[nsp-sec] DDoS to 212.97.109.168

Mike Tancsa mike at sentex.net
Wed Sep 7 16:37:09 EDT 2011


On 9/7/2011 4:24 PM, Kurt Jaeger wrote:
> ----------- nsp-security Confidential --------
> 
> Hello,
> 
>> Can you please have a look for packet love (UDP, source port 53)
>> to 212.97.109.168 ?
> 
> The attack of yesterday made a comeback.
> 
> Can you look at the flows, try to find a source and filter this IP ?
> Thanks!
> 
> It's announced from AS24766 (our partner, GBC.net), and currently
> only reachable via DTAG, due to cable works...


I have one DSL customer doing constant DNS lookups of icann.org:

16:28:52.337583 IP 67.43.130.51.53 > 212.97.109.168.53: 1875| 22/0/0 A
192.0.43.7, NS ns.icann.org., NS c.iana-servers.net., NS
a.iana-servers.net., NS d.iana-servers.net., NS b.iana-servers.net.,
SOA, MX pechora7.icann.org. 10, MX pechora8.icann.org. 10, MX
pechora1.icann.org. 10, MX pechora2.icann.org. 10, MX
pechora3.icann.org. 10, MX pechora4.icann.org. 10, MX
pechora5.icann.org. 10, MX pechora6.icann.org. 10, AAAA
2001:500:88:200::7, DS, DS, RRSIG, RRSIG, DNSKEY, DNSKEY (1132)


What time did the attack start? I can look at the flow logs for this
customer prior to see if I can find any hint of where the c&c is.

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
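
Added example, not part of the original mail: a Python script that picks senders like the customer above out of tcpdump text output by grouping large UDP source-port-53 packets sent to the victim address. The function name, the 512-byte threshold and the sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# tcpdump text line: time, "IP", src.port > dst.port:, DNS summary, "(payload length)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r".*\((?P<size>\d+)\)\s*$"
)

def reflected_dns_by_source(lines, victim, min_size=512):
    """Group large UDP source-port-53 packets sent to `victim` by sender.

    min_size=512 is an assumed threshold (the classic DNS-over-UDP limit).
    Returns {src_ip: {"packets": n, "bytes": b, "first": ts, "last": ts}}.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or non-IP lines are skipped, not guessed at
        if m["dst"] != victim or m["sport"] != "53":
            continue  # only DNS answers aimed at the victim
        size = int(m["size"])
        if size < min_size:
            continue  # small answers are not worth chasing
        s = stats[m["src"]]
        s["packets"] += 1
        s["bytes"] += size
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return dict(stats)

# Constructed sample capture (documentation addresses, not from the original mail).
SAMPLE = """\
16:28:52.337583 IP 192.0.2.51.53 > 203.0.113.10.53: 1875| 22/0/0 A 198.51.100.7, NS ns.example.org. (1132)
16:28:52.401220 IP 192.0.2.51.53 > 203.0.113.10.53: 1876| 22/0/0 A 198.51.100.7, NS ns.example.org. (1132)
16:28:52.455001 IP 192.0.2.77.53 > 203.0.113.10.40112: 4410 1/0/0 A 198.51.100.9 (45)
16:28:52.500317 IP 192.0.2.90.33211 > 198.51.100.53.53: 9921+ A? example.org. (29)
""".splitlines()

if __name__ == "__main__":
    for src, s in reflected_dns_by_source(SAMPLE, "203.0.113.10").items():
        print(f"{src}: {s['packets']} pkts, {s['bytes']} bytes, {s['first']} to {s['last']}")
```

The first and last timestamps per sender give the window to pull from that customer's flow logs.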


