[nsp-sec] Assistance requested: Spoofed DNS AMP from 174.128.240.179, 20-30Gbps
Stephen Gill
gillsr at cymru.com
Thu Sep 27 00:06:32 EDT 2012
Hi Team,
Would you kindly take a moment to see if you are transiting any spoofed
DNS queries from this IP: 174.128.240.179
If you are, we would love it if you would consider RPF on those links to
stop the spoofed traffic in its tracks. We're also looking for help in
finding what links the spoofed traffic is coming from.
There are about ~4000k recursive servers being used.
I noticed the famous L3 name servers are on the list as well.
http://www.cymru.com/nsp-sec/Owned/2012-09-26_recursive_ddos.txt
(*) Please let me know if you have trouble reading this file.
Right now the attack is down to about 100MBs but earlier in the day it was
closer to 20-30Gbps and is expected to pick up again tomorrow.
Attacks are using queries against ripe.net presently but have been moving
about.
Attack is as follows:
174.128.240.179 (Spoofed) -> Open Recursive ripe.net query ->
174.128.240.179
[ ]
ripe.net has AAAA address 2001:67c:2e8:22::c100:68b
ripe.net mail exchanger = 250 postlady.ripe.net.
ripe.net mail exchanger = 200 postgirl.ripe.net.
ripe.net rdata_47 = 256cns.ripe.net. A NS SOA MX AAAA RRSIG NSEC
DNSKEY
Name: ripe.net
Address: 193.0.6.139
ripe.net
origin = pri.authdns.ripe.net
mail addr = dns.ripe.net
serial = 1348668001
refresh = 3600
retry = 600
expire = 864000
minimum = 3600
ripe.net nameserver = sns-pb.isc.org.
ripe.net nameserver = tinnie.arin.net.
ripe.net nameserver = pri.authdns.ripe.net.
ripe.net nameserver = sec1.apnic.net.
ripe.net nameserver = sec3.apnic.net.
ripe.net nameserver = ns3.nic.fr.
Authoritative answers can be found from:
ripe.net nameserver = sec3.apnic.net.
ripe.net nameserver = pri.authdns.ripe.net.
ripe.net nameserver = sec1.apnic.net.
ripe.net nameserver = tinnie.arin.net.
ripe.net nameserver = ns3.nic.fr.
ripe.net nameserver = sns-pb.isc.org.
postgirl.ripe.net internet address = 193.0.19.66
postgirl.ripe.net has AAAA address 2001:67c:2e8:11::c100:1342
postlady.ripe.net internet address = 193.0.19.65
postlady.ripe.net has AAAA address 2001:67c:2e8:11::c100:1341
ns3.nic.fr internet address = 192.134.0.49
ns3.nic.fr has AAAA address 2001:660:3006:1::1:1
sns-pb.isc.org internet address = 192.5.4.1
sns-pb.isc.org has AAAA address 2001:500:2e::1
tinnie.arin.net internet address = 199.212.0.53
tinnie.arin.net has AAAA address 2001:500:13::c7d4:35
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.team-cymru.org | +1 (847) 378-3323 | gillsr at cymru.com
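
One way a transit operator could act on the request above, as an added example that is not part of the original post: tally UDP/53 flows that claim 174.128.240.179 as their source, per ingress link, keeping only those that would fail a strict RPF check. The routing table, interface names, flow-record layout and all sample flows are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

VICTIM = ipaddress.ip_address("174.128.240.179")  # spoofed source named in the post

# Constructed routing table: prefix -> interface this router uses to reach it.
ROUTES = {
    "0.0.0.0/0": "transit-1",
    "174.128.0.0/16": "peer-7",      # constructed covering prefix (assumption)
    "198.51.100.0/24": "cust-3",
}

# Constructed flow export: ingress interface, src, dst, IP protocol, dst port, packets.
FLOWS = """\
ingress,src,dst,proto,dport,packets
cust-3,174.128.240.179,192.0.2.53,17,53,90000
transit-1,174.128.240.179,203.0.113.9,17,53,40000
peer-7,174.128.240.179,192.0.2.53,17,53,12
cust-3,198.51.100.20,192.0.2.53,17,53,30
cust-3,174.128.240.179,192.0.2.80,6,80,5
"""

def reverse_path(src, routes=ROUTES):
    """Longest-prefix match: the interface this router would use to reach src."""
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()]
    matches = [(n.prefixlen, ifc) for n, ifc in nets if src in n]
    return max(matches)[1] if matches else None

def spoofed_dns_by_link(flow_csv, victim=VICTIM):
    """Packet counts of UDP/53 flows claiming `victim` as source, per ingress
    link, for flows that arrived on a link other than the reverse path."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        if src != victim or row["proto"] != "17" or row["dport"] != "53":
            continue  # not a DNS query claiming the victim's address
        if row["ingress"] != reverse_path(src):
            hits[row["ingress"]] += int(row["packets"])
    return hits

if __name__ == "__main__":
    for link, pkts in spoofed_dns_by_link(FLOWS).most_common():
        print(f"{link}: {pkts} packets fail strict RPF")
```

The links with the highest counts are the candidates for enabling RPF and for tracing the spoofed traffic further upstream.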