[nsp-sec] DDoS to 212.97.109.168 and 69.172.200.88
Mike Tancsa
mike at sentex.net
Thu Sep 8 11:31:15 EDT 2011
On 9/7/2011 5:32 PM, Mike Tancsa wrote:
>> and lasted approx. 2-3 hours (not sure about the duration).
>
> 17:24:32.898553 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:32.898561 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:32.936402 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:32.938791 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:32.971383 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:32.978118 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:33.011356 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:33.011363 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:33.017839 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
> 17:24:33.017844 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>
> Not sure if at this point it's all spoofed traffic or not, but I think it might be.
More of it this morning. This time 69.172.200.88. Anyone know what
they are trying to do?
09:29:21.005129 IP 67.43.130.51.51009 > 216.12.144.90.53: 16%
[b2&3=0x14] [21329a] [11106q] [12609n] [16705au][|domain]
09:29:21.031129 IP 216.12.144.90.53 > 67.43.130.51.51009: 32784%
[b2&3=0x14] [21329a] [11106q] [12609n] [16705au][|domain]
11:17:21.524764 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:21.580339 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:21.580347 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:21.680446 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:21.940246 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:21.957591 IP 67.43.130.51.53 > 69.172.200.88.53: 1875| 22/0/0 A
192.0.43.7, NS d.iana-servers.net., NS b.iana-servers.net., NS
ns.icann.org., NS a.iana-servers.net., NS c.iana-servers.net., SOA, MX
pechora2.icann.org. 10, MX pechora3.icann.org. 10, MX
pechora4.icann.org. 10, MX pechora5.icann.org. 10, MX
pechora6.icann.org. 10, MX pechora7.icann.org. 10, MX
pechora8.icann.org. 10, MX pechora1.icann.org. 10, AAAA
2001:500:88:200::7, DS, DS, RRSIG, RRSIG, DNSKEY, DNSKEY (1260)
11:17:21.972705 IP 67.43.130.51.53 > 69.172.200.88.53: 1875| 22/0/0 A
192.0.43.7, NS d.iana-servers.net., NS b.iana-servers.net., NS
ns.icann.org., NS a.iana-servers.net., NS c.iana-servers.net., SOA, MX
pechora2.icann.org. 10, MX pechora3.icann.org. 10, MX
pechora4.icann.org. 10, MX pechora5.icann.org. 10, MX
pechora6.icann.org. 10, MX pechora7.icann.org. 10, MX
pechora8.icann.org. 10, MX pechora1.icann.org. 10, AAAA
2001:500:88:200::7, DS, DS, RRSIG, RRSIG, DNSKEY, DNSKEY (1260)
11:17:21.979246 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:21.987323 IP 67.43.130.51.53 > 69.172.200.88.53: 1875| 22/0/1 A
192.0.43.7, NS d.iana-servers.net., NS b.iana-servers.net., NS
ns.icann.org., NS a.iana-servers.net., NS c.iana-servers.net., SOA, MX
pechora2.icann.org. 10, MX pechora3.icann.org. 10, MX
pechora4.icann.org. 10, MX pechora5.icann.org. 10, MX
pechora6.icann.org. 10, MX pechora7.icann.org. 10, MX
pechora8.icann.org. 10, MX pechora1.icann.org. 10, AAAA
2001:500:88:200::7, DS, DS, RRSIG, RRSIG, DNSKEY, DNSKEY (1271)
11:17:22.018204 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.095414 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.095422 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.095429 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.210731 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.364381 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.364386 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.364390 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.364394 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.555512 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.555516 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.555520 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.787748 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
11:17:22.787753 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY?
icann.org. (39)
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
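
An added example, not part of the original message: a Python parser for tcpdump DNS lines like those above. For each remote peer it counts ANY queries that repeat a single DNS ID and compares mean reply size with mean query size. The function names and the `min_queries` threshold are assumptions; the sample lines are copied from the capture above with the mail wrapping undone and the reply's record list abbreviated.

```python
import re
from collections import defaultdict

# Lines taken from the capture in the message above, with the mail wrapping
# undone; the record list in the reply is abbreviated with "...".
CAPTURE = """\
11:17:21.524764 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
11:17:21.580339 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
11:17:21.580347 IP 69.172.200.88.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
11:17:21.957591 IP 67.43.130.51.53 > 69.172.200.88.53: 1875| 22/0/0 A 192.0.43.7, ... DNSKEY (1260)
09:29:21.005129 IP 67.43.130.51.51009 > 216.12.144.90.53: 16% [b2&3=0x14] [21329a] [11106q] [12609n] [16705au][|domain]
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)\S* "
    r"(?P<body>.*)\((?P<len>\d+)\)$"
)

def summarize(capture, resolver):
    """Per remote peer: DNS queries received and replies sent by `resolver`."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "ids": set(),
                                 "bytes_in": 0, "replies": 0, "bytes_out": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # lines without a trailing (length) are skipped, not guessed at
        size = int(m["len"])
        if m["dst"] == resolver and m["dport"] == "53":
            s = stats[m["src"]]
            s["queries"] += 1
            s["any"] += "ANY?" in m["body"]
            s["ids"].add(m["id"])
            s["bytes_in"] += size
        elif m["src"] == resolver and m["sport"] == "53":
            s = stats[m["dst"]]
            s["replies"] += 1
            s["bytes_out"] += size
    return stats

def suspects(stats, min_queries=3):
    """Peers sending only ANY queries under one DNS ID -> mean reply/query size ratio."""
    out = {}
    for peer, s in stats.items():
        if s["queries"] >= min_queries and s["any"] == s["queries"] and len(s["ids"]) == 1:
            mean_q = s["bytes_in"] / s["queries"]
            out[peer] = round(s["bytes_out"] / s["replies"] / mean_q, 1) if s["replies"] else None
    return out
```

Run as `suspects(summarize(text, "67.43.130.51"))` on unwrapped tcpdump output; a ratio of `None` means no reply to that peer was captured.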