[nsp-sec] bad boy on 93.170.92.210 AS2591

sthaug at nethelp.no sthaug at nethelp.no
Thu Sep 13 10:04:27 EDT 2012


> 93.170.92.210 AS2591 is doing some bad DNS stuff.... not exactly sure what, but
> looks like it's scanning lots of address space for udp 53 and attempting dns
> poisoning.
> 
> It's been busy polling our network for some time.

Interesting. We're seeing what looks like a spoofed source amplification
attack against 93.170.92.210:

16:02:43.640165 IP 93.170.92.210.80 > 83.242.17.63.53: 24205+ [1au] ANY? isc.org. (36)
16:02:43.645214 IP 93.170.92.210.80 > 83.242.29.80.53: 57692+ [1au] ANY? isc.org. (36)
16:02:43.661160 IP 93.170.92.210.80 > 85.221.64.81.53: 14838+ [1au] ANY? isc.org. (36)
16:02:43.662401 IP 93.170.92.210.80 > 85.221.64.81.53: 25284+ [1au] ANY? isc.org. (36)
16:02:43.671446 IP 93.170.92.210.80 > 109.163.201.20.53: 303+ [1au] ANY? isc.org. (36)

but also this traffic which I don't really understand:

16:03:21.766595 IP 93.170.92.210.40873 > 93.179.31.34.53: 5177+ A? www.irishindependentescorts. (48)
16:03:21.778938 IP 93.170.92.210.45349 > 46.46.198.89.53: 4784+ A? www.irishindependentescorts. (48)
16:03:21.786821 IP 93.170.92.210.11027 > 46.46.208.43.53: 5177+ A? www.irishindependentescorts. (48)
16:03:21.786902 IP 93.170.92.210.31824 > 93.179.17.18.53: 5177+ A? www.irishindependentescorts. (48)
16:03:21.788996 IP 93.170.92.210.34533 > 93.179.21.218.53: 5177+ A? www.irishindependentescorts. (48)

Steinar Haug, AS 2116
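
An added example, not part of the original post: a small parser for tcpdump lines like those above that flags the pattern described as a spoofed-source amplification attack (ANY queries with EDNS sent to many resolvers from one fixed source port). The function names, the heuristic and the `min_resolvers` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# tcpdump one-line DNS query format as it appears in the capture above.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+ (?P<edns>\[1au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

# Lines copied from the capture in the post (five ANY queries, two A queries).
SAMPLE = """\
16:02:43.640165 IP 93.170.92.210.80 > 83.242.17.63.53: 24205+ [1au] ANY? isc.org. (36)
16:02:43.645214 IP 93.170.92.210.80 > 83.242.29.80.53: 57692+ [1au] ANY? isc.org. (36)
16:02:43.661160 IP 93.170.92.210.80 > 85.221.64.81.53: 14838+ [1au] ANY? isc.org. (36)
16:02:43.662401 IP 93.170.92.210.80 > 85.221.64.81.53: 25284+ [1au] ANY? isc.org. (36)
16:02:43.671446 IP 93.170.92.210.80 > 109.163.201.20.53: 303+ [1au] ANY? isc.org. (36)
16:03:21.766595 IP 93.170.92.210.40873 > 93.179.31.34.53: 5177+ A? www.irishindependentescorts. (48)
16:03:21.778938 IP 93.170.92.210.45349 > 46.46.198.89.53: 4784+ A? www.irishindependentescorts. (48)
"""

def parse(lines):
    """Yield one dict per tcpdump DNS query line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                   "edns": m["edns"] is not None, "qtype": m["qtype"],
                   "qname": m["qname"]}

def reflection_candidates(records, min_resolvers=3):
    """Return claimed sources whose ANY+EDNS queries hit many resolvers
    from a single fixed source port (assumed heuristic and threshold)."""
    by_src = defaultdict(list)
    for r in records:
        if r["qtype"] == "ANY" and r["edns"]:
            by_src[r["src"]].append(r)
    hits = {}
    for src, recs in by_src.items():
        resolvers = {r["dst"] for r in recs}
        sports = {r["sport"] for r in recs}
        if len(resolvers) >= min_resolvers and len(sports) == 1:
            hits[src] = {"queries": len(recs), "resolvers": len(resolvers),
                         "sport": sports.pop(),
                         "qnames": sorted({r["qname"] for r in recs})}
    return hits

if __name__ == "__main__":
    for src, info in reflection_candidates(parse(SAMPLE.splitlines())).items():
        print(src, info)
```

The A queries from random source ports are parsed but not flagged, since they do not match the fixed-port ANY pattern.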


