[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

Dr. Daniel Carras dr.astrom42 at gmail.com
Wed Jan 28 15:53:30 GMT 2009


DNS Flood

Current Algorithm: From Jan.19.09 (but beginning on Jan.16.09) I've been 
observing a DNS flood. The flood is in its second phase; Jan.16.09 to 
Jan.24.09 defines the period of the 1st phase, and is marked by a single 
IP providing the attack. Beginning on Dec.27.09, the 2nd phase began, 
with 2 IPs providing the attack (and a possible third as a feeler, but a 
block of the 2 IPs is successful (at the DNS server) and the third never 
activates).

Next, I find that major internet connection providers provide the 
least response to the issue. Rogers (the company that I connect through) 
provided an automated ticket, but nothing more.

[Dec.28.09] Day 9

[1]
(a)
Host Name:      62.50.5646.static.theplanet.com
IP Address:     70.86.80.98
Country:     United States
Country code:     US (USA)
Region:     Texas
City:     Houston
Postal code:     77002
Calling code:     +1
Longitude:     -95.367
Latitude:     29.7523

(b)
OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    315 Capitol
Address:    Suite 205
City:       Houston
StateProv:  TX
PostalCode: 77002
Country:    US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange:   70.84.0.0 - 70.87.255.255
CIDR:       70.84.0.0/14
NetName:    NETBLK-THEPLANET-BLK-13
NetHandle:  NET-70-84-0-0-1
Parent:     NET-70-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate:    2004-07-29
Updated:    2006-02-17

RTechHandle: PP46-ARIN
RTechName:   Pathos, Peter
RTechPhone:  +1-214-782-7800
RTechEmail:  admins at theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   The Planet Abuse
OrgAbusePhone:  +1-281-714-3560
OrgAbuseEmail:  abuse at theplanet.com

OrgNOCHandle: THEPL-ARIN
OrgNOCName:   The Planet NOC
OrgNOCPhone:  +1-281-714-3555
OrgNOCEmail:  noc at theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName:   Technical Support
OrgTechPhone:  +1-214-782-7800
OrgTechEmail:  admins at theplanet.com

# ARIN WHOIS database, last updated 2009-01-27 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Found a referral to rwhois.theplanet.com:4321.

%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. 
V-1.5.9.5)
network:Class-Name:network
network:ID:THEPLANET-BLK-13
network:Auth-Area:70.84.0.0/14
network:Network-Name:TPIS-BLK-70-86-80-0
network:IP-Network:70.86.80.96/28
network:IP-Network-Block:70.86.80.96 - 70.86.80.111
network:Organization-Name:Hostgator
network:Organization-City:Boca Raton
network:Organization-State:FL
network:Organization-Zip:33496
network:Organization-Country:USA
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse at theplanet.com
network:Admin-Contact;I:abuse at theplanet.com
network:Created:20070303
network:Updated:20070303

%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok

(c)
route: 70.86.0.0/16
descr: ThePlanet.com Internet Services, Inc.
origin: AS21844
notify: admins at theplanet.com
mnt-by: MAINT-AS13884
changed: wcharnock at theplanet.com 20050324
source: RADB

[2]
(a)
Host Name:      ranger.vps.4tvirtual.com
IP Address:     64.57.246.123
Country:     United States
Country code:     US (USA)
Region:     Georgia
City:     Suwanee
Postal code:     30024
Calling code:     +1
Longitude:     -84.0659
Latitude:     34.0535

(b)
Quality Technology Services, LLC. EDEL-QGC-BLK1 (NET-64-57-240-0-1)
                                  64.57.240.0 - 64.57.255.255
4T Networks EDEL-246-0-23 (NET-64-57-246-0-1)
                                  64.57.246.0 - 64.57.247.255

(c)
route: 64.57.240.0/20
descr: QTS-SUW1-Routes
origin: AS20141
admin-c: QTS-RADB
tech-c: QTS-RADB
notify: radb-admin at qualitytech.com
mnt-by: MAINT-QTS
changed: ckoch at qualitytech.com 20080604 #21:25:23Z
source: RADB

route: 64.57.240.0/20
descr: Proxy-registered route object
origin: AS20141
remarks: auto-generated route object
remarks: this next line gives the robot something to recognize
remarks: L'enfer, c'est les autres
remarks:
remarks: This route object is for a Level 3 customer route
remarks: which is being exported under this origin AS.
remarks:
remarks: This route object was created because no existing
remarks: route object with the same origin was found, and
remarks: since some Level 3 peers filter based on these objects
remarks: this route may be rejected if this object is not created.
remarks:
remarks: Please contact routing at Level3.net if you have any
remarks: questions regarding this object.
mnt-by: LEVEL3-MNT
changed: roy at Level3.net 20061218
source: LEVEL3

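The post identifies the attacking sources by watching query volume per source at the DNS server and then blocking them there. The script below is an added example (not the poster's code or data) of that triage: it parses BIND 9 query-log lines in the commonly documented `client A.B.C.D#port: query: name IN type` format (assumed), buckets queries per source into fixed windows, flags sources above an assumed queries-per-second threshold, reports when each flagged source first appears (the "one source, then a second one" progression described above), and emits iptables rules to drop UDP/53 from them. The log lines are constructed with RFC 5737 documentation addresses, not the IPs named in the post.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 query-log line, e.g.
# 28-Jan-2009 15:53:30.123 client 192.0.2.50#53211: query: www.example.com IN A + (192.0.2.1)
LINE_RE = re.compile(
    r"^\d{2}-\w{3}-\d{4} (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\.\d+ "
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (seconds_of_day, source_ip, qname, qtype), or None for a non-query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
    return secs, m["src"], m["qname"], m["qtype"]


def window_label(secs):
    return "%02d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60)


def rate_by_window(lines, window_s=5):
    """Map each window start (HH:MM:SS, single day assumed) to a Counter of queries per source."""
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # non-query log lines are skipped
        secs, src, _, _ = rec
        windows[window_label(secs // window_s * window_s)][src] += 1
    return windows


def flag_sources(windows, window_s=5, qps_threshold=20.0):
    """Peak queries/second per source, for sources exceeding the threshold in any window.
    The threshold is an assumption; tune it to the server's normal per-client rate."""
    peak = {}
    for counts in windows.values():
        for src, n in counts.items():
            qps = n / window_s
            if qps > qps_threshold:
                peak[src] = max(qps, peak.get(src, 0.0))
    return peak


def activation_timeline(windows, flagged):
    """(window, source) pairs ordered by when each flagged source first appears."""
    first = {}
    for label in sorted(windows):
        for src in windows[label]:
            if src in flagged and src not in first:
                first[src] = label
    return sorted((label, src) for src, label in first.items())


def block_rules(flagged):
    """iptables rules dropping UDP/53 from each flagged source on the DNS host."""
    return ["iptables -I INPUT -s %s -p udp --dport 53 -j DROP" % s for s in sorted(flagged)]


def constructed_log():
    """Constructed sample: one flooder for 10 s, a second joining at +5 s, one normal client."""
    fmt = "28-Jan-2009 15:53:%02d.000 client %s#%d: query: %s IN A + (192.0.2.1)"
    lines = []
    for sec in range(10):
        lines.append(fmt % (sec, "192.0.2.50", 51000 + sec, "www.example.com"))
        for i in range(80):  # 80 queries per second per flooder
            lines.append(fmt % (sec, "198.51.100.7", 40000 + i, "target.example.net"))
            if sec >= 5:
                lines.append(fmt % (sec, "203.0.113.9", 42000 + i, "target.example.net"))
    lines.append("28-Jan-2009 15:53:10.000 general: info: zone example.com loaded")  # ignored
    return lines


if __name__ == "__main__":
    w = rate_by_window(constructed_log())
    flagged = flag_sources(w)
    for label, src in activation_timeline(w, flagged):
        print("%s first seen at %s, peak %.1f qps" % (src, label, flagged[src]))
    print("\n".join(block_rules(flagged)))
```

On the constructed input the normal client stays at 1 qps and is never flagged, while both flooders peak at 80 qps, with the second one first appearing one window after the first. Dropping at the host firewall is the quick fix the post describes; a longer-term control is BIND's `rate-limit` (response rate limiting) or an upstream ACL, since a spoofed-source flood cannot be attributed by address at all.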
