[Intrusions] DDoS update - tomorrow Jan 30 makes this 4 weeks into the attack

Michael Bernstein mb_jobs at yahoo.com
Sun Jan 30 21:24:48 GMT 2005


I don't quite understand. You have a DDoS attack
that's lasting 4 weeks? That's crazy. It's attacking
your external DNS server(s)? And how many hosts? May
want to contact US-CERT.

my 2c


--- David McCall <david at atgi.net> wrote:

> I have no real new information to add so I'll post a
> snippet from 1/6 of the dns query logs and (see
> below):
> 
> 
> 
=== message truncated ===





