[Intrusions] DDoS - mpecllc.com - dns to web hits
Smith, Donald
Donald.Smith at qwest.com
Tue Jan 25 16:06:12 GMT 2005
The infected PCs are most likely using local/ISP-provided DNS recursive
servers to do their lookups.
So MUCH of what you see in the DNS will be DNS servers, not the bots
themselves.
You will probably also see some external IPs from NAT systems. Where a
company/school ... has a proxy or NAT box, attacks and NSLOOKUPs may
appear to come from the device performing the NAT.
Donald.Smith at qwest.com GCIA
design_in_security @ the beginning &
ease_of_use != A*(1/Data_Security)
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of David McCall
> Sent: Monday, January 24, 2005 8:15 AM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] DDoS - mpecllc.com - dns to web hits
>
>
> This morning I decided to look at what IPs were hitting our
> DNS servers
> and whether or not they were already on the untrusted list.
> The snapshot
> from 1/6 of our dns server pool was for about 1 hour between
> 6am and 7am PST.
>
> Thus far the untrusted IP table is 47,853 IPs (being blocked
> from the web server by SQUID).
>
> During the hour test on 1/6 of our dns servers there were 697
> queries for the domain mpecllc.com
>
> Out of those queries there were only 68 pre-existing entries
> in the untrusted IP table.
>
> ./checkdns | wc -l
> 68
> tmp/mpecllc.com # wc -l dnsHits
> 697 dnsHits
> tmp/mpecllc.com # wc -l untrusted
> 47853 untrusted
>
> I suppose I'm trying to make some meaning out of all the data
> that might be important to
> this event.
>
> If anyone has any other stats they would like me to collect
> on this let me know.
>
> David C.McCall
> UNIX Administrator
> ===================
> EschelonTelecom
> admin at atgi.net
> david at atgi.net
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
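The correlation David describes (DNS query sources for one domain checked against an untrusted-IP table) and the caveat Donald raises (most of those sources are recursive resolvers or NAT egress points, not the bots) can be combined into one small analysis. The script below is an added example, not code from either poster or from the Intrusions list. It assumes BIND-style query log lines, and the log lines, the untrusted list and the "known resolver" range it uses are all constructed for the example, not taken from the thread.

```python
"""Correlate DNS query sources for a domain with an untrusted-IP list,
then tag each source as untrusted, likely recursive resolver, or other.

All data below is constructed for illustration (RFC 5737 test ranges).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed BIND-style query log excerpt (hypothetical, not from the thread).
QUERY_LOG = """\
25-Jan-2005 06:01:02.111 client 192.0.2.10#53211: query: mpecllc.com IN A +
25-Jan-2005 06:01:03.222 client 198.51.100.7#3412: query: www.mpecllc.com IN A +
25-Jan-2005 06:01:04.333 client 192.0.2.10#53212: query: mpecllc.com IN A +
25-Jan-2005 06:01:05.444 client 203.0.113.55#1025: query: mpecllc.com IN A +
25-Jan-2005 06:01:06.555 client 198.51.100.9#2000: query: example.net IN MX +
25-Jan-2005 06:01:07.666 client 203.0.113.56#1026: query: MPECLLC.COM. IN A +
"""

# Constructed stand-in for the "untrusted" table the poster feeds to SQUID.
UNTRUSTED = {"203.0.113.55", "192.0.2.99"}

# Constructed stand-in for ISP/local recursive resolver ranges the operator knows about.
RESOLVER_NETS = [ip_network("192.0.2.0/28")]

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (client_ip, normalised_qname) for every query line in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower()


def sources_for_domain(log_text, domain):
    """Return {client_ip: query_count} for clients that asked about domain or a subdomain."""
    domain = domain.lower().rstrip(".")
    counts = {}
    for ip, qname in parse_queries(log_text):
        if qname == domain or qname.endswith("." + domain):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def classify(counts, untrusted, resolver_nets):
    """Split query sources into three buckets.

    'untrusted' = already in the block table (the 68-of-697 overlap in the thread),
    'resolver'  = inside a known recursive resolver range, so the bots behind it are hidden,
    'other'     = candidates worth a closer look (stub resolvers, NAT egress, or unknown).
    """
    result = {"untrusted": {}, "resolver": {}, "other": {}}
    for ip, n in counts.items():
        addr = ip_address(ip)
        if ip in untrusted:
            result["untrusted"][ip] = n
        elif any(addr in net for net in resolver_nets):
            result["resolver"][ip] = n
        else:
            result["other"][ip] = n
    return result


def summarize(log_text, domain, untrusted, resolver_nets):
    """Return the headline numbers the thread reports: total queries, distinct
    sources, and how many distinct sources were already untrusted."""
    counts = sources_for_domain(log_text, domain)
    buckets = classify(counts, untrusted, resolver_nets)
    return {
        "queries": sum(counts.values()),
        "sources": len(counts),
        "already_untrusted": len(buckets["untrusted"]),
        "via_known_resolver": len(buckets["resolver"]),
        "other": len(buckets["other"]),
    }


if __name__ == "__main__":
    stats = summarize(QUERY_LOG, "mpecllc.com", UNTRUSTED, RESOLVER_NETS)
    for k, v in stats.items():
        print(f"{k:>20}: {v}")
```

The point of the `resolver` bucket is the one Donald makes: a low overlap between DNS sources and the untrusted table does not mean the bots are new, it often means the lookups are arriving via shared resolvers, so blocking those source IPs at SQUID would hit the resolver's other users rather than the bots.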