[nsp-sec] 12-15 Gbps DNS Amplification attack against 31.222.133.87/32 (heads up AS174)
Mike Tancsa
mike at sentex.net
Mon May 13 13:44:19 EDT 2013
On 4/30/2013 10:14 AM, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
>
> On 4/30/2013 9:40 AM, Tom Sands wrote:
>> ----------- nsp-security Confidential --------
>>
>> Just an update on this for more detail.
>>
>> The captures that have been done so far indicated the following.
>>
>> The source of the DNS queries are being spoofed as 31.222.133.87/32 (of
>> course)
>> Both the src and dst ports are 53 (rather than high source)
>> All captures done so far show each target (amplifier) getting the same
>> DNS query ID (not incrementing)
>> All captures done so far show the domain being looked up as Arin.net
>
> Hi,
> I am seeing the queries as the crowd favorite, ripe.net. All the cruft
> I was getting was via my cogent peer at 151 Front St. in Toronto. pcap
> available at http://www.tancsa.com/31.222.133.87.zip
> passwd is AS11647addrs@
FYI, I am still seeing this coming in via Cogent in Toronto. The two
targets in my network have been closed for a bit now. I was surprised to
see the ACL still being hit after all this time.
13:40:28.006065 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.008872 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.011119 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.034790 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.037228 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.043692 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.051276 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.114723 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.124309 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.125120 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.153879 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.159466 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.163902 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.210562 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.212936 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.232685 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.233120 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.272181 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.272376 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.297790 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.305053 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.341623 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.343109 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.346111 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.383174 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.389298 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.419085 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.456035 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.459783 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.469420 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.494176 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.501176 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.508169 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.529647 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.565188 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.566199 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.580919 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.616390 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.620223 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.629404 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.632629 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.667254 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.691575 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.691757 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.726211 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.758365 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.783248 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.812753 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.841509 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.848754 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.861707 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.894027 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.921221 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.935347 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.970930 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.997359 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
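The thread above lists the fingerprint of this reflection traffic: the victim's address as the spoofed source, source port and destination port both 53, a DNS query ID that never increments, an additional record (the EDNS0 OPT that makes a large ANY answer possible) and the same ANY query for one name sent to many resolvers. The following detector is an added example, not code from the post or from the nsp-security list: it parses `tcpdump -n` query lines in the format Mike pasted, groups them by spoofed source and query, and reports a source as a reflection victim when several of those indicators line up. The sample lines are constructed for the example (the first four mirror the capture above, the last two are benign recursive lookups from 192.0.2.10 added for contrast); the `min_packets` threshold, the three-indicator cutoff and the `bpf_for_victim` helper are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -n format: four lines mirror the capture in the
# post, two are benign recursive queries from a documentation address (RFC 5737).
SAMPLE = """\
13:40:28.006065 IP 31.222.133.87.53 > 67.43.142.67.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.034790 IP 31.222.133.87.53 > 64.7.156.74.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.037228 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:28.043692 IP 31.222.133.87.53 > 64.7.147.71.53: 952+ [1au] ANY? ripe.net. (38)
13:40:29.100000 IP 192.0.2.10.51234 > 67.43.142.67.53: 41871+ A? www.example.com. (33)
13:40:29.200000 IP 192.0.2.10.51235 > 67.43.142.67.53: 41872+ AAAA? www.example.com. (33)
"""

# One tcpdump DNS query line: timestamp, src.port > dst.port, query id with flag
# characters, optional [Nau] additional-record count, qtype, qname, UDP length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)(?P<flags>[+%$|-]*) (?:\[(?P<arcount>\d+)au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_tcpdump(text):
    """Turn tcpdump -n DNS query lines into dicts; lines in another shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": d["ts"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "qid": int(d["qid"]),
            "additional": int(d["arcount"]) if d["arcount"] else 0,
            "qtype": d["qtype"], "qname": d["qname"],
            "length": int(d["len"]),
        })
    return records


def find_spoofed_victims(records, min_packets=3):
    """Group queries by (src, qname, qtype) and flag groups that carry the
    signatures described in the thread. A group needs at least three of the
    five indicators (example threshold) to be reported."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["qname"], r["qtype"])].append(r)

    verdicts = {}
    for (src, qname, qtype), pkts in groups.items():
        if len(pkts) < min_packets:
            continue
        indicators = []
        # Ordinary stub/recursive clients use a high ephemeral source port.
        if all(p["sport"] == 53 and p["dport"] == 53 for p in pkts):
            indicators.append("sport=dport=53")
        if qtype == "ANY":
            indicators.append("qtype=ANY")
        # An additional record on a tiny query is the EDNS0 OPT that requests big replies.
        if all(p["additional"] >= 1 for p in pkts):
            indicators.append("additional-record (EDNS0-sized request)")
        qids = {p["qid"] for p in pkts}
        if len(qids) == 1:
            indicators.append("constant-qid=%d" % next(iter(qids)))
        reflectors = {p["dst"] for p in pkts}
        if len(reflectors) >= 2:
            indicators.append("reflectors=%d" % len(reflectors))
        if len(indicators) >= 3:
            verdicts[src] = {
                "qname": qname, "qtype": qtype, "packets": len(pkts),
                "reflectors": sorted(reflectors), "indicators": indicators,
            }
    return verdicts


def bpf_for_victim(src):
    """BPF expression to keep watching for the spoofed stream at the border
    (the same match an ACL on the edge router would use)."""
    return "udp and src host %s and src port 53 and dst port 53" % src


if __name__ == "__main__":
    for victim, info in find_spoofed_victims(parse_tcpdump(SAMPLE)).items():
        print(victim, info["qtype"], info["qname"], "via", len(info["reflectors"]), "reflectors")
        print("  indicators:", ", ".join(info["indicators"]))
        print("  watch with: tcpdump -n '%s'" % bpf_for_victim(victim))
```

Run it against a live `tcpdump -n udp port 53` stream to find which addresses in your own space are being used as reflectors; the reflector list is what you hand to the resolver owners, and the returned BPF expression is the same five-tuple match that Mike's still-hit ACL describes.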