[nsp-sec] 23 Gbps DNS DDoS against Akamai

Gilmore, Patrick patrick@akamai.com
Tue Sep 18 22:53:30 EDT 2012


The attack seems to be abating.  We're down to 6 Gbps and dropping.

Let's hope they don't resume any time soon.  If they do, I'll let you all know.  And either way, please clean the IP addresses listed.  A fresh list with ASN / organization is appended.

-- 
TTFN,
patrick



On Sep 18, 2012, at 21:42 , "Gilmore, Patrick" <patrick@akamai.com> wrote:

> This appears to be against Bank of America.
> 
> We're seeing
> 	* 500-byte and other sized UDP packets filled with "A".
> 	* Real DNS queries.
> 	* TCP SYN flood to port 53.
> 
> Below are some of the most common source / dest pairs, a packet of As, and a few other smatterings of info.  Anything anyone can do to stop this at the source would help.  Thanx.
> 
> -- 
> TTFN,
> patrick
> 
> 
> Destinations:
> 	ns10.bac.com 96.6.112.196
> 	ns11.bac.com 184.85.248.67
> 	ns12.bac.com 193.108.91.121
> 
> 
> 00:58:59.903927 IP 80.241.247.195.39088 > 96.6.112.196.53:  16705 op8+ [b2&3=0x4141] [16705a] [16705q] [16705n] [16705au][|domain]
>     0x0000:  4508 0587 f82d 4000 2e11 35b1 50f1 f7c3  E....-@...5.P...
>     0x0010:  6006 70c4 98b0 0035 0573 5bfd 4141 4141  `.p....5.s[.AAAA
> 
> Offset from top of IP packet 0x001c =  0x41414141
> 
> dst 96.6.112.196 dst port 53, proto udp, total length > 512
> 
> Offset 2=0x0587
> 
> 
> * Seeing "Unparsed header count wrong" coming from some IP addresses; attack may be attempting to fill the pipe with garbage packets.  
> - DNS server: 23.62.229.69
> - Attacking IP: 190.54.12.101: SANTIAGO, CL (ADX_S.A. @ adx.cl AS 6429)
> - 112.78.2.184: TRUONGDINH, VN (Cong_ty_Co_phan_Dich_vu_du_lieu_Truc_tuyen @ vdrs.net AS 45538)
> 
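The filter Patrick sketches (UDP to port 53, IP total length > 512, 0x41414141 at offset 0x1c) as a packet classifier, added here as an illustration and not code from the thread or from Akamai. The flood packet is rebuilt from the IP/UDP header bytes in the quoted tcpdump output; the "legitimate" query, its RFC 5737 source address and the helper names are constructed for the example.

```python
import ipaddress
import struct

# First 32 bytes of the flood packet, transcribed from the tcpdump hex dump in the thread
# (20-byte IPv4 header, 8-byte UDP header, then the start of the 'A' filler).
FLOOD_HEADER = bytes.fromhex(
    "4508 0587 f82d 4000 2e11 35b1 50f1 f7c3"
    "6006 70c4 98b0 0035 0573 5bfd 4141 4141"
)
# IP total length in the sample is 0x0587 = 1415 bytes; pad the payload to that size.
FLOOD_PACKET = FLOOD_HEADER[:28] + b"A" * (0x0587 - 28)


def is_garbage_dns_flood(pkt: bytes, min_total_len: int = 513) -> bool:
    """True if pkt matches the signature described in the thread: IPv4/UDP to
    dst port 53, total length > 512, and the DNS header bytes are the 'AAAA' filler."""
    if len(pkt) < 28:
        return False
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl + 8:
        return False                      # not IPv4, bad IHL, or truncated
    total_len = struct.unpack("!H", pkt[2:4])[0]   # "Offset 2" in the thread
    if pkt[9] != 17 or total_len < min_total_len:
        return False                      # not UDP, or too small to be the flood
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if dst_port != 53:
        return False
    # With a 20-byte IP header the DNS payload starts at 0x1c; a real query
    # has a transaction ID and flags here, the flood has 0x41414141.
    return pkt[ihl + 8:ihl + 12] == b"AAAA"


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4/UDP packet (checksums left zero; the classifier ignores them)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


# Constructed ordinary A query for bac.com to ns10.bac.com (96.6.112.196 from the thread);
# the source address is a documentation address, not one of the listed attackers.
LEGIT_QUERY = build_udp_packet(
    "192.0.2.10", "96.6.112.196", 40000, 53,
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x03bac\x03com\x00\x00\x01\x00\x01",
)
```

The length test alone would pass the 500-byte variants Patrick also mentions, so the filler check at offset 0x1c is the part worth keeping when tuning an ACL or flow filter from this data.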
