[nsp-sec] DDoS Towards 37.26.106.206

sthaug at nethelp.no
Sat Jul 7 16:03:44 EDT 2012


> Our downstream customer, AS52148, has been under an attack of around 3Gbps for the last 7 or so hours.
> 
> Traffic is UDP flood to 37.26.106.206. Whilst this prefix is null routed we are still seeing a lot of traffic hit us. I can see on sflow/netflow that this is coming from a large number of sources (probably spoofed).
> 
> Would people please check their flows for any UDP traffic to 37.26.106.206 and take the appropriate action?

I can confirm that we (AS 2116) are seeing what are presumably spoofed
DNS queries from 37.26.106.206, e.g.

21:55:51.459074 IP 37.26.106.206.53 > 81.191.3.87.53: 952+ [1au] ANY? ripe.net. (38)

We are receiving this traffic from peers at Netnod in Stockholm.

We have blackholed the return traffic to 37.26.106.206 since around
17:50 local time (15:50 UTC).

Steinar Haug, AS 2116
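
One way to triage a capture like the tcpdump line quoted above, as an added example that is not part of the original message: parse the one-line DNS query format and group ANY queries to port 53 by claimed source address. The function names, the threshold of 3, and every sample line after the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# tcpdump's one-line DNS query format, as in the capture line quoted above:
#   time IP src.sport > dst.dport: id[+%] [Nau] QTYPE? qname (len)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"\d+[+%]* (?:\[(?P<edns>\d+)au\] )?(?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$"
)

def parse_query(line):
    """Return the fields of one tcpdump DNS query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    q = m.groupdict()
    q["sport"], q["dport"] = int(q["sport"]), int(q["dport"])
    return q

def claimed_sources_of_any_floods(lines, min_queries=3):
    """Group ANY queries sent to port 53 by claimed source address.

    A source at or above min_queries (an assumed threshold) is a candidate
    spoofed address, i.e. the likely target of the reflected answers.
    """
    counts, resolvers = Counter(), {}
    for line in lines:
        q = parse_query(line)
        if q is None or q["dport"] != 53 or q["qtype"] != "ANY":
            continue
        counts[q["src"]] += 1
        resolvers.setdefault(q["src"], set()).add(q["dst"])
    return {src: {"queries": n, "resolvers": sorted(resolvers[src])}
            for src, n in counts.items() if n >= min_queries}

# First line is the one quoted in the message; the rest are constructed
# (documentation address ranges) to exercise the filter.
SAMPLE = """\
21:55:51.459074 IP 37.26.106.206.53 > 81.191.3.87.53: 952+ [1au] ANY? ripe.net. (38)
21:55:51.460112 IP 37.26.106.206.53 > 192.0.2.10.53: 4411+ [1au] ANY? ripe.net. (38)
21:55:51.461530 IP 37.26.106.206.53 > 192.0.2.11.53: 17003+ [1au] ANY? ripe.net. (38)
21:55:51.470201 IP 198.51.100.7.40112 > 192.0.2.10.53: 2290+ A? www.example.com. (33)
21:55:51.480933 IP 198.51.100.9.51844 > 192.0.2.11.53: 731+ [1au] ANY? example.net. (40)
""".splitlines()

if __name__ == "__main__":
    for src, info in claimed_sources_of_any_floods(SAMPLE).items():
        print(src, info["queries"], "ANY queries via", ", ".join(info["resolvers"]))
```
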


