[nsp-sec] DDoS to 212.97.109.168
Mike Tancsa
mike at sentex.net
Wed Sep 7 17:32:49 EDT 2011
On 9/7/2011 4:45 PM, Kurt Jaeger wrote:
> Hi!
>
>>> The attack of yesterday made a comeback.
>
>> I have one DSL customer doing constant DNS lookups of icann.org
>>
>> 16:28:52.337583 IP 67.43.130.51.53 > 212.97.109.168.53: 1875| 22/0/0 A
>> 192.0.43.7, NS ns.icann.org., NS c.iana-servers.net., NS
>> a.iana-servers.net., NS d.iana-servers.net., NS b.iana-servers.net.,
>> SOA, MX pechora7.icann.org. 10, MX pechora8.icann.org. 10, MX
>> pechora1.icann.org. 10, MX pechora2.icann.org. 10, MX
>> pechora3.icann.org. 10, MX pechora4.icann.org. 10, MX
>> pechora5.icann.org. 10, MX pechora6.icann.org. 10, AAAA
>> 2001:500:88:200::7, DS, DS, RRSIG, RRSIG, DNSKEY, DNSKEY (1132)
>>
>>
>> What time did the attack start? I can look at the flow logs for this
>> customer prior to see if I can find any hint of where the c&c is.
>
> Approx. 22:30 CEST today. The attack this morning started at 0:00 CEST
> and lasted approx. 2-3 hours (not sure about the duration).
Just prior to and during the host attacking from here, my customer got odd traffic from 209.62.121.195 and 184.106.34.178.
% ra -Zb -L0 -nr port53-dos.arg -s+ltime -t 15 - host 209.62.121.195 or host 184.106.34.178
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State LastTime
09-07 15:13:05.182 Ne udp 209.62.121.195.53 -> 67.43.130.51.53 5294 354698 INT 09-07 15:15:04.910000
09-07 15:39:55.589 Ne udp 184.106.34.178.53 -> 67.43.130.51.53 7795 522265 INT 09-07 15:41:48.153000
09-07 15:44:53.048 Ne udp 184.106.34.178.53 -> 67.43.130.51.53 8553 573051 INT 09-07 15:46:54.420000
Seems rather high for DNS traffic for this customer.
AS | IP | AS Name
21844 | 209.62.121.195 | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
19994 | 184.106.34.178 | RACKSPACE - Rackspace Hosting
The customer now seems to be abused by 216.114.79.43 with the same sort of DNS requests heading its way along with another target in my network.
AS | IP | AS Name
6428 | 216.114.79.43 | CDM - CDM
17:24:32.898553 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:32.898561 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:32.936402 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:32.938791 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:32.971383 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:32.978118 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:33.011356 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:33.011363 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:33.017839 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
17:24:33.017844 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
Not sure if at this point it's all spoofed traffic or not, but I think it might be.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
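Added example (not part of the post or any list member's tooling): a small parser for tcpdump's one-line DNS query summaries, the format pasted above, with the defender-side heuristics that distinguish the traffic in this thread from ordinary resolver queries. It groups queries by source and destination and flags a pair when every query comes from source port 53, every query is type ANY, one transaction id is reused across the burst, or many queries land within a short window. The thresholds `min_burst` and `burst_window` are assumptions; the sample input is the ten query lines from the post plus one constructed benign lookup. The amplification figure uses the 39-byte query and the 1132-byte response quoted in the thread.

```python
"""Heuristics for spotting DNS reflection/amplification in tcpdump output.
Added example, not code from the nsp-sec post; thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# tcpdump query summary, e.g.
#   17:24:32.898553 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
# Response summaries ("1875| 22/0/0 A ...") deliberately do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[^\s\[]*)"   # id plus flag chars such as '+' (RD)
    r"(?:\s+\[[^\]]*\])*"                 # optional bracketed EDNS info, e.g. [1au]
    r"\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<length>\d+)\)$"
)


@dataclass
class Query:
    ts: str; src: str; sport: int; dst: str; dport: int
    txid: int; qtype: str; qname: str; length: int


@dataclass
class Finding:
    src: str
    dst: str
    queries: int
    span_seconds: float
    reasons: list = field(default_factory=list)


def parse_query(line):
    """Return a Query for a tcpdump DNS query line, or None for anything else."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Query(g["ts"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                 int(g["txid"]), g["qtype"], g["qname"], int(g["length"]))


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def assess(lines, min_burst=5, burst_window=1.0):
    """Group queries by (src, dst) and report every pair that trips a heuristic."""
    groups = defaultdict(list)
    for q in filter(None, map(parse_query, lines)):
        groups[(q.src, q.dst)].append(q)
    findings = []
    for (src, dst), qs in groups.items():
        qs.sort(key=lambda q: _seconds(q.ts))
        reasons = []
        if all(q.sport == 53 for q in qs):
            reasons.append("all queries sourced from port 53 (resolvers use random ports)")
        if all(q.qtype == "ANY" for q in qs):
            reasons.append("ANY queries (largest possible response per packet)")
        txid, reuse = Counter(q.txid for q in qs).most_common(1)[0]
        if reuse >= min_burst:
            reasons.append(f"transaction id {txid} reused {reuse} times (resolvers randomise it)")
        span = _seconds(qs[-1].ts) - _seconds(qs[0].ts)
        if len(qs) >= min_burst and span <= burst_window:
            reasons.append(f"{len(qs)} queries within {span:.3f}s")
        if reasons:
            findings.append(Finding(src, dst, len(qs), round(span, 6), reasons))
    return findings


def amplification_factor(query_bytes, response_bytes):
    """Bytes reflected toward the victim per byte the sender spends."""
    return response_bytes / query_bytes


# Sample input: the ten query lines from the post, plus one constructed ordinary
# lookup (192.0.2.10 is a documentation address) that must not be flagged.
SAMPLE_LINES = [
    "17:24:32.898553 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:32.898561 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:32.936402 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:32.938791 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:32.971383 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:32.978118 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:33.011356 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:33.011363 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:33.017839 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:33.017844 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)",
    "17:24:40.102000 IP 192.0.2.10.41234 > 67.43.130.51.53: 4021+ A? www.example.com. (33)",
]

if __name__ == "__main__":
    for f in assess(SAMPLE_LINES):
        print(f"{f.src} -> {f.dst}: {f.queries} queries in {f.span_seconds}s")
        for r in f.reasons:
            print("  -", r)
    # 39-byte ANY query versus the 1132-byte response quoted in the thread
    print(f"amplification ~{amplification_factor(39, 1132):.1f}x")
```

The source-port-53 and repeated-transaction-id checks are the ones that matter most here: a real recursive resolver sends each query from a fresh ephemeral port with a fresh id, so a stream of identical `1875+ ... ANY?` packets from port 53 is either a forged source (the reflection case suspected in the post) or a badly broken client, and either way it is safe to rate-limit or drop responses to it at the authoritative server. Feed the function `tcpdump -nn -l udp port 53` output line by line to run it against live traffic.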