[nsp-sec] DDoS to 212.97.109.168 and 69.172.200.88

Chris Morrow morrowc at ops-netman.net
Thu Sep 8 11:46:18 EDT 2011



On 09/08/11 11:31, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
> 
> On 9/7/2011 5:32 PM, Mike Tancsa wrote:
>>> and lasted approx. 2-3 hours (not sure about the duration).
>>
>> 17:24:32.898553 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:32.898561 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:32.936402 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:32.938791 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:32.971383 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:32.978118 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:33.011356 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:33.011363 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:33.017839 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>> 17:24:33.017844 IP 216.114.79.43.53 > 67.43.130.51.53: 1875+ [1au] ANY? icann.org. (39)
>>
>> Not sure if at this point it's all spoofed traffic or not, but I think it might be.
> 
> 
> More of it this morning. This time 69.172.200.88. Anyone know what
> they are trying to do?
> 

;; Query time: 39 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Sep  8 11:41:59 2011
;; MSG SIZE  rcvd: 3098

looks, to me, like a 'standard' dns reflection attack.. go icann +
dnssec + edns0!

DosArrest PEER1-DOSARREST-01 (NET-69-172-200-0-1) 69.172.200.0 - 69.172.201.255
Peer 1 Network Inc. PEER1-BLK-14 (NET-69-172-192-0-1) 69.172.192.0 - 69.172.255.255


harhar.. 'dosarrest' ... err, methinks someone moved their 'service' to
a dos-mitigation company.

(passive-dns data included in case it helps?)
bidhere.com -> 69.172.200.88

www.tourbuzz.net -> 216.114.79.43
openhouse.showcasere.com -> 216.114.79.43
tour.tourbuzz.net -> 216.114.79.43
tours.tourbuzz.net -> 216.114.79.43
216.114.79.43 -> static-216.114.79.43.primarynetwork.com
phocoa.com -> 216.114.79.43

www.uhlsport.com -> 212.97.109.168


-chris
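
An added example, not part of the original message: a detection sketch that parses tcpdump query lines in the format quoted above and flags the burst pattern the capture shows (one source repeating an ANY query that carries an additional record, always with the same transaction ID). The function name, the repeat threshold and the sample lines (RFC 5737 documentation addresses) are assumptions made for illustration; the 3098-byte response size is the dig figure from the reply, assumed to be the answer to the same ANY query.

```python
import re
from collections import defaultdict

# Matches the tcpdump DNS query line format quoted in the thread.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<qid>\d+)(?P<flags>\S*) (?:\[(?P<extra>\w+)\] )?"
    r"(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)

# Constructed sample capture (documentation addresses, not data from the thread):
# six identical ANY queries plus one ordinary A query from a different client.
SAMPLE = [
    f"17:24:32.{898553 + i} IP 192.0.2.10.53 > 198.51.100.53.53: "
    "1875+ [1au] ANY? example.org. (40)"
    for i in range(6)
]
SAMPLE.append("17:24:33.100000 IP 203.0.113.7.41522 > 198.51.100.53.53: "
              "4211+ A? www.example.org. (33)")

def find_reflection_candidates(lines, min_repeats=5, response_size=None):
    """Flag sources that repeat one ANY query (same ID, additional record present)."""
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            key = (m["src"], m["qid"], m["qtype"].upper(), m["qname"].lower())
            groups[key].append(m)
    findings = []
    for (src, qid, qtype, qname), hits in groups.items():
        # A resolver normally picks a fresh transaction ID per query, so the
        # same ID repeated for one ANY question points at crafted packets whose
        # source address is the party that will receive the large answers.
        if qtype != "ANY" or len(hits) < min_repeats or not hits[0]["extra"]:
            continue
        qsize = int(hits[0]["size"])
        findings.append({
            "likely_victim": src, "qid": int(qid), "qname": qname,
            "queries": len(hits), "query_bytes": qsize,
            # Bytes returned per byte sent, when a response size is known.
            "amplification": round(response_size / qsize, 1) if response_size else None,
        })
    return findings

if __name__ == "__main__":
    for finding in find_reflection_candidates(SAMPLE, response_size=3098):
        print(finding)
```
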


