[nsp-sec] DDoS to Internap DNS Servers

Chip Gwyn cgwyn at internap.com
Thu Apr 26 19:13:05 EDT 2012


Here's a list of IPs I scraped from netflow data.  These were the top
flow/octet sources during the time frame we were getting hit.  I can't
claim with a high level of reliability that these are sources of
malicious traffic, but they were some of the top talkers at least, if anyone
feels like poking around on their networks. The traffic has subsided for now,
however.

Thanks to all who responded, much appreciated!

--chip


ASN     | Source IP        | AS name
36351   | 50.22.1.40       | SOFTLAYER - SoftLayer Technologies Inc.
36351   | 50.22.11.55      | SOFTLAYER - SoftLayer Technologies Inc.
36351   | 50.23.232.67     | SOFTLAYER - SoftLayer Technologies Inc.
15244   | 67.210.105.32    | ADDD2NET-COM-INC-DBA-LUNARPAGES - Lunar Pages
46475   | 74.63.253.152    | LIMESTONENETWORKS - Limestone Networks, Inc.
20773   | 80.246.53.10     | HOSTEUROPE-AS Host Europe GmbH
8624    | 81.90.65.42      | TENUE-AS Tenue Oy
16276   | 91.121.136.80    | OVH OVH Systems
16276   | 94.23.26.58      | OVH OVH Systems
21788   | 108.175.148.52   | NOC - Network Operations Center Inc.
36351   | 174.36.23.198    | SOFTLAYER - SoftLayer Technologies Inc.
21844   | 174.120.146.186  | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
16276   | 176.31.87.205    | OVH OVH Systems
20773   | 178.77.83.2      | HOSTEUROPE-AS Host Europe GmbH
8315    | 194.165.34.157   | ARGEWEB-AS Argeweb B.V.
19066   | 209.188.90.49    | WIREDTREE - Cogswell Enterprises Inc.
8256    | 212.191.5.121    | LODMAN-AS Metropolitan Area Network LODMAN
33182   | 66.7.199.26      | DIMENOC---HOSTDIME - HostDime.com, Inc.
25151   | 85.158.203.167   | CYSO-AS Cyso Hosting B.V., Alkmaar, The Netherlands
25151   | 93.94.226.27     | CYSO-AS Cyso Hosting B.V., Alkmaar, The Netherlands
8972    | 188.138.0.169    | PLUSSERVER-AS intergenia AG
53525   | 199.16.155.172   | VCOMP - Venture Computers of Canada
17917   | 202.164.36.10    | QTLTELECOM-AS-AP Quadrant Televentures Limited
35916   | 204.13.153.6     | MULTA-ASN1 - MULTACOM CORPORATION




On Thu, Apr 26, 2012 at 4:18 PM, Nicholas Ianelli <ni at allyourinfoarebelongto.us> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > We're seeing mostly udp port 53, but in large volumes.  We're also
> > noticing source port 33333 for a good number of sources.  If some
> > folks could poke around, it would be much appreciated. Packet
> > contents seem to indicate queries for AAAAAAAAA, so they are
> > bogus.
>
> Sounds like a very common pattern. Last time I tracked one of these
> (few months ago), it was tied to compromised web servers. You have any
> source IPs to quickly investigate (despite being port 53/UDP, the
> previous attacks were not spoofed)?
>
> The C2 would send out commands that would include who to target and
> for what length of time. There wasn't a constant check-in, so it was
> extremely difficult to find.
>
> Cheers,
> Nick
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iEYEARECAAYFAk+ZrbAACgkQi10dJIBjZIDb3QCfXOBIQtORY51B9on1y+UDGWBv
> y04AnAoRPnRCfqS72bvkly3ujQslZ1uD
> =ITt0
> -----END PGP SIGNATURE-----
>



-- 

--chip


Chip Gwyn | IP Network Architecture
---------------------------------------------------------------
Phone 404.302.9976
cgwyn at internap.com  *  www.internap.com

INTERNAP
connectivity | colocation | managed hosting | cloud

One Ravinia Drive . Suite 1300 . Atlanta . GA . 30346
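The two observations in this thread (rank UDP/53 sources by octets from flow data, and note how many of them use a fixed source port such as 33333 or carry junk names like "AAAAAAAAA") are easy to turn into a repeatable triage script. The following is an added example, not Chip's or Internap's tooling: the flow-record format and every address, port and byte count in it are constructed for illustration, and `build_dns_query` exists only to fabricate a sample packet for the QNAME check.

```python
"""Triage helpers for a DNS flood seen in flow data: rank sources sending to
UDP/53 by octets, count flows that reuse one fixed source port, and flag
single-character junk query names. Added example with constructed input."""
import struct
from collections import defaultdict

# Constructed flow records (not real netflow export):
# proto src sport dst dport packets octets
SAMPLE_FLOWS = """\
udp 203.0.113.10 33333 198.51.100.53 53 120000 7680000
udp 203.0.113.11 33333 198.51.100.53 53 90000 5760000
udp 203.0.113.12 40211 198.51.100.53 53 500 32000
udp 192.0.2.7 33333 198.51.100.54 53 150000 9600000
tcp 192.0.2.8 51022 198.51.100.53 443 30 4000
udp 203.0.113.10 33333 198.51.100.54 53 80000 5120000
"""


def parse_flows(text):
    """Parse the whitespace-separated constructed flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, pkts, octets = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport),
                      "pkts": int(pkts), "octets": int(octets)})
    return flows


def top_dns_talkers(flows, n=5, fixed_sport=33333):
    """Aggregate UDP flows to port 53 per source IP.

    Returns (src, octets, flow_count, flows_using_fixed_sport), highest
    octets first. A high fixed_sport count is the signature the thread
    mentions; a TCP or non-53 flow is ignored.
    """
    agg = defaultdict(lambda: {"octets": 0, "flows": 0, "fixed": 0})
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != 53:
            continue
        a = agg[f["src"]]
        a["octets"] += f["octets"]
        a["flows"] += 1
        if f["sport"] == fixed_sport:
            a["fixed"] += 1
    ranked = sorted(agg.items(), key=lambda kv: kv[1]["octets"], reverse=True)
    return [(src, a["octets"], a["flows"], a["fixed"]) for src, a in ranked[:n]]


def build_dns_query(qname, qtype=1):
    """Construct a minimal DNS query (ID 0x1234, RD set) for the sample only."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload):
    """Return the QNAME of the first question in a DNS payload.

    Query packets do not use name compression, so a pointer byte is treated
    as malformed rather than followed; truncated data raises ValueError.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def looks_bogus(qname, min_run=8):
    """True when any label is one character repeated, e.g. 'AAAAAAAAA'."""
    return any(len(lbl) >= min_run and len(set(lbl.lower())) == 1
               for lbl in qname.split("."))


if __name__ == "__main__":
    for src, octets, flows, fixed in top_dns_talkers(parse_flows(SAMPLE_FLOWS)):
        print(f"{src:16} {octets:>10} octets  {flows} flows  {fixed} with sport 33333")
    sample = build_dns_query("AAAAAAAAA")
    print(parse_qname(sample), "bogus" if looks_bogus(parse_qname(sample)) else "ok")
```

Feeding real flow exports into `parse_flows` only needs the field mapping changed; the ranking and fixed-source-port count are what let you separate a flood source from a busy but legitimate resolver, and `looks_bogus` is a cheap first filter on captured query payloads before anything heavier.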