[nsp-sec] DNS and SNMP Reflection Attack Hosts
Joel L. Rosenblatt
joel at columbia.edu
Mon Jun 24 12:13:42 EDT 2013
Hi,
I have been looking at the Columbia machines of this list and I notice
that most of them are printers.
Is anyone else seeing this?
Thanks,
Joel
Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
On Mon, Jun 24, 2013 at 1:25 AM, Krista Hickey <Krista.Hickey at cogeco.com> wrote:
> ----------- nsp-security Confidential --------
>
>
> [Apologies if this is a duplicate for you]
>
> File 622894 contains ~45K DNS resolvers observed attacking a host June 19, 2013 (peak approx 1.5Gbps)
>
> File 3952583 contains ~28K SNMP resolvers observed attacking a different host June 21, 2013 (peak approx 1Gbps)
>
> I was also working on an unrelated DNS reflection attack our hosts were participating in, and in addition to the usual isc.org queries I observed nukes.directedat.asia queries. I don't have many details on it at the moment, but I think it speaks for itself and returns a fairly large record, so perhaps someone from AS21928 T-Mobile may be interested. Also found someone with thoughts on directedat.asia and some other suspect domains at http://dnsamplificationattacks.blogspot.nl/2013/06/domain-mydnsscanus.html which may be of interest.
>
> As before, details in the file, distribute as required for mitigation but no attribution please and if not necessary please strip target as well.
>
> Thanks
> Krista
> 7992
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________