[nsp-sec] DNS Amp attack target: 147.102.82.140
Jason Chambers
jchambers at ucla.edu
Sat Nov 2 20:48:50 EDT 2013
Hello all.
Something to look at if anyone's interested.
R's,
--Jason
There is an active DNS DoS attack against the National Technical
University of Athens, Greece (NTUA). From our perspective the attack
started at 2013/10/30 21:40:33 GMT.
Can NTUA comment on the size of the attack they are seeing? The
traffic we see suggests a single source is generating the queries. What
do others see?
It might be related to recent activity regarding "Golden Dawn" in
Greece. Maybe other national assets are being packeted too? Or maybe
it's just an angry gamer.
http://voiceofrussia.com/news/2013_09_22/Hackers-attack-website-of-Greek-police-0451/
Yesterday the attack was using "hizbullah.me"; today it is using
"1x1.cz". The set of open resolvers used also changed, maybe in step
with the DNS RR.
The TTL is static at 236 for the current set of resolvers.
The source ports are randomized. It looks like the number of queries is
set for 15 before switching source ports.
count | source_port | open resolver
-------------------------------------
   15 |       45612 | 128.97.x.x
   15 |       53796 | 128.97.x.x
   15 |       12483 | 128.97.t.t
   15 |         918 | 128.97.t.t
   15 |       60763 | 128.97.c.c
   15 |       63404 | 128.97.t.t
   15 |       20008 | 128.97.c.c
   15 |       13222 | 128.97.t.t
   15 |        7152 | 128.97.x.x
   15 |       23735 | 128.97.x.x
    7 |       37832 | 128.97.c.c
   15 |       14094 | 128.97.x.x
   15 |       24011 | 128.97.c.c
   15 |       61128 | 128.97.c.c
   15 |       22230 | 128.97.x.x
   15 |        7876 | 128.97.c.c
   15 |        5386 | 128.97.c.c
   28 |         204 | 128.97.x.x
    9 |       21133 | 128.97.t.t
   15 |       20005 | 128.97.c.c
   15 |       42316 | 128.97.t.t
   14 |       37994 | 128.97.x.x
   15 |       15136 | 128.97.t.t
   15 |       50775 | 128.97.c.c
   15 |       42896 | 128.97.t.t
   15 |       12397 | 128.97.x.x
   15 |        7597 | 128.97.x.x
   15 |       13183 | 128.97.c.c
    3 |       37087 | 128.97.c.c
   15 |       48238 | 128.97.c.c
   15 |       13959 | 128.97.t.t
    8 |       42659 | 128.97.t.t
   15 |       44515 | 128.97.x.x
   15 |       13027 | 128.97.x.x
   15 |       46727 | 128.97.t.t
   15 |       36047 | 128.97.t.t
   15 |       62950 | 128.97.c.c
   15 |       42326 | 128.97.x.x
   15 |       58136 | 128.97.c.c
    8 |       11918 | 128.97.x.x
   15 |       52949 | 128.97.c.c
   15 |       19329 | 128.97.c.c
   15 |       25989 | 128.97.c.c
00:16:58.453999081 IP (tos 0x0, ttl 236, id 48746, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.18456 > 128.97.x.x.53: [no cksum] 41958+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:16:58.454009081 IP (tos 0x0, ttl 236, id 48747, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.18456 > 128.97.x.x.53: [no cksum] 41958+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:16:58.454012081 IP (tos 0x0, ttl 236, id 48748, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.18456 > 128.97.x.x.53: [no cksum] 41958+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:16:58.454014081 IP (tos 0x0, ttl 236, id 48749, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.18456 > 128.97.x.x.53: [no cksum] 41958+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:11.776581081 IP (tos 0x0, ttl 236, id 48808, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.25749 > 128.97.x.x.53: [no cksum] 26355+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:11.776594081 IP (tos 0x0, ttl 236, id 48809, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.25749 > 128.97.x.x.53: [no cksum] 26355+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:17.014507081 IP (tos 0x0, ttl 236, id 60174, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.65301 > 128.97.y.y.53: [no cksum] 13411+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:17.014522081 IP (tos 0x0, ttl 236, id 60175, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.65301 > 128.97.y.y.53: [no cksum] 13411+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:17.014532081 IP (tos 0x0, ttl 236, id 60176, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.65301 > 128.97.y.y.53: [no cksum] 13411+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
% Information related to '147.102.0.0 - 147.102.255.255'
inetnum: 147.102.0.0 - 147.102.255.255
netname: NTUA
descr: National Technical University of Athens
country: GR
admin-c: NN4-RIPE
tech-c: NN4-RIPE
mnt-by: NTUA-NOC
status: EARLY-REGISTRATION
source: RIPE # Filtered
role: NTUA NOC
address: Network Operation Center - NOC
address: National Technical University Of Athens - NTUA
address: GR 15780, ZOGRAFOU
address: ATHENS, GREECE
phone: +30210-772-1861
fax-no: +30210-772-1866
remarks: --------------------------------------
remarks: For complains about abuse, spam etc:
abuse-mailbox: abuse at ntua.gr
remarks: --------------------------------------
admin-c: ES3129-RIPE
admin-c: RL248-RIPE
tech-c: DK24-RIPE
tech-c: DM447-RIPE
tech-c: SP2152-RIPE
tech-c: AD9501-RIPE
nic-hdl: NN4-RIPE
mnt-by: NTUA-NOC
source: RIPE # Filtered
% Information related to '147.102.0.0/16AS3323'
route: 147.102.0.0/16
descr: National Technical University of Athens
origin: AS3323
mnt-by: NTUA-NOC
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.69 (WHOIS3)
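As an added illustration (not part of Jason's post or any NTUA/UCLA tooling), the following Python detector parses tcpdump -v output of the shape quoted above and flags sources that show the pattern he describes: every packet an ANY query carrying a large EDNS buffer, a single static TTL, and one transaction ID reused for the whole burst from each source port. The sample capture is constructed in the unwrapped two-line tcpdump layout, with documentation-range resolver and client addresses; the 4096-byte EDNS threshold and the three-packet minimum are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in tcpdump -v style, modelled on the capture quoted in the post;
# resolver and benign-client addresses are documentation-range placeholders.
SAMPLE = """\
00:16:58.453999 IP (tos 0x0, ttl 236, id 48746, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.18456 > 192.0.2.10.53: [no cksum] 41958+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:16:58.454009 IP (tos 0x0, ttl 236, id 48747, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.18456 > 192.0.2.10.53: [no cksum] 41958+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:11.776581 IP (tos 0x0, ttl 236, id 48808, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.25749 > 192.0.2.10.53: [no cksum] 26355+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:17.014507 IP (tos 0x0, ttl 236, id 60174, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.65301 > 192.0.2.20.53: [no cksum] 13411+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:17.014522 IP (tos 0x0, ttl 236, id 60175, offset 0, flags [none], proto UDP (17), length 63)
    147.102.82.140.65301 > 192.0.2.20.53: [no cksum] 13411+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=9000 (35)
00:17:20.000001 IP (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto UDP (17), length 61)
    198.51.100.7.53211 > 192.0.2.10.53: [udp sum ok] 4242+ A? www.example.com. (33)
"""
HDR = re.compile(r"^\S+ IP \(tos \S+, ttl (\d+), id \d+,.*length \d+\)")
QRY = re.compile(r"^\s*(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.\d+: .*?(\d+)\+ "
                 r"(?:\[1au\] )?(\w+)\? (\S+)(?:.*?UDPsize=(\d+))?")

def parse_capture(text):
    """Pair each tcpdump -v header line with the DNS line below it; one dict per packet."""
    packets, lines = [], [ln for ln in text.splitlines() if ln.strip()]
    for h, q in zip(map(HDR.match, lines[0::2]), map(QRY.match, lines[1::2])):
        if h and q:
            packets.append({"ttl": int(h[1]), "src": q[1], "sport": int(q[2]), "dst": q[3],
                            "qid": int(q[4]), "qtype": q[5], "qname": q[6],
                            "udpsize": int(q[7]) if q[7] else 0})  # 0 = no EDNS OPT record
    return packets

def summarize(packets):
    """Per source address: packet count, source ports, resolvers hit, TTLs, transaction IDs per port."""
    stats = defaultdict(lambda: {"packets": 0, "any_big_edns": 0, "ports": set(),
                                 "resolvers": set(), "ttls": set(), "qids": defaultdict(set)})
    for p in packets:
        s = stats[p["src"]]
        s["packets"] += 1
        s["any_big_edns"] += p["qtype"] == "ANY" and p["udpsize"] >= 4096  # assumed threshold
        s["ports"].add(p["sport"]); s["resolvers"].add(p["dst"]); s["ttls"].add(p["ttl"])
        s["qids"][p["sport"]].add(p["qid"])
    return stats

def amplification_suspects(stats, min_packets=3):
    """Sources matching the pattern in the post: only ANY + large EDNS, one static TTL,
    and a single transaction ID reused for the whole burst from each source port."""
    return [src for src, s in stats.items()
            if s["packets"] >= min_packets and s["any_big_edns"] == s["packets"]
            and len(s["ttls"]) == 1 and all(len(ids) == 1 for ids in s["qids"].values())]
```

Feed it `tcpdump -vn 'udp dst port 53'` output from a resolver's edge and the flagged source is the address being spoofed, i.e. the victim to notify rather than the attacker.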