53 25345 19240 28860000
Beth
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tino Steward
Sent: Thursday, October 13, 2011 10:42 AM
To: NSP-Security
Subject: [nsp-sec] ASN 36351 Softlayer Possible DoS
----------- nsp-security Confidential --------
Softlayer,
We're seeing the below traffic if you need any assistance.
tino
1 67.228.254.4 UDP 53 1945671 pps 141.528 Mbps
2 67.228.255.5 UDP 53 1912759 pps 139.196 Mbps
3 67.228.255.5 TCP 53 SYN 1720053 pps 75.682 Mbps
4 67.228.254.4 TCP 53 SYN 1255602 pps 55.247 Mbps
--
Tino T. Steward SNA1 - Security & Abuse tsteward at us.ntt.net
NTT Communications Global IP Network Operations Center
214-853-7344 (Ph.) 214.800.7771 (Fax)
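A way to triage a flow export like the one quoted in this thread when no DNS query logs exist, as an added example that is not part of the original messages. It assumes the column order of the export header, that the exporter records non-initial IP fragments with ports 0/0, and a 512-byte average packet size as the cutoff for "large" DNS responses; the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Rows 1-4 are copied from the flow export in the thread; row 5 is a
# constructed benign lookup (documentation addresses and ASNs) for contrast.
SAMPLE = """\
2011/10/13-09:39:49 2011/10/13-09:44:50 150.199.101.1 184.107.215.130 2572 32613 17 0 0 488840 610868690
2011/10/13-09:39:49 2011/10/13-09:44:50 150.199.101.1 184.107.215.130 2572 32613 17 53 25345 241870 362805000
2011/10/13-10:28:34 2011/10/13-10:31:37 150.199.101.1 46.23.64.5 2572 13213 17 0 0 38910 49032710
2011/10/13-10:28:35 2011/10/13-10:31:37 150.199.101.1 46.23.64.5 2572 13213 17 53 25345 19240 28860000
2011/10/13-10:30:00 2011/10/13-10:30:01 192.0.2.53 198.51.100.7 64500 64501 17 53 40000 2 260
"""

FMT = "%Y/%m/%d-%H:%M:%S"
BIG_DNS = 512  # bytes; classic DNS-over-UDP size limit without EDNS0

def parse(line):
    """Split one export row into typed fields (column order as in the thread)."""
    start, stop, src, dst, _sas, _das, proto, sport, dport, pkts, octets = line.split()
    delta = datetime.strptime(stop, FMT) - datetime.strptime(start, FMT)
    return dict(src=src, dst=dst, proto=int(proto), sport=int(sport),
                dport=int(dport), pkts=max(int(pkts), 1), octets=int(octets),
                secs=max(delta.total_seconds(), 1))

def classify(f):
    """Label a flow as seen from the resolver that is sending the traffic."""
    if f["proto"] != 17:
        return "other"
    avg = f["octets"] / f["pkts"]
    if f["sport"] == 53 and avg > BIG_DNS:
        return "large-dns-response"
    # Assumption: ports 0/0 on UDP means a non-initial IP fragment.
    if f["sport"] == 0 and f["dport"] == 0:
        return "udp-fragment"
    return "normal"

def suspected_victims(text):
    """Per destination: Mbit/s of large DNS responses plus their fragments."""
    flows = [parse(l) for l in text.splitlines() if l.strip()]
    amplified = {f["dst"] for f in flows if classify(f) == "large-dns-response"}
    out = defaultdict(float)
    for f in flows:
        if f["dst"] in amplified and classify(f) != "normal":
            out[f["dst"]] += f["octets"] * 8 / f["secs"] / 1e6
    return {dst: round(mbps, 1) for dst, mbps in out.items()}
```

Destinations that receive both full-size port-53 responses and matching fragment flows from the resolver are the ones to check against response rate limiting or recursion ACLs.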