[nsp-sec] bad boy on 93.170.92.210 AS2591

Steve Colam sjc at eng.gxn.net
Thu Sep 13 11:40:33 EDT 2012


On Thu, 13 Sep 2012, sthaug at nethelp.no wrote:

>> 93.170.92.210 AS2591 is doing some bad DNS stuff.... not exactly sure what, but
>> looks like it's scanning lots of address space for udp 53 and attempting dns
>> poisoning.
>>
>> It's been busy polling our network for some time.
>
> Interesting. We're seeing what looks like a spoofed source amplification
> attack against 93.170.92.210:
>
> 16:02:43.640165 IP 93.170.92.210.80 > 83.242.17.63.53: 24205+ [1au] ANY? isc.org. (36)
[snip]
> 16:02:43.671446 IP 93.170.92.210.80 > 109.163.201.20.53: 303+ [1au] ANY? isc.org. (36)
>
> but also this traffic which I don't really understand:
>
> 16:03:21.766595 IP 93.170.92.210.40873 > 93.179.31.34.53: 5177+ A? www.irishindependentescorts. (48)
[snip]
> 16:03:21.788996 IP 93.170.92.210.34533 > 93.179.21.218.53: 5177+ A? www.irishindependentescorts. (48)
>
> Steinar Haug, AS 2116
>

Exactly the same here, most of the hosts it's trying to probe on our network are
open resolvers, and I guess the ones that aren't used to be.

We've had it blackholed for a few days.

S.
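
Added example, not part of the original message or written by either poster: a small Python check that parses tcpdump DNS query lines like those quoted above and reports sources whose identical ANY query fans out to several resolvers, the pattern the thread reads as a spoofed-source amplification attack. The function names, the `min_resolvers` threshold and the last sample line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# tcpdump one-line DNS query format, as quoted in the message above.
QUERY = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.53: "
    r"(\d+)\S* (?:\[\S+\] )?(\S+)\? (\S+) \((\d+)\)$"
)

# The first four lines are the ones quoted in the thread; the last is constructed.
SAMPLE = """\
16:02:43.640165 IP 93.170.92.210.80 > 83.242.17.63.53: 24205+ [1au] ANY? isc.org. (36)
16:02:43.671446 IP 93.170.92.210.80 > 109.163.201.20.53: 303+ [1au] ANY? isc.org. (36)
16:03:21.766595 IP 93.170.92.210.40873 > 93.179.31.34.53: 5177+ A? www.irishindependentescorts. (48)
16:03:21.788996 IP 93.170.92.210.34533 > 93.179.21.218.53: 5177+ A? www.irishindependentescorts. (48)
16:04:00.000000 IP 192.0.2.10.51515 > 198.51.100.53.53: 4242+ A? example.com. (29)
"""

def fanout(text):
    """Map (source, qtype, qname) -> set of resolvers that were sent that query."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = QUERY.match(line.strip())
        if m:  # lines that are not DNS queries to port 53 are skipped
            src, _sport, dst, _qid, qtype, qname, _size = m.groups()
            seen[(src, qtype, qname)].add(dst)
    return seen

def any_fanout_sources(text, min_resolvers=2):
    """Sources whose identical ANY query reached at least min_resolvers resolvers.

    If the source address is spoofed, that address is the one receiving the
    large replies. min_resolvers is an assumed threshold; tune it to the
    length of the capture window.
    """
    return sorted({src for (src, qtype, _qname), dsts in fanout(text).items()
                   if qtype == "ANY" and len(dsts) >= min_resolvers})

if __name__ == "__main__":
    for (src, qtype, qname), dsts in sorted(fanout(SAMPLE).items()):
        print(f"{src} {qtype} {qname} -> {len(dsts)} resolver(s)")
    print("ANY fan-out sources:", any_fanout_sources(SAMPLE))
```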




