[nsp-sec] Reflected DDoS Attack Targeting Sainsbury's

Mike Tancsa mike at sentex.net
Fri Mar 2 19:02:17 EST 2012


On 3/2/2012 11:31 AM, Boehm, Paul wrote:
> 
> Can the nspsec community please check from which ASNs you receive UDP
> 
> All UDP traffic from source IP 62.25.72.2 is spoofed.

We are seeing a steady stream come in from Cogent AS174 out of Toronto,
Canada.


18:55:50.727152 IP (tos 0x0, ttl 121, id 31851, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 67.43.130.51.53: [no cksum] 952+ [1au] ANY?
ripe.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.727621 IP (tos 0x0, ttl 121, id 31855, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 67.43.140.10.53: [no cksum] 952+ [1au] ANY?
ripe.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.859402 IP (tos 0x0, ttl 121, id 25720, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.152.146.53: [no cksum] 952+ [1au] ANY?
ripe.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.859594 IP (tos 0x0, ttl 121, id 25711, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.147.129.53: [no cksum] 952+ [1au] ANY?
ripe.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.859595 IP (tos 0x0, ttl 121, id 25731, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.157.111.53: [no cksum] 952+ [1au] ANY?
ripe.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.859600 IP (tos 0x0, ttl 121, id 25708, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.141.29.53: [no cksum] 952+ [1au] ANY? ripe.net.
ar: . OPT UDPsize=4096 OK (38)
18:55:50.859604 IP (tos 0x0, ttl 121, id 25717, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.141.17.53: [no cksum] 952+ [1au] ANY? ripe.net.
ar: . OPT UDPsize=4096 OK (38)
18:55:50.859803 IP (tos 0x0, ttl 121, id 25713, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.147.176.53: [no cksum] 952+ [1au] ANY?
ripe.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.859807 IP (tos 0x0, ttl 121, id 25724, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.157.29.53: [no cksum] 952+ [1au] ANY? ripe.net.
ar: . OPT UDPsize=4096 OK (38)
18:55:50.859908 IP (tos 0x0, ttl 121, id 25726, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.152.188.53: [no cksum] 952+ [1au] ANY?
ripe.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.859913 IP (tos 0x0, ttl 121, id 25732, offset 0, flags [none],
proto UDP (17), length 66)
    62.25.72.2.53 > 64.7.135.40.53: [no cksum] 952+ [1au] ANY? ripe.net.
ar: . OPT UDPsize=4096 OK (38)
18:55:50.865399 IP (tos 0x0, ttl 61, id 21090, offset 0, flags [DF],
proto UDP (17), length 273)


	---Mike



-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
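
An added example, not part of the original message: a Python script that rejoins mail-wrapped tcpdump -v records like those above and reports, per claimed source address, how many resolvers received ANY queries advertising a 4096-byte EDNS buffer, along with the TTLs observed. The sample capture is constructed with documentation addresses, and the thresholds (4096 bytes, three resolvers) and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -v layout (RFC 5737 addresses); the first
# record is wrapped the way a mail client wraps it, the last one is truncated.
SAMPLE = """\
18:55:50.727152 IP (tos 0x0, ttl 121, id 31851, offset 0, flags [none],
proto UDP (17), length 66)
    192.0.2.2.53 > 198.51.100.51.53: [no cksum] 952+ [1au] ANY?
example.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.727621 IP (tos 0x0, ttl 121, id 31855, offset 0, flags [none], proto UDP (17), length 66)
    192.0.2.2.53 > 198.51.100.10.53: [no cksum] 952+ [1au] ANY? example.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.859402 IP (tos 0x0, ttl 121, id 25720, offset 0, flags [none], proto UDP (17), length 66)
    192.0.2.2.53 > 198.51.100.146.53: [no cksum] 952+ [1au] ANY? example.net. ar: . OPT UDPsize=4096 OK (38)
18:55:50.861000 IP (tos 0x0, ttl 57, id 4411, offset 0, flags [none], proto UDP (17), length 61)
    203.0.113.9.41822 > 198.51.100.51.53: [udp sum ok] 4411+ A? www.example.org. (33)
18:55:50.865399 IP (tos 0x0, ttl 61, id 21090, offset 0, flags [DF],
proto UDP (17), length 273)
"""

REC = re.compile(r"ttl (?P<ttl>\d+),.*?\) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                 r"(?P<dst>[\d.]+)\.(?P<dport>\d+): .*? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)")

def records(text):
    """Rejoin wrapped lines: a record runs from one timestamp line to the next."""
    chunks = re.split(r"(?m)^(?=\d\d:\d\d:\d\d\.\d+ IP )", text)
    return [" ".join(c.split()) for c in chunks if c.strip()]

def summarize(text, min_resolvers=3):
    """Claimed sources sending large-buffer ANY queries to many resolvers."""
    seen = defaultdict(lambda: {"packets": 0, "resolvers": set(), "ttls": set()})
    for rec in records(text):
        m = REC.search(rec)
        edns = re.search(r"UDPsize=(\d+)", rec)
        if not m or m["qtype"] != "ANY" or not edns or int(edns[1]) < 4096:
            continue  # truncated record, ordinary query, or small EDNS buffer
        s = seen[m["src"]]
        s["packets"] += 1
        s["resolvers"].add(m["dst"])
        s["ttls"].add(int(m["ttl"]))
    # Heuristic only: keep sources whose queries fan out to enough resolvers.
    return {src: {"packets": s["packets"], "resolvers": len(s["resolvers"]),
                  "ttls": sorted(s["ttls"])}
            for src, s in seen.items() if len(s["resolvers"]) >= min_resolvers}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
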


