[nsp-sec] 118K Resolvers used in 10Gbps attack

Krista Hickey Krista.Hickey at cogeco.com
Thu Oct 10 12:38:58 EDT 2013 

[Apologies if this is a duplicate and note that I've also sent this to our Canadian CERT for notification so you may get some duplicates from them as well]

Hi All

Been a while since i've spammed y'all but we got hit with a ~10Gbps DNS amplification attack yesterday that utilized 118K resolvers. This was aimed at a Tibia game server (http://en.wikipedia.org/wiki/Tibia_(video_game)<http://en.wikipedia.org/wiki/Tibia_%28video_game%29>) a customer of ours was independently running, while likely not directly related to our customer attack the main Tibia server (hosted in Germany?) seems to be aware of these types of attacks and eludes to invoking the security/LE cabals to investigate this but it's not clear of the date of the following post so not sure if there's anything of interest but in case it sparks any memories for anyone see http://forum.tibia.com/forum/?action=announcement&announcementid=25

At any rate, please attempt to trace this attack if you can given a 10Gbps attack is nothing to sneeze at so be nice to track this one down. Otherwise share as required for mitigation and no attribution, timestamps and /24 of target are included but if you need more specific info or have questions please let me know. Also note that I'm working with some folks to try and automate some of these reports so I can stop spamming here but in the interim I thought this sizable attack was worthy to send out.

Regards
Krista

Ps - Someone sent me the following forum post from earlier this year that supposedly lists the 'Top 10 Booters' so perhaps someone might have some time to dig into the domains and services as some stated 'So Powerful...Up for 2 years...Best Price....Great Support' etc etc so be nice if we can maybe impact a few of these Top 10 reviews :)

hxxp://www.safeskyhacks.com/Forums/showthread.php?39-Top-10-DDoser-s-(Booters-Stressers)&ckattempt=1<http://www.safeskyhacks.com/Forums/showthread.php?39-Top-10-DDoser-s-%28Booters-Stressers%29&ckattempt=1>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 649438
Type: application/octet-stream
Size: 13468465 bytes
Desc: 649438
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20131010/fa952391/attachment-0001.obj>

More information about the nsp-security mailing list