[nsp-sec] 23 Gbps DNS DDoS against Akamai
Gilmore, Patrick
patrick at akamai.com
Tue Sep 18 21:42:05 EDT 2012
This appears to be against Bank of America.
We're seeing
* 500-byte and other sized UDP packets filled with "A".
* Real DNS queries.
* TCP SYN flood to port 53.
Below are some of the most common source / dest pairs, a packet of As, and a few other smatterings of info. Anything anyone can do to stop this at the source would help. Thanx.
--
TTFN,
patrick
Destinations:
ns10.bac.com 96.6.112.196
ns11.bac.com 184.85.248.67
ns12.bac.com 193.108.91.121
Top Attackers:
58.30.226.145
62.133.206.72
67.19.27.250
67.220.203.242
67.222.22.63
70.38.17.16
74.86.183.201
76.162.253.103
80.241.247.195
80.75.239.69
85.128.44.3
85.17.231.237
91.185.193.184
91.207.44.25
91.228.236.4
93.183.204.25
96.30.29.128
112.78.2.180
112.78.2.2
112.78.6.45
114.80.245.137
116.255.150.136
118.186.68.208
157.181.21.212
159.253.137.106
174.120.70.155
176.31.245.35
178.91.94.6
188.165.202.194
192.192.155.219
200.88.112.60
202.181.178.7
203.117.178.12
205.186.141.33
207.7.90.34
209.59.234.118
209.59.234.118
210.51.4.147
212.40.65.18
212.92.23.213
217.31.57.177
222.59.180.75
00:58:59.903927 IP 80.241.247.195.39088 > 96.6.112.196.53: 16705 op8+ [b2&3=0x4141] [16705a] [16705q] [16705n] [16705au][|domain]
0x0000: 4508 0587 f82d 4000 2e11 35b1 50f1 f7c3 E....- at ...5.P...
0x0010: 6006 70c4 98b0 0035 0573 5bfd 4141 4141 `.p....5.s[.AAAA
0x0020: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0050: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0060: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0070: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0080: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0090: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00a0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00b0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00c0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00d0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00e0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x00f0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0100: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0110: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0120: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0130: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0140: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0150: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0160: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0170: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0180: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0190: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01a0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01b0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01c0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01d0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01e0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x01f0: 4141 AA
Offset from top of IP packet 0x001c = 0x41414141
dst 96.6.112.196 dst port 53, proto udp, total length > 512
Offset 2=0x0587
* Seeing "Unparsed header count wrong" coming from some IP addresses; attack may be attempting to fill the pipe with garbage packets.
- DNS server: 23.62.229.69
- Attacking IP: 190.54.12.101: SANTIAGO, CL (ADX_S.A. @ adx.cl AS 6429)
- 112.78.2.184: TRUONGDINH, VN (Cong_ty_Co_phan_Dich_vu_du_lieu_Truc_tuyen @ vdrs.net AS 45538)
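The filter description above (UDP to port 53, IP total length over 512, and 0x41414141 at offset 0x1c from the top of the IP packet) is effectively a detection rule for the "packet of As" flood. The Python below is an added defender-side illustration, not code from the post or from Akamai: it rebuilds the quoted tcpdump hex dump into raw bytes, parses the IPv4 and UDP headers, and applies that rule, then checks that a constructed ordinary DNS query to the same nameserver is not flagged. The first two and last dump lines are copied from the post; the 29 identical filler lines between them are regenerated rather than pasted. The function names, the 192.0.2.10 source address and the www.example.com query are assumptions made for the example.

```python
import re
import struct
from ipaddress import IPv4Address
from typing import Optional

UDP = 17
DNS_PORT = 53
FILLER_OFFSET = 0x1C               # 20-byte IPv4 header + 8-byte UDP header, as the post states
FILLER_MARKER = b"\x41\x41\x41\x41"  # "AAAA": transaction id 0x4141, flags 0x4141 (opcode 8, unassigned)
MAX_CLASSIC_DNS = 512              # largest DNS-over-UDP message without EDNS0

HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s*(.*)$")
HEX_GROUP = re.compile(r"^[0-9a-f]{4}$")


def parse_tcpdump_hex(text: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x / -X style output.

    Each line is '0xOFFSET:' followed by up to eight 4-hex-digit groups and an
    optional ASCII column.  Only 4-digit groups are consumed, so the ASCII
    column (which can itself look like hex, e.g. 'AA') is ignored.
    """
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:04x} does not follow 0x{len(out):04x}")
        for tok in m.group(2).split()[:8]:
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_ipv4_udp(pkt: bytes) -> Optional[dict]:
    """Decode the IPv4 header and, for UDP, the UDP header. Checksums are not verified."""
    if len(pkt) < 20:
        return None
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
            "ihl": ihl, "total_len": total_len, "captured_len": len(pkt)}
    if proto != UDP or len(pkt) < ihl + 8:
        return info
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    info.update(sport=sport, dport=dport, udp_len=udp_len, payload_off=ihl + 8)
    return info


def matches_filler_flood(pkt: bytes, target_dst: Optional[str] = None) -> bool:
    """Apply the post's rule: UDP/53, IP total length > 512, 0x41414141 at offset 0x1c."""
    info = parse_ipv4_udp(pkt)
    if info is None or info["proto"] != UDP or "dport" not in info:
        return False
    if info["dport"] != DNS_PORT:
        return False
    if target_dst is not None and info["dst"] != target_dst:
        return False
    # The rule keys on the IP total length, not the captured length, so a
    # snaplen-truncated capture (like the one in the post) still matches.
    if info["total_len"] <= MAX_CLASSIC_DNS:
        return False
    # The fixed offset assumes no IP options; with options the DNS header
    # starts later and this rule, like the post's, would not match.
    if info["payload_off"] != FILLER_OFFSET:
        return False
    return pkt[FILLER_OFFSET:FILLER_OFFSET + 4] == FILLER_MARKER


def build_dns_query(src: str, dst: str, qname: str, txid: int = 0x1234) -> bytes:
    """Constructed IPv4/UDP/DNS A-record query for comparison (checksums left zero)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, UDP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + udp


# First two and last lines copied from the tcpdump output in the post; the
# uniform 0x41 filler lines in between are regenerated (constructed) here.
FLOOD_DUMP = "\n".join(
    ["0x0000: 4508 0587 f82d 4000 2e11 35b1 50f1 f7c3 E....- at ...5.P...",
     "0x0010: 6006 70c4 98b0 0035 0573 5bfd 4141 4141 `.p....5.s[.AAAA"]
    + [f"0x{off:04x}: " + " ".join(["4141"] * 8) + " " + "A" * 16
       for off in range(0x20, 0x1F0, 0x10)]
    + ["0x01f0: 4141 AA"]
)
FLOOD_PKT = parse_tcpdump_hex(FLOOD_DUMP)
LEGIT_PKT = build_dns_query("192.0.2.10", "96.6.112.196", "www.example.com")  # constructed

if __name__ == "__main__":
    for name, pkt in (("flood packet from the post", FLOOD_PKT), ("constructed query", LEGIT_PKT)):
        info = parse_ipv4_udp(pkt)
        print(f"{name}: {info['src']} -> {info['dst']}:{info.get('dport')} "
              f"total_len={info['total_len']} captured={info['captured_len']} "
              f"match={matches_filler_flood(pkt, target_dst='96.6.112.196')}")
```

The captured dump is 498 bytes while the IP header claims 1415, so matching on the header's total length rather than the bytes in hand is what keeps the rule working on a truncated capture; the 512-byte threshold will not catch smaller filler packets (the post also mentions 500-byte ones), for which the marker at offset 0x1c alone is the useful discriminator.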