[nsp-sec] DNS and SNMP Reflection Attack Hosts

Joel L. Rosenblatt joel at columbia.edu
Mon Jun 24 12:39:19 EDT 2013


Update

Of the 55 machines, 53 are printers (HP, Dell, Xerox, Lexmark), one is
offline now and 2 are V Bricks.

Now, my question is: are these machines compromised, or are they just
acting as designed?

Joel


Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Mon, Jun 24, 2013 at 12:13 PM, Joel L. Rosenblatt <joel at columbia.edu> wrote:
> Hi,
>
> I have been looking at the Columbia machines on this list and I notice
> that most of them are printers.
>
> Is anyone else seeing this?
>
> Thanks,
> Joel
>
>
> Joel Rosenblatt, Director Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
> On Mon, Jun 24, 2013 at 1:25 AM, Krista Hickey <Krista.Hickey at cogeco.com> wrote:
>> ----------- nsp-security Confidential --------
>>
>>
>> [Apologies if this is a duplicate for you]
>>
>> File 622894 contains ~45K DNS resolvers observed attacking a host on June 19, 2013 (peak approx 1.5Gbps).
>>
>> File 3952583 contains ~28K SNMP resolvers observed attacking a different host on June 21, 2013 (peak approx 1Gbps).
>>
>> I was also working on an unrelated DNS reflection attack our hosts were participating in, and in addition to the usual isc.org queries I observed nukes.directedat.asia queries. I don't have many details on it at the moment, but I think it speaks for itself and returns a fairly large record, so perhaps someone from AS21928 T-Mobile may be interested. I also found someone with thoughts on directedat.asia and some other suspect domains at http://dnsamplificationattacks.blogspot.nl/2013/06/domain-mydnsscanus.html which may be of interest.
>>
>> As before, details are in the file; distribute as required for mitigation, but no attribution please, and if not necessary please strip the target as well.
>>
>> Thanks
>> Krista
>> 7992
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
