[nsp-sec] CW ip doing some very weird DNS DDOS?
Smith, Donald
Donald.Smith at CenturyLink.com
Mon Oct 24 13:37:10 EDT 2011
TTL==49; hop count from a system in our network was 12, so initial TTL was probably 64.
Very few current IP stacks would use an ITTL that low. Win95 did, some old UNIX versions did.
The flags are 23456789ABCDE, which are used by some Windows versions for the content of echo requests but are invalid from a DNS pov, so it is not a reflective attack (at least I don't think it is).
It didn't reply to a DNS query I sent it, so it's not an open DNS resolver.
It's a Cable & Wireless IP behind one of their BRASes.
10 alandick-brs-gw.lnt.mrs.cw.net (195.2.23.2) 116.150 ms 113.820 ms 113.678 ms
11 195.59.50.2 (195.59.50.2) 115.344 ms 115.537 ms 115.430 ms
12 195.59.50.107 (195.59.50.107) 115.249 ms 115.469 ms 115.187 ms
It was causing 8000 errors per second, so we dropped this IP into a blacklist on our DNS resolvers.
But something is definitely up and weird about that IP :(
"Pampers use multiple layers of protection to prevent leakage.
Rommel used defense in depth to defend European fortresses." (A.White)
Donald.Smith at CenturyLink.com
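Added example, not part of Donald's post or any CenturyLink tooling: the two checks his reasoning rests on, as code. First, inferring the sender's initial TTL from the TTL seen on the wire plus the traceroute hop count (49 + 12 = 61, nearest common initial TTL 64). Second, deciding whether a UDP payload aimed at port 53 is a plausible DNS query or just filler bytes that can never have come from a reflector. The common-initial-TTL table (32, 64, 128, 255) is an assumption from well-known stack defaults, and the filler payload is constructed here by repeating the ASCII pattern from the post, which assumes the bytes were printed as ASCII rather than hex.

```python
"""Two checks from the nsp-sec thread, as runnable code (added example)."""
import struct

# Assumption: initial TTLs commonly used by IP stacks. 32 = Win95/98,
# 64 = Linux/BSD/macOS, 128 = Windows NT and later, 255 = Solaris/routers.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample: a UDP/53 payload made of the pattern from the post,
# assumed to be ASCII filler of the kind some Windows hosts put in ICMP echo.
FILLER_PAYLOAD = (b"23456789ABCDEF" * 5)[:64]

# DNS opcodes with a defined meaning: QUERY, IQUERY, STATUS, NOTIFY, UPDATE.
VALID_OPCODES = {0, 1, 2, 4, 5}
VALID_QCLASSES = {1, 3, 4, 255}  # IN, CH, HS, ANY


def estimate_initial_ttl(observed_ttl, hop_count):
    """Return (observed_ttl + hop_count, nearest common initial TTL >= that).

    The second value is None when the sum exceeds 255, which means either
    the hop count is wrong or the sender is rewriting TTLs.
    """
    start = observed_ttl + hop_count
    for ttl in COMMON_INITIAL_TTLS:
        if ttl >= start:
            return start, ttl
    return start, None


def parse_qname(payload, offset):
    """Parse an uncompressed QNAME at offset; return (name, next_offset) or None."""
    labels = []
    while True:
        if offset >= len(payload):
            return None  # ran off the end before the terminating zero label
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:
            return None  # compression pointer or extended label; not a plain query name
        label = payload[offset:offset + length]
        if len(label) != length:
            return None
        labels.append(label.decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def classify_dns_payload(payload):
    """Return (is_plausible_query, reason) for a UDP payload sent to port 53."""
    if len(payload) < 12:
        return False, "shorter than a DNS header"
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if qr != 0:
        return False, "QR bit set (a response, not a query)"
    if opcode not in VALID_OPCODES:
        return False, "reserved opcode %d" % opcode
    if qd != 1 or an != 0 or ns != 0 or ar > 1:
        return False, "implausible counts qd=%d an=%d ns=%d ar=%d" % (qd, an, ns, ar)
    parsed = parse_qname(payload, 12)
    if parsed is None:
        return False, "question name does not parse"
    name, off = parsed
    if off + 4 > len(payload):
        return False, "truncated QTYPE/QCLASS"
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    if qclass not in VALID_QCLASSES:
        return False, "unknown QCLASS %d" % qclass
    return True, "query id=0x%04x for %s type %d" % (ident, name, qtype)


def build_query(name, qtype=1, ident=0x1234):
    """Build a minimal standard query (RD set) so the classifier has a real positive."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    print("TTL 49 after 12 hops ->", estimate_initial_ttl(49, 12))
    print("real query          ->", classify_dns_payload(build_query("example.com")))
    print("filler bytes        ->", classify_dns_payload(FILLER_PAYLOAD))
```

Run against the filler pattern, the flags word decodes to opcode 6, which no resolver would ever emit, so the payload cannot be reflected traffic whatever its source address says; the same logic is what makes it safe to drop the single source IP rather than hunt for a spoofed victim.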