[nsp-sec] DNS and SNMP Reflection Attack Hosts
Serge Droz
serge.droz at switch.ch
Tue Jun 25 03:19:44 EDT 2013
Ack ASNs: 9044, 8758, 8237, 8220, 6830, 6772, 6730, 559, 51852, 50837,
49457, 48971, 44038, 42346, 41872, 41715, 41549, 39544, 39440, 35518,
35223, 35097, 34781, 34578, 33965, 31736, 31662, 31424, 31124, 29691,
29551, 29245, 29201, 28749, 25375, 21466, 21232, 21040, 20914, 20634,
1836, 16221, 15716, 15623, 15600, 15576, 15547, 15517, 13030, 12620,
12350, 12333
Cheers
Serge
On 24.6.13 07:25, Krista Hickey wrote:
> ----------- nsp-security Confidential --------
>
> [Apologies if this is a duplicate for you]
>
> File 622894 contains ~45K DNS resolvers observed attacking a host June 19, 2013 (peak approx 1.5Gbps)
>
> File 3952583 contains ~28K SNMP resolvers observed attacking a different host June 21, 2013 (peak approx 1Gbps)
>
> I was also working on an unrelated DNS reflection attack our hosts were participating in, and in addition to the usual isc.org queries I observed nukes.directedat.asia queries. I don't have many details on it at the moment, but I think it speaks for itself and returns a fairly large record, so perhaps someone from AS21928 T-Mobile may be interested. I also found someone with thoughts on directedat.asia and some other suspect domains at http://dnsamplificationattacks.blogspot.nl/2013/06/domain-mydnsscanus.html, which may be of interest.
>
> As before, details in the file; distribute as required for mitigation, but no attribution please, and if not necessary please strip target as well.
>
> Thanks
> Krista
> 7992
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
--
SWITCH
-----------------------
Dr. Serge Droz, Team Leader Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
Security-News: http://securityblog.switch.ch