[nsp-sec] 12-15 Gbps DNS Amplification attack against 31.222.133.87/32

Mike Tancsa mike at sentex.net
Tue Apr 30 10:14:59 EDT 2013


On 4/30/2013 9:40 AM, Tom Sands wrote:
> ----------- nsp-security Confidential --------
> 
> Just an update on this for more detail.
> 
> The captures that have been done so far indicated the following.
> 
> The source of the DNS queries are being spoofed as 31.222.133.87/32 (of
> course)
> Both the src and dst ports are 53 (rather than high source)
> All captures done so far show each target (amplifier) getting the same
> DNS query ID (not incrementing)
> All captures done so far show the domain being looked up as Arin.net

Hi,
	I am seeing the queries as the crowd favorite, ripe.net.  All the cruft
I was getting was via my cogent peer at 151 Front St. in Toronto.  pcap
available at http://www.tancsa.com/31.222.133.87.zip
passwd is AS11647addrs@

# tcpdump -nr 31.222.133.87.pcap | head
reading from file 31.222.133.87.pcap, link-type EN10MB (Ethernet)
10:16:15.177327 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.181982 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.202872 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.249468 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.254247 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.257528 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.275061 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.298533 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.322382 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
10:16:15.344655 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)


	---Mike




-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
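The thread lists the indicators that mark this traffic as spoofed-source reflection: source and destination port both 53, an ANY query for one name (ripe.net here, arin.net in Tom's captures), and a query ID that never changes across packets fanned out to many resolvers. The following is an added example, not code from the list or from either poster, that parses the tcpdump summary lines quoted above (re-joining the lines a mail client wrapped) and scores each source address against those indicators. The thresholds MIN_PACKETS and MIN_TARGETS and the one benign line from 192.0.2.10 are constructed for this example.

```python
"""Score tcpdump DNS summary lines against the reflection indicators from the thread."""
import re
from collections import defaultdict

# Matches one unwrapped line such as:
# "10:16:15.177327 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)"
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<qid>\d+)\+?(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)

MIN_PACKETS = 5   # assumed threshold: fewer packets says nothing about query-ID reuse
MIN_TARGETS = 2   # assumed threshold: one source hitting several resolvers

# The ten lines quoted in the message plus one constructed benign query (192.0.2.10).
SAMPLE_CAPTURE = """\
reading from file 31.222.133.87.pcap, link-type EN10MB (Ethernet)
10:16:15.177327 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.181982 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.202872 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.249468 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.254247 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.257528 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.275061 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.298533 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.322382 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.344655 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY?
ripe.net. (38)
10:16:15.400000 IP 192.0.2.10.41523 > 64.7.147.71.53: 4471+ A? example.com. (29)
"""


def unwrap(text):
    """Re-join lines that a mail client wrapped; skip tcpdump's 'reading from file' header.
    A continuation line is any non-empty line that does not start with a timestamp."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("reading from file"):
            continue
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] = out[-1] + " " + line
    return out


def parse_line(line):
    """Return a dict of fields for one summary line, or None if it is not a DNS query line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    q = m.groupdict()
    for key in ("sport", "dport", "qid", "length"):
        q[key] = int(q[key])
    return q


def summarize(text):
    """Aggregate per source address: packet count, distinct resolvers hit, IDs, types, names."""
    per_src = defaultdict(lambda: {"packets": 0, "targets": set(), "qids": set(),
                                   "qtypes": set(), "qnames": set(), "port53_both": 0})
    for line in unwrap(text):
        q = parse_line(line)
        if q is None:
            continue
        s = per_src[q["src"]]
        s["packets"] += 1
        s["targets"].add(q["dst"])
        s["qids"].add(q["qid"])
        s["qtypes"].add(q["qtype"])
        s["qnames"].add(q["qname"])
        if q["sport"] == 53 and q["dport"] == 53:
            s["port53_both"] += 1
    return per_src


def reflection_indicators(s):
    """List which of the thread's indicators a source's traffic matches."""
    hits = []
    if s["packets"] >= MIN_PACKETS and s["port53_both"] == s["packets"]:
        hits.append("src and dst port both 53")
    if s["packets"] >= MIN_PACKETS and len(s["qids"]) == 1:
        hits.append("constant query ID")
    if s["qtypes"] == {"ANY"}:
        hits.append("ANY queries")
    if len(s["targets"]) >= MIN_TARGETS and len(s["qnames"]) == 1:
        hits.append("one name fanned out to many resolvers")
    return hits


def flag_sources(text, min_hits=3):
    """Sources matching at least min_hits indicators; these are the likely spoofed victims."""
    return sorted(src for src, s in summarize(text).items()
                  if len(reflection_indicators(s)) >= min_hits)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_CAPTURE).items():
        print(src, s["packets"], "pkts ->", len(s["targets"]), "resolvers:", reflection_indicators(s))
    print("flagged:", flag_sources(SAMPLE_CAPTURE))
```

The address that comes out flagged is the spoofed victim, not the sender, so the useful follow-up on the capturing side is the one Mike did here: work out which peer or port the packets entered on (the cogent peer in this case) rather than filtering on the source address.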
