[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2
M Quibell
mquibell at hotmail.com
Wed Jan 28 19:16:08 GMT 2009
Evidence?
> Date: Wed, 28 Jan 2009 10:53:30 -0500
> From: dr.astrom42 at gmail.com
> To: list at lists.sans.org
> CC: roy at Level3.net; handlers-6656916 at sans.org; wcharnock at theplanet.com; handlers at sans.org; radb-admin at qualitytech.com; handlers-6137560 at sans.org; abuse at theplanet.com
> Subject: [Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2
>
> DNS Flood
>
> Current Algorithm; From Jan.19.09 (but beginning on Jan.16.09) I've been
> observing a DNS flood. The flood is in its second phase; Jan.16.09 to
> Jan.24.09 defines the period of the 1st phase, and is marked by a single
> ip providing the attack. Beginning on Dec.27.09, the 2nd phase began,
> with 2 ips providing the attack (and a possible third as a feeler, but a
> block of the 2 ips is successful (at the dns server) and the third never
> activates).
>
> Next, I find that major internet connection providers provide the
> least response to the issue. Rogers (the company that I connect through)
> provided an automated ticket, but nothing more.
>
> [Dec.28.09] Day 9
>
> [1]
> (a)
> Host Name: 62.50.5646.static.theplanet.com
> IP Address: 70.86.80.98
> Country: United States united states
> Country code: US (USA)
> Region: Texas
> City: Houston
> Postal code: 77002
> Calling code: +1
> Longitude: -95.367
> Latitude: 29.7523
>
> (b)
> OrgName: ThePlanet.com Internet Services, Inc.
> OrgID: TPCM
> Address: 315 Capitol
> Address: Suite 205
> City: Houston
> StateProv: TX
> PostalCode: 77002
> Country: US
>
> ReferralServer: rwhois://rwhois.theplanet.com:4321
>
> NetRange: 70.84.0.0 - 70.87.255.255
> CIDR: 70.84.0.0/14
> NetName: NETBLK-THEPLANET-BLK-13
> NetHandle: NET-70-84-0-0-1
> Parent: NET-70-0-0-0-0
> NetType: Direct Allocation
> NameServer: NS1.THEPLANET.COM
> NameServer: NS2.THEPLANET.COM
> Comment:
> RegDate: 2004-07-29
> Updated: 2006-02-17
>
> RTechHandle: PP46-ARIN
> RTechName: Pathos, Peter
> RTechPhone: +1-214-782-7800
> RTechEmail: admins at theplanet.com
>
> OrgAbuseHandle: ABUSE271-ARIN
> OrgAbuseName: The Planet Abuse
> OrgAbusePhone: +1-281-714-3560
> OrgAbuseEmail: abuse at theplanet.com
>
> OrgNOCHandle: THEPL-ARIN
> OrgNOCName: The Planet NOC
> OrgNOCPhone: +1-281-714-3555
> OrgNOCEmail: noc at theplanet.com
>
> OrgTechHandle: TECHN33-ARIN
> OrgTechName: Technical Support
> OrgTechPhone: +1-214-782-7800
> OrgTechEmail: admins at theplanet.com
>
> # ARIN WHOIS database, last updated 2009-01-27 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
>
> Found a referral to rwhois.theplanet.com:4321.
>
> %rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc.
> V-1.5.9.5)
> network:Class-Name:network
> network:ID:THEPLANET-BLK-13
> network:Auth-Area:70.84.0.0/14
> network:Network-Name:TPIS-BLK-70-86-80-0
> network:IP-Network:70.86.80.96/28
> network:IP-Network-Block:70.86.80.96 - 70.86.80.111
> network:Organization-Name:Hostgator
> network:Organization-City:Boca Raton
> network:Organization-State:FL
> network:Organization-Zip:33496
> network:Organization-Country:USA
> network:Description-Usage:customer
> network:Server-Pri:ns1.theplanet.com
> network:Server-Sec:ns2.theplanet.com
> network:Tech-Contact;I:abuse at theplanet.com
> network:Admin-Contact;I:abuse at theplanet.com
> network:Created:20070303
> network:Updated:20070303
>
> %referral rwhois://root.rwhois.net:4321/auth-area=.
> %ok
>
> (c)
> route: 70.86.0.0/16
> descr: ThePlanet.com Internet Services, Inc.
> origin: AS21844
> notify: admins at theplanet.com
> mnt-by: MAINT-AS13884
> changed: wcharnock at theplanet.com 20050324
> source: RADB
>
> [2]
> (a)
> Host Name: ranger.vps.4tvirtual.com
> IP Address: 64.57.246.123
> Country: United States united states
> Country code: US (USA)
> Region: Georgia
> City: Suwanee
> Postal code: 30024
> Calling code: +1
> Longitude: -84.0659
> Latitude: 34.0535
>
> (b)
> Quality Technology Services, LLC. EDEL-QGC-BLK1 (NET-64-57-240-0-1)
> 64.57.240.0 - 64.57.255.255
> 4T Networks EDEL-246-0-23 (NET-64-57-246-0-1)
> 64.57.246.0 - 64.57.247.255
>
> (c)
> route: 64.57.240.0/20
> descr: QTS-SUW1-Routes
> origin: AS20141
> admin-c: QTS-RADB
> tech-c: QTS-RADB
> notify: radb-admin at qualitytech.com
> mnt-by: MAINT-QTS
> changed: ckoch at qualitytech.com 20080604 #21:25:23Z
> source: RADB
>
> route: 64.57.240.0/20
> descr: Proxy-registered route object
> origin: AS20141
> remarks: auto-generated route object
> remarks: this next line gives the robot something to recognize
> remarks: L'enfer, c'est les autres
> remarks:
> remarks: This route object is for a Level 3 customer route
> remarks: which is being exported under this origin AS.
> remarks:
> remarks: This route object was created because no existing
> remarks: route object with the same origin was found, and
> remarks: since some Level 3 peers filter based on these objects
> remarks: this route may be rejected if this object is not created.
> remarks:
> remarks: Please contact routing at Level3.net if you have any
> remarks: questions regarding this object.
> mnt-by: LEVEL3-MNT
> changed: roy at Level3.net 20061218
> source: LEVEL3
> _______________________________________________
> Dshield mailing list
> Dshield at lists.sans.org
> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
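The post above backs its report with raw ARIN, rwhois and RADB records for the two source addresses. The following is an added example, not part of the original post or of any of the tools the poster used, showing how a responder can parse those "Key: value" and "network:Key:value" records, confirm that a reported IP actually falls inside the net block the record describes before filing an abuse report, and pull the abuse contact out of the record. The sample records are constructed here from the values quoted in the post; the function names (`parse_record`, `ip_in_block`, `abuse_contacts`, `triage`) are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample records: field values copied from the ARIN and rwhois
# output quoted in the post, trimmed to the fields the example needs.
ARIN_RECORD = """\
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14
NetName: NETBLK-THEPLANET-BLK-13
OrgAbuseEmail: abuse at theplanet.com
OrgNOCEmail: noc at theplanet.com
# ARIN WHOIS database, last updated 2009-01-27 19:10
"""

RWHOIS_RECORD = """\
%rwhois V-1.5:003eff:00 whois.theplanet.com
network:Class-Name:network
network:ID:THEPLANET-BLK-13
network:IP-Network:70.86.80.96/28
network:IP-Network-Block:70.86.80.96 - 70.86.80.111
network:Organization-Name:Hostgator
network:Tech-Contact;I:abuse at theplanet.com
%ok
"""


def parse_record(text: str) -> Dict[str, str]:
    """Parse ARIN 'Key: value' or rwhois 'network:Key:value' lines into a dict.

    Comment/status lines starting with '#' or '%' and blank lines are skipped.
    An rwhois attribute suffix such as 'Tech-Contact;I' is reduced to 'Tech-Contact'.
    """
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "%")):
            continue
        if line.startswith("network:"):
            line = line[len("network:"):]
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields[key.split(";", 1)[0].strip()] = value.strip()
    return fields


def deobfuscate_email(value: str) -> str:
    """Mailing-list archives rewrite '@' as ' at '; undo that for a usable contact."""
    return value.replace(" at ", "@")


def ip_in_block(ip: str, block: str) -> bool:
    """True if ip lies in block, given either as CIDR or as 'first - last'."""
    addr = ipaddress.ip_address(ip)
    if "-" in block:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in block.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(block, strict=False)


def abuse_contacts(record: Dict[str, str]) -> List[str]:
    """Collect abuse/contact addresses from an ARIN or rwhois record."""
    contacts = set()
    for key, value in record.items():
        if key.endswith("AbuseEmail") or key in ("Tech-Contact", "Admin-Contact"):
            contacts.add(deobfuscate_email(value))
    return sorted(contacts)


def covering_block(record: Dict[str, str]) -> Optional[str]:
    """Prefer the most specific block field present in the record."""
    for key in ("IP-Network", "IP-Network-Block", "CIDR", "NetRange"):
        if key in record:
            return record[key]
    return None


def triage(ip: str, records: List[Dict[str, str]]) -> Tuple[Optional[str], List[str]]:
    """Return (block, contacts) from the first record whose block covers ip.

    Pass the most specific record (rwhois customer block) before the parent
    allocation so the report goes to the right delegation.
    """
    for rec in records:
        block = covering_block(rec)
        if block and ip_in_block(ip, block):
            return block, abuse_contacts(rec)
    return None, []


if __name__ == "__main__":
    records = [parse_record(RWHOIS_RECORD), parse_record(ARIN_RECORD)]
    for reported in ("70.86.80.98", "64.57.246.123"):
        print(reported, triage(reported, records))
```

Running it shows 70.86.80.98 resolved to the /28 customer block with its abuse contact, while 64.57.246.123 returns no match against these two records, which is the check a responder wants before mailing a report to the wrong network.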