[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

M Quibell mquibell at hotmail.com
Wed Jan 28 19:16:08 GMT 2009


Evidence?

> Date: Wed, 28 Jan 2009 10:53:30 -0500
> From: dr.astrom42 at gmail.com
> To: list at lists.sans.org
> CC: roy at Level3.net; handlers-6656916 at sans.org; wcharnock at theplanet.com; handlers at sans.org; radb-admin at qualitytech.com; handlers-6137560 at sans.org; abuse at theplanet.com
> Subject: [Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2
> 
> DNS Flood
> 
> Current Algorithm: From Jan.19.09 (but beginning on Jan.16.09) I've been 
> observing a DNS flood. The flood is in its second phase; Jan.16.09 to 
> Jan.24.09 defines the period of the 1st phase, and is marked by a single 
> ip providing the attack. Beginning on Dec.27.09, the 2nd phase began, 
> with 2 ips providing the attack (and a possible third as a feeler, but a 
> block of the 2 ips is successful (at the dns server) and the third never 
> activates).
> 
> Next, I find that major internet connection providers provide the 
> least response to the issue. Rogers (the company that I connect through) 
> provided an automated ticket, but nothing more.
> 
> [Dec.28.09] Day 9
> 
> [1]
> (a)
> Host Name:      62.50.5646.static.theplanet.com
> IP Address:     70.86.80.98
> Country:     United States united states
> Country code:     US (USA)
> Region:     Texas
> City:     Houston
> Postal code:     77002
> Calling code:     +1
> Longitude:     -95.367
> Latitude:     29.7523
> 
> (b)
> OrgName:    ThePlanet.com Internet Services, Inc.
> OrgID:      TPCM
> Address:    315 Capitol
> Address:    Suite 205
> City:       Houston
> StateProv:  TX
> PostalCode: 77002
> Country:    US
> 
> ReferralServer: rwhois://rwhois.theplanet.com:4321
> 
> NetRange:   70.84.0.0 - 70.87.255.255
> CIDR:       70.84.0.0/14
> NetName:    NETBLK-THEPLANET-BLK-13
> NetHandle:  NET-70-84-0-0-1
> Parent:     NET-70-0-0-0-0
> NetType:    Direct Allocation
> NameServer: NS1.THEPLANET.COM
> NameServer: NS2.THEPLANET.COM
> Comment:
> RegDate:    2004-07-29
> Updated:    2006-02-17
> 
> RTechHandle: PP46-ARIN
> RTechName:   Pathos, Peter
> RTechPhone:  +1-214-782-7800
> RTechEmail:  admins at theplanet.com
> 
> OrgAbuseHandle: ABUSE271-ARIN
> OrgAbuseName:   The Planet Abuse
> OrgAbusePhone:  +1-281-714-3560
> OrgAbuseEmail:  abuse at theplanet.com
> 
> OrgNOCHandle: THEPL-ARIN
> OrgNOCName:   The Planet NOC
> OrgNOCPhone:  +1-281-714-3555
> OrgNOCEmail:  noc at theplanet.com
> 
> OrgTechHandle: TECHN33-ARIN
> OrgTechName:   Technical Support
> OrgTechPhone:  +1-214-782-7800
> OrgTechEmail:  admins at theplanet.com
> 
> # ARIN WHOIS database, last updated 2009-01-27 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
> 
> 
> Found a referral to rwhois.theplanet.com:4321.
> 
> %rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. 
> V-1.5.9.5)
> network:Class-Name:network
> network:ID:THEPLANET-BLK-13
> network:Auth-Area:70.84.0.0/14
> network:Network-Name:TPIS-BLK-70-86-80-0
> network:IP-Network:70.86.80.96/28
> network:IP-Network-Block:70.86.80.96 - 70.86.80.111
> network:Organization-Name:Hostgator
> network:Organization-City:Boca Raton
> network:Organization-State:FL
> network:Organization-Zip:33496
> network:Organization-Country:USA
> network:Description-Usage:customer
> network:Server-Pri:ns1.theplanet.com
> network:Server-Sec:ns2.theplanet.com
> network:Tech-Contact;I:abuse at theplanet.com
> network:Admin-Contact;I:abuse at theplanet.com
> network:Created:20070303
> network:Updated:20070303
> 
> %referral rwhois://root.rwhois.net:4321/auth-area=.
> %ok
> 
> (c)
> route: 70.86.0.0/16
> descr: ThePlanet.com Internet Services, Inc.
> origin: AS21844
> notify: admins at theplanet.com
> mnt-by: MAINT-AS13884
> changed: wcharnock at theplanet.com 20050324
> source: RADB
> 
> [2]
> (a)
> Host Name:      ranger.vps.4tvirtual.com
> IP Address:     64.57.246.123
> Country:     United States united states
> Country code:     US (USA)
> Region:     Georgia
> City:     Suwanee
> Postal code:     30024
> Calling code:     +1
> Longitude:     -84.0659
> Latitude:     34.0535
> 
> (b)
> Quality Technology Services, LLC. EDEL-QGC-BLK1 (NET-64-57-240-0-1)
>                                   64.57.240.0 - 64.57.255.255
> 4T Networks EDEL-246-0-23 (NET-64-57-246-0-1)
>                                   64.57.246.0 - 64.57.247.255
> 
> (c)
> route: 64.57.240.0/20
> descr: QTS-SUW1-Routes
> origin: AS20141
> admin-c: QTS-RADB
> tech-c: QTS-RADB
> notify: radb-admin at qualitytech.com
> mnt-by: MAINT-QTS
> changed: ckoch at qualitytech.com 20080604 #21:25:23Z
> source: RADB
> 
> route: 64.57.240.0/20
> descr: Proxy-registered route object
> origin: AS20141
> remarks: auto-generated route object
> remarks: this next line gives the robot something to recognize
> remarks: L'enfer, c'est les autres
> remarks:
> remarks: This route object is for a Level 3 customer route
> remarks: which is being exported under this origin AS.
> remarks:
> remarks: This route object was created because no existing
> remarks: route object with the same origin was found, and
> remarks: since some Level 3 peers filter based on these objects
> remarks: this route may be rejected if this object is not created.
> remarks:
> remarks: Please contact routing at Level3.net if you have any
> remarks: questions regarding this object.
> mnt-by: LEVEL3-MNT
> changed: roy at Level3.net 20061218
> source: LEVEL3
> _______________________________________________
> Dshield mailing list
> Dshield at lists.sans.org
> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
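The report above rests on the poster having watched query volume per source on the DNS server and then blocked the two offending addresses. The following is an added illustration, not code from either poster, of the kind of per-source rate check a DNS operator would run over BIND-style query log lines to surface such a flood. The log lines are constructed for this example (the format follows BIND 9 querylog output; the two flooding sources are the addresses named in the report, the remaining clients use RFC 5737 documentation addresses), and the threshold of 20 queries per minute is an arbitrary assumption.

```python
"""Rate-based DNS query flood detection over BIND-style query log lines.

Added example for this thread; the sample log lines are constructed for
illustration and are not from the poster's server.
"""
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 querylog line, e.g.:
# "28-Jan-2009 10:53:30.123 client 70.86.80.98#53210: query: example.com IN A +"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source_ip, qname, qtype) or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["src"], m["qname"], m["qtype"]


def queries_per_minute(lines):
    """Count queries per (minute bucket, source ip); unparsable lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _qname, _qtype = parsed
        counts[(ts.replace(second=0), src)] += 1
    return counts


def flood_sources(lines, threshold):
    """Sources exceeding `threshold` queries in any single minute.

    Returns [(source_ip, peak_queries_per_minute), ...] sorted by peak, descending.
    """
    peak = {}
    for (_minute, src), n in queries_per_minute(lines).items():
        if n > threshold:
            peak[src] = max(peak.get(src, 0), n)
    return sorted(peak.items(), key=lambda kv: -kv[1])


def make_sample_lines():
    """Constructed sample log: two flooding sources plus a few normal clients."""
    lines = []
    # The two addresses from the report each send dozens of ANY queries within one minute.
    for src, n in (("70.86.80.98", 40), ("64.57.246.123", 35)):
        for i in range(n):
            lines.append(
                f"28-Jan-2009 10:53:{i % 60:02d}.{i:03d} client {src}#{40000 + i}: "
                f"query: example.net IN ANY +"
            )
    # Normal clients (RFC 5737 documentation addresses) issue one query per minute.
    for i, src in enumerate(("192.0.2.10", "198.51.100.7", "203.0.113.4")):
        lines.append(f"28-Jan-2009 10:53:{10 + i:02d}.000 client {src}#5300{i}: query: www.example.com IN A +")
        lines.append(f"28-Jan-2009 10:54:{10 + i:02d}.000 client {src}#5300{i}: query: mail.example.com IN MX -")
    # A non-query log line that the parser must ignore.
    lines.append("28-Jan-2009 10:53:20.000 client 192.0.2.10#53000: notify: zone example.com")
    return lines


if __name__ == "__main__":
    for src, n in flood_sources(make_sample_lines(), threshold=20):
        print(f"{src}: peak {n} queries/minute")
```

Bucketing by wall-clock minute is deliberately simple; on a real server the same counts would feed a block list or a rate limit, and the ANY query type seen from the flooding sources is itself worth tracking separately, since legitimate resolvers rarely send it in volume.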
