[nsp-sec] DNS and SNMP Reflection Attack Hosts

Krista Hickey Krista.Hickey at cogeco.com
Mon Jun 24 13:32:47 EDT 2013


> Now, my question is - are these machines compromised or are they just acting as designed

I'm not sure but either way I'm fairly certain my residential customer did want the traffic be it malicious, accidental or by design :)

I don't have the time at the moment, but from what I can see most of the hosts in the SNMP list were readily vomiting up everything when walked, so it's probably not overly arduous to profile them. But I suspect attackers just scan for responding hosts and compile lists, so my guess is it's not a compromise and more an internal "Do we really need the world to snmpwalk this device?" conversation is necessary.

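One way an operator can spot their own hosts acting as SNMP or DNS reflectors in flow data, written as an added example for this thread and not code from any list member: for each internal host answering from UDP/161 or UDP/53 to the outside, compare response bytes with request bytes and report the peer receiving most of the replies (the likely spoofed victim). The address range, thresholds and flow records are constructed assumptions, not data from the files mentioned in the thread.

```python
from collections import defaultdict
import ipaddress

# Assumption: our customer address space (RFC 5737 documentation range used here).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
REFLECT_PORTS = {53: "dns", 161: "snmp"}

# Constructed flow records: src,sport,dst,dport,bytes (one UDP flow per line).
SAMPLE_FLOWS = """\
src,sport,dst,dport,bytes
198.51.100.7,40001,192.0.2.10,161,70
192.0.2.10,161,198.51.100.7,40001,1400
198.51.100.7,40002,192.0.2.10,161,70
192.0.2.10,161,198.51.100.7,40002,1400
203.0.113.9,5000,192.0.2.10,161,70
192.0.2.10,161,203.0.113.9,5000,1450
203.0.113.44,5353,192.0.2.20,53,60
192.0.2.20,53,203.0.113.44,5353,3000
203.0.113.8,6000,192.0.2.40,53,60
192.0.2.40,53,203.0.113.8,6000,100
192.0.2.30,53,192.0.2.31,4444,120
"""

def parse_flows(text):
    """Parse the CSV above into (src, sport, dst, dport, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        src, sport, dst, dport, nbytes = line.split(",")
        rows.append((ipaddress.ip_address(src), int(sport),
                     ipaddress.ip_address(dst), int(dport), int(nbytes)))
    return rows

def find_reflectors(flows, min_ratio=5.0, min_out_bytes=2000):
    """Return internal hosts whose SNMP/DNS replies to the outside dwarf the requests."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "peers": defaultdict(int)})
    for src, sport, dst, dport, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL and sport in REFLECT_PORTS:
            stats[(src, sport)]["out"] += nbytes          # reply leaving our network
            stats[(src, sport)]["peers"][dst] += nbytes   # who receives the replies
        elif dst in INTERNAL and src not in INTERNAL and dport in REFLECT_PORTS:
            stats[(dst, dport)]["in"] += nbytes           # request arriving from outside
    findings = {}
    for (host, port), s in stats.items():
        if s["out"] < min_out_bytes or s["in"] == 0:
            continue                                      # too little traffic to judge
        ratio = s["out"] / s["in"]                        # amplification factor
        if ratio >= min_ratio:
            victim = max(s["peers"], key=s["peers"].get)
            findings[str(host)] = {"service": REFLECT_PORTS[port],
                                   "amplification": round(ratio, 1),
                                   "top_peer": str(victim)}
    return findings
```

Host 192.0.2.40 answers DNS with small replies and 192.0.2.30 only talks to another internal host, so neither is reported; the two flagged hosts match the printer-style "answer anyone, at length" behaviour discussed above.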

-----Original Message-----
From: Joel L. Rosenblatt [mailto:joel at columbia.edu] 
Sent: Monday, June 24, 2013 12:39 PM
To: Krista Hickey
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DNS and SNMP Reflection Attack Hosts

Update

Of the 55 machines 53 are printers (HP, Dell, Xerox, Lexmark), one is offline now and 2 are V Bricks

Now, my question is - are these machines compromised or are they just acting as designed

Joel


Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Mon, Jun 24, 2013 at 12:13 PM, Joel L. Rosenblatt <joel at columbia.edu> wrote:
> Hi,
>
> I have been looking at the Columbia machines of this list and I notice 
> that most of them are printers
>
> Is anyone else seeing this?
>
> Thanks,
> Joel
>
>
> Joel Rosenblatt, Director Network & Computer Security Columbia 
> Information Security Office (CISO) Columbia University, 612 W 115th 
> Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel 
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
> On Mon, Jun 24, 2013 at 1:25 AM, Krista Hickey <Krista.Hickey at cogeco.com> wrote:
>> ----------- nsp-security Confidential --------
>>
>>
>> [Apologies if this is a duplicate for you]
>>
>> File 622894 contains ~45K DNS resolvers observed attacking a host 
>> June 19, 2013 (peak approx 1.5Gbps)
>>
>> File 3952583 contains ~28K SNMP resolvers observed attacking a 
>> different host June 21, 2013 (peak approx 1Gbps)
>>
>> I was also working on an unrelated DNS reflection attack our hosts were participating in and in addition to usual isc.org queries I observed nukes.directedat.asia queries, I don't have many details on it at the moment but I think it speaks for itself and returns a fairly large record so perhaps someone from AS21928 T-Mobile may be interested, also found someone with thoughts on directedat.asia  and some other suspect domains at http://dnsamplificationattacks.blogspot.nl/2013/06/domain-mydnsscanus.html which may be of interest.
>>
>> As before, details in the file, distribute as required for mitigation but no attribution please and if not necessary please strip target as well.
>>
>> Thanks
>> Krista
>> 7992
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the 
>> nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
