[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

Dr. Daniel Carras dr.astrom42 at gmail.com
Wed Jan 28 20:58:42 GMT 2009


I'm analyzing the logs now. However, there's not much. All it does is 
repeatedly ask for NS-record for <root>

----log excerpt from Jan.17.09---
13:06:11   Request from 216.240.131.173 for NS-record for <root>
13:06:11   Sending reply to 216.240.131.173 about NS-record for <root>:
13:06:11   -> Answer: NS-record for <root> = b.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = l.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = d.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = i.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = g.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = m.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = k.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = f.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = e.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = j.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = c.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = a.root-servers.net.
13:06:11   -> Answer: NS-record for <root> = h.root-servers.net.
13:06:11   -> Additional: A-record for i.root-servers.net. = 192.36.148.17
13:06:11   -> Additional: A-record for g.root-servers.net. = 192.112.36.4
13:06:11   -> Additional: A-record for m.root-servers.net. = 202.12.27.33
13:06:11   -> Additional: A-record for k.root-servers.net. = 193.0.14.129
13:06:11   -> Additional: A-record for f.root-servers.net. = 192.5.5.241
13:06:11   -> Additional: AAAA-record for f.root-servers.net. = 2001:500:2F:0:0:0:0:F
13:06:11   -> Additional: A-record for e.root-servers.net. = 192.203.230.10
13:06:11   -> Additional: A-record for j.root-servers.net. = 192.58.128.30
13:06:11   -> Additional: A-record for c.root-servers.net. = 192.33.4.12
13:06:11   -> Additional: A-record for a.root-servers.net. = 198.41.0.4
13:06:11   -> Additional: AAAA-record for a.root-servers.net. = 2001:503:BA3E:0:0:0:2:30
13:06:11   -> Additional: A-record for h.root-servers.net. = 128.63.2.53
13:06:11   -> Additional: A-record for b.root-servers.net. = 192.228.79.201
13:06:11   -> Additional: A-record for l.root-servers.net. = 199.7.83.42
13:06:11   -> Additional: A-record for d.root-servers.net. = 128.8.10.90
13:06:13   Request from 216.240.131.173 for NS-record for <root>
13:06:13   Sending reply to 216.240.131.173 about NS-record for <root>:
.....
14:32:37   -> Additional: A-record for d.root-servers.net. = 128.8.10.90
Next
14:51:02   Request from 69.50.137.175 for NS-record for <root>
14:51:02   Sending reply to 69.50.137.175 about NS-record for <root>:
.....
14:51:02   Request from 69.50.137.175 for NS-record for <root>
14:51:02   Sending reply to 69.50.137.175 about NS-record for <root>:
......
15:52:29   Request from 69.50.142.11 for NS-record for <root>
15:52:29   Sending reply to 69.50.142.11 about NS-record for <root>:
.....
15:52:31   Request from 69.50.137.175 for NS-record for <root>
15:52:31   Sending reply to 69.50.137.175 about NS-record for <root>:
.....
15:53:00   Request from 69.50.142.11 for NS-record for <root>
15:53:00   Sending reply to 69.50.142.11 about NS-record for <root>:
....
15:53:15   Request from 69.50.137.175 for NS-record for <root>
15:53:15   Sending reply to 69.50.137.175 about NS-record for <root>
.....
15:53:16   Request from 69.50.142.11 for NS-record for <root>
15:53:16   Sending reply to 69.50.142.11 about NS-record for <root>
.....
15:54:28   Request from 69.50.142.11 for NS-record for <root>
15:54:28   Sending reply to 69.50.142.11 about NS-record for <root>:
....
00:00:12   *** Warning: IP address 69.50.142.11 blocked (more than 30 requests per second) [Jan.17.09]
Begins again [Jan.18.09]
09:11:51   Request from 69.50.142.110 for NS-record for <root>
09:11:51   Sending reply to 69.50.142.110 about NS-record for <root>:
....
09:11:51   Request from 69.50.142.110 for NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao.
09:11:51   Sending request to 208.67.220.220 (forward server) for NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao.
09:11:51   Reply from 208.67.220.220 about NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao.:
09:11:51   -> Header: Name does not exist.
09:11:51   Sending reply to 69.50.142.110 about NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao.:
09:11:51   -> Header: Name does not exist.
09:11:51   Request from 69.50.142.110 for NS-record for <root>
09:11:51   Sending reply to 69.50.142.110 about NS-record for <root>:
...... [continues until]
12:19:03   Request from 69.50.142.110 for NS-record for <root>
12:19:03   Sending reply to 69.50.142.110 about NS-record for <root>:
.... [more aggressive steps taken]
[Jan.22.09]
23:01:53   Request from 66.230.128.15 for NS-record for <root>
23:01:53   Sending reply to 66.230.128.15 about NS-record for <root>:
.....
23:01:54   Request from 66.230.160.1 for NS-record for <root>
23:01:54   Sending reply to 66.230.160.1 about NS-record for <root>:
....
23:01:55   Request from 66.230.128.15 for NS-record for <root>
23:01:55   Sending reply to 66.230.128.15 about NS-record for <root>:
....
23:01:56   Request from 66.230.160.1 for NS-record for <root>
23:01:56   Sending reply to 66.230.160.1 about NS-record for <root>:
....
23:04:37   Loading IP address blocks...
[Jan.23.09] (single ip for flood)
06:56:23   Request from 63.217.28.226 for NS-record for <root>
06:56:23   Sending reply to 63.217.28.226 about NS-record for <root>:
.....
19:39:38   Request from 63.217.28.226 for NS-record for <root>
19:39:38   Sending reply to 63.217.28.226 about NS-record for <root>:
....
19:40:50   Loading IP address blocks...
[Jan.24.09] (single ip for flood)
13:33:54   Request from 206.71.158.30 for NS-record for <root>
13:33:54   Sending reply to 206.71.158.30 about NS-record for <root>:
.....
21:42:39   Request from 206.71.158.30 for NS-record for <root>
21:42:39   Sending reply to 206.71.158.30 about NS-record for <root>:
21:42:41   Loading IP address blocks...

[Jan.27.09]
05:22:09   Request from 67.192.144.0 for NS-record for <root>
05:22:09   Sending reply to 67.192.144.0 about NS-record for <root>:
....
09:48:07   Request from 67.192.144.0 for NS-record for <root>
09:48:07   Sending reply to 67.192.144.0 about NS-record for <root>:
....
09:48:10   Request from 64.57.246.146 for NS-record for <root>
09:48:10   Sending reply to 64.57.246.146 about NS-record for <root>:
.....
09:48:13   Request from 64.57.246.146 for NS-record for <root>
09:48:13   Sending reply to 64.57.246.146 about NS-record for <root>:
.....
09:48:14   Request from 67.192.144.0 for NS-record for <root>
09:48:14   Sending reply to 67.192.144.0 about NS-record for <root>:
.....
09:48:14   Request from 64.57.246.146 for NS-record for <root>
09:48:14   Sending reply to 64.57.246.146 about NS-record for <root>:
.....
09:48:15   Request from 64.57.246.146 for NS-record for <root>
09:48:15   Sending reply to 64.57.246.146 about NS-record for <root>
....
09:51:20   Request from 64.57.246.146 for NS-record for <root>
09:51:20   Sending reply to 64.57.246.146 about NS-record for <root>:
....
09:51:20   Request from 67.192.144.0 for NS-record for <root>
09:51:20   Sending reply to 67.192.144.0 about NS-record for <root>:
....
09:51:22   Request from 64.57.246.146 for NS-record for <root>
09:51:22   Sending reply to 64.57.246.146 about NS-record for <root>:
....
09:51:44   Request from 64.57.246.146 for NS-record for <root>
09:51:44   Sending reply to 64.57.246.146 about NS-record for <root>:
....
09:51:45   Request from 67.192.144.0 for NS-record for <root>
09:51:45   Sending reply to 67.192.144.0 about NS-record for <root>:
....
13:26:31   Loading IP address blocks.



M Quibell wrote:
> Evidence?
>
> > Date: Wed, 28 Jan 2009 10:53:30 -0500
> > From: dr.astrom42 at gmail.com
> > To: list at lists.sans.org
> > CC: roy at Level3.net; handlers-6656916 at sans.org;
> > wcharnock at theplanet.com; handlers at sans.org;
> > radb-admin at qualitytech.com; handlers-6137560 at sans.org; abuse at theplanet.com
> > Subject: [Dshield] ISC# [6656916] & [6137560] Massive DNS
> > attack/Flood - next evolution - phase 2
> >
> > DNS Flood
> >
> > Current Algorithm; From Jan.19.09 (but beginning on Jan.16.09) I've
> > been observing a DNS flood. The flood is in its second phase; Jan.16.09 to
> > Jan.24.09 defines the period of the 1st phase, and is marked by a single
> > ip providing the attack. Beginning on Dec.27.09, the 2nd phase began,
> > with 2 ips providing the attack (and a possible third as a feeler, but a
> > block of the 2 ips is successful (at the dns server) and the third never
> > activates).
> >
> > Next, I find that major internet connection providers provide the
> > least response to the issue. Rogers (the company that I connect through)
> > provided an automated ticket, but nothing more.
> >
> > [Dec.28.09] Day 9
> >
> > [1]
> > (a)
> > Host Name: 62.50.5646.static.theplanet.com
> > IP Address: 70.86.80.98
> > Country: United States
> > Country code: US (USA)
> > Region: Texas
> > City: Houston
> > Postal code: 77002
> > Calling code: +1
> > Longitude: -95.367
> > Latitude: 29.7523
> >
> > (b)
> > OrgName: ThePlanet.com Internet Services, Inc.
> > OrgID: TPCM
> > Address: 315 Capitol
> > Address: Suite 205
> > City: Houston
> > StateProv: TX
> > PostalCode: 77002
> > Country: US
> >
> > ReferralServer: rwhois://rwhois.theplanet.com:4321
> >
> > NetRange: 70.84.0.0 - 70.87.255.255
> > CIDR: 70.84.0.0/14
> > NetName: NETBLK-THEPLANET-BLK-13
> > NetHandle: NET-70-84-0-0-1
> > Parent: NET-70-0-0-0-0
> > NetType: Direct Allocation
> > NameServer: NS1.THEPLANET.COM
> > NameServer: NS2.THEPLANET.COM
> > Comment:
> > RegDate: 2004-07-29
> > Updated: 2006-02-17
> >
> > RTechHandle: PP46-ARIN
> > RTechName: Pathos, Peter
> > RTechPhone: +1-214-782-7800
> > RTechEmail: admins at theplanet.com
> >
> > OrgAbuseHandle: ABUSE271-ARIN
> > OrgAbuseName: The Planet Abuse
> > OrgAbusePhone: +1-281-714-3560
> > OrgAbuseEmail: abuse at theplanet.com
> >
> > OrgNOCHandle: THEPL-ARIN
> > OrgNOCName: The Planet NOC
> > OrgNOCPhone: +1-281-714-3555
> > OrgNOCEmail: noc at theplanet.com
> >
> > OrgTechHandle: TECHN33-ARIN
> > OrgTechName: Technical Support
> > OrgTechPhone: +1-214-782-7800
> > OrgTechEmail: admins at theplanet.com
> >
> > # ARIN WHOIS database, last updated 2009-01-27 19:10
> > # Enter ? for additional hints on searching ARIN's WHOIS database.
> >
> >
> > Found a referral to rwhois.theplanet.com:4321.
> >
> > %rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc.
> > V-1.5.9.5)
> > network:Class-Name:network
> > network:ID:THEPLANET-BLK-13
> > network:Auth-Area:70.84.0.0/14
> > network:Network-Name:TPIS-BLK-70-86-80-0
> > network:IP-Network:70.86.80.96/28
> > network:IP-Network-Block:70.86.80.96 - 70.86.80.111
> > network:Organization-Name:Hostgator
> > network:Organization-City:Boca Raton
> > network:Organization-State:FL
> > network:Organization-Zip:33496
> > network:Organization-Country:USA
> > network:Description-Usage:customer
> > network:Server-Pri:ns1.theplanet.com
> > network:Server-Sec:ns2.theplanet.com
> > network:Tech-Contact;I:abuse at theplanet.com
> > network:Admin-Contact;I:abuse at theplanet.com
> > network:Created:20070303
> > network:Updated:20070303
> >
> > %referral rwhois://root.rwhois.net:4321/auth-area=.
> > %ok
> >
> > (c)
> > route: 70.86.0.0/16
> > descr: ThePlanet.com Internet Services, Inc.
> > origin: AS21844
> > notify: admins at theplanet.com
> > mnt-by: MAINT-AS13884
> > changed: wcharnock at theplanet.com 20050324
> > source: RADB
> >
> > [2]
> > (a)
> > Host Name: ranger.vps.4tvirtual.com
> > IP Address: 64.57.246.123
> > Country: United States
> > Country code: US (USA)
> > Region: Georgia
> > City: Suwanee
> > Postal code: 30024
> > Calling code: +1
> > Longitude: -84.0659
> > Latitude: 34.0535
> >
> > (b)
> > Quality Technology Services, LLC. EDEL-QGC-BLK1 (NET-64-57-240-0-1)
> > 64.57.240.0 - 64.57.255.255
> > 4T Networks EDEL-246-0-23 (NET-64-57-246-0-1)
> > 64.57.246.0 - 64.57.247.255
> >
> > (c)
> > route: 64.57.240.0/20
> > descr: QTS-SUW1-Routes
> > origin: AS20141
> > admin-c: QTS-RADB
> > tech-c: QTS-RADB
> > notify: radb-admin at qualitytech.com
> > mnt-by: MAINT-QTS
> > changed: ckoch at qualitytech.com 20080604 #21:25:23Z
> > source: RADB
> >
> > route: 64.57.240.0/20
> > descr: Proxy-registered route object
> > origin: AS20141
> > remarks: auto-generated route object
> > remarks: this next line gives the robot something to recognize
> > remarks: L'enfer, c'est les autres
> > remarks:
> > remarks: This route object is for a Level 3 customer route
> > remarks: which is being exported under this origin AS.
> > remarks:
> > remarks: This route object was created because no existing
> > remarks: route object with the same origin was found, and
> > remarks: since some Level 3 peers filter based on these objects
> > remarks: this route may be rejected if this object is not created.
> > remarks:
> > remarks: Please contact routing at Level3.net if you have any
> > remarks: questions regarding this object.
> > mnt-by: LEVEL3-MNT
> > changed: roy at Level3.net 20061218
> > source: LEVEL3
> > _______________________________________________
> > Dshield mailing list
> > Dshield at lists.sans.org
> > To change your subscription options (or unsubscribe), see: 
> https://lists.sans.org/mailman/listinfo/list
>
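
An added example, not code from the post or from any tool mentioned in it: a Python script that runs over DNS server log lines in the format shown in the thread (`HH:MM:SS   Request from <ip> for NS-record for <root>`) and applies the two checks a practitioner would want here. The first is the per-second rate limit the author's server applied (it blocked a source at "more than 30 requests per second"); the second is the query profile that runs through the whole log, a source that asks for nothing but the NS record of the root, which no ordinary resolver needs to repeat hundreds of times. The sample log, addresses (documentation range 203.0.113.0/24) and thresholds are constructed for illustration and are not taken from the post. One caveat worth keeping in mind: the query is a few dozen bytes and the reply in the log carries 13 NS records plus 15 A/AAAA glue records, the shape of a reflection attack, so the source address of such requests may be a spoofed victim rather than the attacker; blocking it still protects the server's own load, but an abuse report to the address's owner may be reaching the wrong party.

```python
"""Added example (not from the post): rate and query-profile checks over
DNS server log lines in the format shown in the thread. Sample data below
is constructed, with addresses from the documentation range 203.0.113.0/24.
"""
import re
from collections import Counter, defaultdict

# Matches only the "Request from" lines; reply and "-> Answer" lines are skipped.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+Request from (?P<src>[0-9.]+) "
    r"for (?P<rtype>[A-Z]+)-record for (?P<name>\S+)$"
)

RATE_THRESHOLD = 30      # requests per second, as in the server warning in the post
ROOT_NS_SHARE = 0.9      # assumed: fraction of a source's queries that are NS for <root>
MIN_VOLUME = 10          # assumed: ignore the profile check below this many queries


def parse_requests(log_text):
    """Return (ts, src, rtype, name) tuples for each query line."""
    out = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            out.append((m["ts"], m["src"], m["rtype"], m["name"]))
    return out


def peak_rate_per_source(requests):
    """Highest number of requests seen from each source within one log second."""
    per_second = defaultdict(Counter)          # src -> Counter(ts -> n)
    for ts, src, _rtype, _name in requests:
        per_second[src][ts] += 1
    return {src: max(c.values()) for src, c in per_second.items()}


def root_ns_share(requests):
    """Fraction of each source's queries that are NS-record for <root>."""
    total, root_ns = Counter(), Counter()
    for _ts, src, rtype, name in requests:
        total[src] += 1
        if rtype == "NS" and name == "<root>":
            root_ns[src] += 1
    return {src: root_ns[src] / total[src] for src in total}


def flag_sources(requests, rate_threshold=RATE_THRESHOLD, share=ROOT_NS_SHARE):
    """Sources to block, with reasons: over the rate limit, or a pure
    NS-for-<root> profile with enough volume to rule out a one-off lookup.
    In a UDP reflection flood the 'source' may be a spoofed victim, so treat
    the result as a block list for this server, not as attacker attribution.
    """
    peaks = peak_rate_per_source(requests)
    shares = root_ns_share(requests)
    volume = Counter(src for _ts, src, _r, _n in requests)
    flagged = {}
    for src in volume:
        reasons = []
        if peaks[src] > rate_threshold:
            reasons.append(f"{peaks[src]} req/s")
        if shares[src] >= share and volume[src] >= MIN_VOLUME:
            reasons.append(f"{shares[src]:.0%} of {volume[src]} queries are NS <root>")
        if reasons:
            flagged[src] = reasons
    return flagged


def build_sample_log():
    """Constructed sample in the post's log format (not real traffic)."""
    lines = []
    # 203.0.113.5: 40 root-NS queries inside one second, then 15 more spread out.
    for _ in range(40):
        lines.append("13:06:11   Request from 203.0.113.5 for NS-record for <root>")
        lines.append("13:06:11   Sending reply to 203.0.113.5 about NS-record for <root>:")
        lines.append("13:06:11   -> Answer: NS-record for <root> = a.root-servers.net.")
    for i in range(15):
        lines.append(f"13:06:{20 + i:02d}   Request from 203.0.113.5 for NS-record for <root>")
    # 203.0.113.9: low rate, but every query is NS for <root> (the profile in the post).
    for i in range(12):
        lines.append(f"14:51:{i:02d}   Request from 203.0.113.9 for NS-record for <root>")
    # 203.0.113.20: an ordinary client doing mixed lookups.
    lines.append("15:00:01   Request from 203.0.113.20 for A-record for www.example.com.")
    lines.append("15:00:01   Request from 203.0.113.20 for AAAA-record for www.example.com.")
    lines.append("15:00:02   Request from 203.0.113.20 for MX-record for example.com.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    reqs = parse_requests(build_sample_log())
    for src, why in sorted(flag_sources(reqs).items()):
        print(f"block {src}: {'; '.join(why)}")
```

Run it as-is to see the two constructed sources flagged and the mixed-lookup client left alone; to use it on a real log, replace `build_sample_log()` with the file contents. The profile check is the one that catches the slow sources in the post (for example the ones that never exceeded 30 requests per second but did nothing but ask for the root NS record for hours), which a pure rate limit lets through.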


