[nsp-sec] Reflective DNS DDoS attacks icann.org dnssec Was: Re: DDoS to 212.97.109.168 and 69.172.200.88
Robert
robert at servalens.com
Fri Sep 16 12:36:41 EDT 2011
Has anyone still been working these incidents? I've seen two now since 9/10.
Has related malware or CNC been identified?
I've now seen two of these (>6000 queries/sec) in my infrastructure, but
with a twist.
The queries (dig +dnssec icann.org, EDNS0) appear to be sourcing from
real IPs (have seen over 90 and all don't appear to be spoofed).
The DNS servers receiving those queries are the proper set of DNS
servers for those 90 IPs.
I'm wondering if there is any possibility there is a malfunctioning bot
on those systems that is not properly filling in the correct spoofed
source IP (aka victim).
CNC info would be really helpful in ruling out the above theory.
Thank you,
Robert Danford
Verizon
On 09/11/2011 02:32 AM, Kurt Jaeger wrote:
> ----------- nsp-security Confidential --------
>
> Hi!
>
>> www.uhlsport.com -> 212.97.109.168
>
> Just FYI, tonight between 4 and 7 CEST the attack reappeared
> on the new IP of the website (212.97.105.25).
>
> So, the domain seems under repeated attack...
>