[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

JPP firewalllogs at frws.com
Thu Jan 29 06:24:49 GMT 2009


Hi!

I do not like to top-post, but this was a long one.

It's likely what you are seeing was reported here:
http://isc.sans.org/diary.html?storyid=5713

A lot of us have been seeing it for a few weeks now. It's not an attack on you 
but on the IPs that look like they are querying you; they are being spoofed.

The best way to 'ignore' them is to do either or both of the following:
1. Make sure your DNS is not allowing recursive lookups except from known IPs/
hosts; there is a test page you can use to check this at the above link.
2. Firewall out the IP addresses doing the '.' queries until they stop.
You did not mention (or I did not see) what OS or DNS server you are running, 
but BIND lets you blackhole the IPs, and obviously a simple iptables rule 
will do the trick on the IPs.

The list of the IPs is on that page link above. Hope this helps.

Regards,
JPP
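A small checker for JPP's two recommendations, written as an added example for this archive page; it is not JPP's or Dr. Carras's code. It parses "Request from <ip> for NS-record for <name>" lines in the format of the log excerpt quoted below, flags any source that sends more than a threshold of 'NS <root>' queries within one second (the threshold of 30 per second is taken from the warning line in that excerpt), and renders the BIND `allow-recursion`/`blackhole` options and the iptables DROP rules JPP describes. The log lines and addresses in the block are constructed (RFC 5737 documentation ranges), not taken from the thread.

```python
"""Flag sources flooding a resolver with 'NS .' queries; emit blocks.

Added example, not part of the original mailing-list thread. The log
format is the one shown in the excerpt further down this page; the
sample lines at the bottom are constructed for this example.
"""
import re
from collections import Counter

# "HH:MM:SS   Request from <ip> for <TYPE>-record for <name>"
REQUEST_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+Request from (?P<ip>[\d.]+) "
    r"for (?P<rtype>[A-Z]+)-record for (?P<name>\S+)"
)


def parse_request(line):
    """Return (time, ip, rtype, name) for a Request line, else None.

    'Sending reply ...' and forwarder lines are deliberately ignored:
    only what arrives from the (possibly spoofed) source is counted.
    """
    m = REQUEST_RE.match(line)
    if not m:
        return None
    return m["time"], m["ip"], m["rtype"], m["name"]


def root_ns_floods(lines, per_second=30):
    """Map source IP -> total 'NS <root>' queries, for every IP that sent
    more than `per_second` of them inside any single second. 30/s is the
    trigger the logging server in the excerpt used when it blocked a source.
    """
    per_sec = Counter()   # (ip, HH:MM:SS) -> count
    totals = Counter()    # ip -> count over the whole log
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        _time, ip, rtype, name = parsed
        if rtype != "NS" or name != "<root>":
            continue
        per_sec[(ip, _time)] += 1
        totals[ip] += 1
    flooders = {ip for (ip, _), n in per_sec.items() if n > per_second}
    return {ip: totals[ip] for ip in sorted(flooders)}


def bind_options(block_ips, recursion_from=("127.0.0.1", "::1")):
    """Render the BIND 9 'options' settings JPP recommends: recursion only
    for known hosts (point 1) and a blackhole list for the flooding
    sources (point 2). `recursion_from` is an assumed default, not from
    the page; put your own networks there.
    """
    acl = " ".join(f"{net};" for net in recursion_from)
    blk = " ".join(f"{ip};" for ip in sorted(block_ips))
    return (
        "options {\n"
        f"    allow-recursion {{ {acl} }};\n"
        f"    blackhole {{ {blk} }};\n"
        "};"
    )


def iptables_rules(ips):
    """One DROP rule per address for inbound UDP/53 (JPP's point 2).

    Remember these addresses are, per the thread, spoofed victims: the
    rule spares them your reflected replies; it does not reach the attacker.
    """
    return [f"iptables -A INPUT -p udp --dport 53 -s {ip} -j DROP"
            for ip in sorted(ips)]


# Constructed sample log: one source fires 40 'NS .' queries inside one
# second, a second source asks the same at one query per second, a third
# asks for an ordinary A record. No address here appears in the thread.
SAMPLE_LOG = (
    ["09:11:51   Request from 192.0.2.10 for NS-record for <root>"] * 40
    + ["09:11:51   Sending reply to 192.0.2.10 about NS-record for <root>:"] * 40
    + [f"09:11:5{s}   Request from 198.51.100.7 for NS-record for <root>"
       for s in range(2, 6)]
    + ["09:11:53   Request from 203.0.113.9 for A-record for www.example.com."]
)

if __name__ == "__main__":
    hits = root_ns_floods(SAMPLE_LOG)
    print(hits)
    print(bind_options(hits))
    print("\n".join(iptables_rules(hits)))
```

After applying the rendered options, confirm from a host outside your trusted networks that `dig @<your-server> . NS` no longer returns the full root NS set with glue shown in the excerpt; that reply size is what makes a spoofed 'NS .' query worth reflecting. Keep the blackhole and DROP entries temporary, as JPP says, since the listed sources are the targets rather than the attacker.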

###############################
From: "Dr. Daniel Carras" <dr.astrom42 at gmail.com> 
Subject: Re: [Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2 
Date: Wed, 28 Jan 2009 15:58:42 -0500 
To: General DShield Discussion List <list at lists.sans.org> 
Reply-to: General DShield Discussion List <list at lists.sans.org> 

I'm analyzing the logs now. However, there's not much. All it does is 
repeatedly ask for the NS-record for <root>. 

----log excerpt from Jan.17.09--- 
13:06:11   Request from 216.240.131.173 for NS-record for <root> 
13:06:11   Sending reply to 216.240.131.173 about NS-record for <root>: 
13:06:11   -> Answer: NS-record for <root> = b.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = l.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = d.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = i.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = g.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = m.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = k.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = f.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = e.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = j.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = c.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = a.root-servers.net. 
13:06:11   -> Answer: NS-record for <root> = h.root-servers.net. 
13:06:11   -> Additional: A-record for i.root-servers.net. = 192.36.148.17 
13:06:11   -> Additional: A-record for g.root-servers.net. = 192.112.36.4 
13:06:11   -> Additional: A-record for m.root-servers.net. = 202.12.27.33 
13:06:11   -> Additional: A-record for k.root-servers.net. = 193.0.14.129 
13:06:11   -> Additional: A-record for f.root-servers.net. = 192.5.5.241 
13:06:11   -> Additional: AAAA-record for f.root-servers.net. = 2001:500:2F:0:0:0:0:F 
13:06:11   -> Additional: A-record for e.root-servers.net. = 192.203.230.10 
13:06:11   -> Additional: A-record for j.root-servers.net. = 192.58.128.30 
13:06:11   -> Additional: A-record for c.root-servers.net. = 192.33.4.12 
13:06:11   -> Additional: A-record for a.root-servers.net. = 198.41.0.4 
13:06:11   -> Additional: AAAA-record for a.root-servers.net. = 2001:503:BA3E:0:0:0:2:30 
13:06:11   -> Additional: A-record for h.root-servers.net. = 128.63.2.53 
13:06:11   -> Additional: A-record for b.root-servers.net. = 192.228.79.201 
13:06:11   -> Additional: A-record for l.root-servers.net. = 199.7.83.42 
13:06:11   -> Additional: A-record for d.root-servers.net. = 128.8.10.90 
13:06:13   Request from 216.240.131.173 for NS-record for <root> 
13:06:13   Sending reply to 216.240.131.173 about NS-record for <root>: 
..... 
14:32:37   -> Additional: A-record for d.root-servers.net. = 128.8.10.90 
Next 
14:51:02   Request from 69.50.137.175 for NS-record for <root> 
14:51:02   Sending reply to 69.50.137.175 about NS-record for <root>: 
..... 
14:51:02   Request from 69.50.137.175 for NS-record for <root> 
14:51:02   Sending reply to 69.50.137.175 about NS-record for <root>: 
...... 
15:52:29   Request from 69.50.142.11 for NS-record for <root> 
15:52:29   Sending reply to 69.50.142.11 about NS-record for <root>: 
..... 
15:52:31   Request from 69.50.137.175 for NS-record for <root> 
15:52:31   Sending reply to 69.50.137.175 about NS-record for <root>: 
..... 
15:53:00   Request from 69.50.142.11 for NS-record for <root> 
15:53:00   Sending reply to 69.50.142.11 about NS-record for <root>: 
.... 
15:53:15   Request from 69.50.137.175 for NS-record for <root> 
15:53:15   Sending reply to 69.50.137.175 about NS-record for <root> 
..... 
15:53:16   Request from 69.50.142.11 for NS-record for <root> 
15:53:16   Sending reply to 69.50.142.11 about NS-record for <root> 
..... 
15:54:28   Request from 69.50.142.11 for NS-record for <root> 
15:54:28   Sending reply to 69.50.142.11 about NS-record for <root>: 
.... 
00:00:12   *** Warning: IP address 69.50.142.11 blocked (more than 30 requests per second) [Jan.17.09] 
Begins again [Jan.18.09] 
09:11:51   Request from 69.50.142.110 for NS-record for <root> 
09:11:51   Sending reply to 69.50.142.110 about NS-record for <root>: 
.... 
09:11:51   Request from 69.50.142.110 for NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao. 
09:11:51   Sending request to 208.67.220.220 (forward server) for NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao. 
09:11:51   Reply from 208.67.220.220 about NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao.: 
09:11:51   -> Header: Name does not exist. 
09:11:51   Sending reply to 69.50.142.110 about NS-record for pmmhemaaaaetv0000hgaaabbaaabmpao.: 
09:11:51   -> Header: Name does not exist. 
09:11:51   Request from 69.50.142.110 for NS-record for <root> 
09:11:51   Sending reply to 69.50.142.110 about NS-record for <root>: 
...... [continues until] 
12:19:03   Request from 69.50.142.110 for NS-record for <root> 
12:19:03   Sending reply to 69.50.142.110 about NS-record for <root>: 
.... [more aggressive steps taken] 
[Jan.22.09] 
23:01:53   Request from 66.230.128.15 for NS-record for <root> 
23:01:53   Sending reply to 66.230.128.15 about NS-record for <root>: 
..... 
23:01:54   Request from 66.230.160.1 for NS-record for <root> 
23:01:54   Sending reply to 66.230.160.1 about NS-record for <root>: 
.... 
23:01:55   Request from 66.230.128.15 for NS-record for <root> 
23:01:55   Sending reply to 66.230.128.15 about NS-record for <root>: 
.... 
23:01:56   Request from 66.230.160.1 for NS-record for <root> 
23:01:56   Sending reply to 66.230.160.1 about NS-record for <root>: 
.... 
23:04:37   Loading IP address blocks... 
[Jan.23.09] (single ip for flood) 
06:56:23   Request from 63.217.28.226 for NS-record for <root> 
06:56:23   Sending reply to 63.217.28.226 about NS-record for <root>: 
..... 
19:39:38   Request from 63.217.28.226 for NS-record for <root> 
19:39:38   Sending reply to 63.217.28.226 about NS-record for <root>: 
.... 
19:40:50   Loading IP address blocks... 
[Jan.24.09] (single ip for flood) 
13:33:54   Request from 206.71.158.30 for NS-record for <root> 
13:33:54   Sending reply to 206.71.158.30 about NS-record for <root>: 
..... 
21:42:39   Request from 206.71.158.30 for NS-record for <root> 
21:42:39   Sending reply to 206.71.158.30 about NS-record for <root>: 
21:42:41   Loading IP address blocks... 

[Jan.27.09] 
05:22:09   Request from 67.192.144.0 for NS-record for <root> 
05:22:09   Sending reply to 67.192.144.0 about NS-record for <root>: 
.... 
09:48:07   Request from 67.192.144.0 for NS-record for <root> 
09:48:07   Sending reply to 67.192.144.0 about NS-record for <root>: 
.... 
09:48:10   Request from 64.57.246.146 for NS-record for <root> 
09:48:10   Sending reply to 64.57.246.146 about NS-record for <root>: 
..... 
09:48:13   Request from 64.57.246.146 for NS-record for <root> 
09:48:13   Sending reply to 64.57.246.146 about NS-record for <root>: 
..... 
09:48:14   Request from 67.192.144.0 for NS-record for <root> 
09:48:14   Sending reply to 67.192.144.0 about NS-record for <root>: 
..... 
09:48:14   Request from 64.57.246.146 for NS-record for <root> 
09:48:14   Sending reply to 64.57.246.146 about NS-record for <root>: 
..... 
09:48:15   Request from 64.57.246.146 for NS-record for <root> 
09:48:15   Sending reply to 64.57.246.146 about NS-record for <root> 
.... 
09:51:20   Request from 64.57.246.146 for NS-record for <root> 
09:51:20   Sending reply to 64.57.246.146 about NS-record for <root>: 
.... 
09:51:20   Request from 67.192.144.0 for NS-record for <root> 
09:51:20   Sending reply to 67.192.144.0 about NS-record for <root>: 
.... 
09:51:22   Request from 64.57.246.146 for NS-record for <root> 
09:51:22   Sending reply to 64.57.246.146 about NS-record for <root>: 
.... 
09:51:44   Request from 64.57.246.146 for NS-record for <root> 
09:51:44   Sending reply to 64.57.246.146 about NS-record for <root>: 
.... 
09:51:45   Request from 67.192.144.0 for NS-record for <root> 
09:51:45   Sending reply to 67.192.144.0 about NS-record for <root>: 
.... 
13:26:31   Loading IP address blocks. 



M Quibell wrote: 
> Evidence? 
> 
> > Date: Wed, 28 Jan 2009 10:53:30 -0500 
> > From: dr.astrom42 at gmail.com 
> > To: list at lists.sans.org 
> > CC: roy at Level3.net; handlers-6656916 at sans.org; wcharnock at theplanet.com; handlers at sans.org; radb-admin at qualitytech.com; handlers-6137560 at sans.org; abuse at theplanet.com 
> > Subject: [Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2 
> > 
> > DNS Flood 
> > 
> > Current algorithm: from Jan.19.09 (but beginning on Jan.16.09) I've been 
> > observing a DNS flood. The flood is in its second phase; Jan.16.09 to 
> > Jan.24.09 defines the period of the 1st phase, and is marked by a single 
> > IP providing the attack. Beginning on Dec.27.09, the 2nd phase began, 
> > with 2 IPs providing the attack (and a possible third as a feeler, but a 
> > block of the 2 IPs is successful (at the DNS server) and the third never 
> > activates). 
> > 
> > Next, I find that major internet connection providers provide the 
> > least response to the issue. Rogers (the company that I connect through) 
> > provided an automated ticket, but nothing more. 
> > 
> > [Dec.28.09] Day 9 
> > 
> > [1] 
> > (a) 
> > Host Name: 62.50.5646.static.theplanet.com 
> > IP Address: 70.86.80.98 
> > Country: United States united states 
> > Country code: US (USA) 
> > Region: Texas 
> > City: Houston 
> > Postal code: 77002 
> > Calling code: +1 
> > Longitude: -95.367 
> > Latitude: 29.7523 
> > 
> > (b) 
> > OrgName: ThePlanet.com Internet Services, Inc. 
> > OrgID: TPCM 
> > Address: 315 Capitol 
> > Address: Suite 205 
> > City: Houston 
> > StateProv: TX 
> > PostalCode: 77002 
> > Country: US 
> > 
> > ReferralServer: rwhois://rwhois.theplanet.com:4321 
> > 
> > NetRange: 70.84.0.0 - 70.87.255.255 
> > CIDR: 70.84.0.0/14 
> > NetName: NETBLK-THEPLANET-BLK-13 
> > NetHandle: NET-70-84-0-0-1 
> > Parent: NET-70-0-0-0-0 
> > NetType: Direct Allocation 
> > NameServer: NS1.THEPLANET.COM 
> > NameServer: NS2.THEPLANET.COM 
> > Comment: 
> > RegDate: 2004-07-29 
> > Updated: 2006-02-17 
> > 
> > RTechHandle: PP46-ARIN 
> > RTechName: Pathos, Peter 
> > RTechPhone: +1-214-782-7800 
> > RTechEmail: admins at theplanet.com 
> > 
> > OrgAbuseHandle: ABUSE271-ARIN 
> > OrgAbuseName: The Planet Abuse 
> > OrgAbusePhone: +1-281-714-3560 
> > OrgAbuseEmail: abuse at theplanet.com 
> > 
> > OrgNOCHandle: THEPL-ARIN 
> > OrgNOCName: The Planet NOC 
> > OrgNOCPhone: +1-281-714-3555 
> > OrgNOCEmail: noc at theplanet.com 
> > 
> > OrgTechHandle: TECHN33-ARIN 
> > OrgTechName: Technical Support 
> > OrgTechPhone: +1-214-782-7800 
> > OrgTechEmail: admins at theplanet.com 
> > 
> > # ARIN WHOIS database, last updated 2009-01-27 19:10 
> > # Enter ? for additional hints on searching ARIN's WHOIS database. 
> > 
> > 
> > Found a referral to rwhois.theplanet.com:4321. 
> > 
> > %rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. 
> > V-1.5.9.5) 
> > network:Class-Name:network 
> > network:ID:THEPLANET-BLK-13 
> > network:Auth-Area:70.84.0.0/14 
> > network:Network-Name:TPIS-BLK-70-86-80-0 
> > network:IP-Network:70.86.80.96/28 
> > network:IP-Network-Block:70.86.80.96 - 70.86.80.111 
> > network:Organization-Name:Hostgator 
> > network:Organization-City:Boca Raton 
> > network:Organization-State:FL 
> > network:Organization-Zip:33496 
> > network:Organization-Country:USA 
> > network:Description-Usage:customer 
> > network:Server-Pri:ns1.theplanet.com 
> > network:Server-Sec:ns2.theplanet.com 
> > network:Tech-Contact;I:abuse at theplanet.com 
> > network:Admin-Contact;I:abuse at theplanet.com 
> > network:Created:20070303 
> > network:Updated:20070303 
> > 
> > %referral rwhois://root.rwhois.net:4321/auth-area=. 
> > %ok 
> > 
> > (c) 
> > route: 70.86.0.0/16 
> > descr: ThePlanet.com Internet Services, Inc. 
> > origin: AS21844 
> > notify: admins at theplanet.com 
> > mnt-by: MAINT-AS13884 
> > changed: wcharnock at theplanet.com 20050324 
> > source: RADB 
> > 
> > [2] 
> > (a) 
> > Host Name: ranger.vps.4tvirtual.com 
> > IP Address: 64.57.246.123 
> > Country: United States united states 
> > Country code: US (USA) 
> > Region: Georgia 
> > City: Suwanee 
> > Postal code: 30024 
> > Calling code: +1 
> > Longitude: -84.0659 
> > Latitude: 34.0535 
> > 
> > (b) 
> > Quality Technology Services, LLC. EDEL-QGC-BLK1 (NET-64-57-240-0-1) 
> > 64.57.240.0 - 64.57.255.255 
> > 4T Networks EDEL-246-0-23 (NET-64-57-246-0-1) 
> > 64.57.246.0 - 64.57.247.255 
> > 
> > (c) 
> > route: 64.57.240.0/20 
> > descr: QTS-SUW1-Routes 
> > origin: AS20141 
> > admin-c: QTS-RADB 
> > tech-c: QTS-RADB 
> > notify: radb-admin at qualitytech.com 
> > mnt-by: MAINT-QTS 
> > changed: ckoch at qualitytech.com 20080604 #21:25:23Z 
> > source: RADB 
> > 
> > route: 64.57.240.0/20 
> > descr: Proxy-registered route object 
> > origin: AS20141 
> > remarks: auto-generated route object 
> > remarks: this next line gives the robot something to recognize 
> > remarks: L'enfer, c'est les autres 
> > remarks: 
> > remarks: This route object is for a Level 3 customer route 
> > remarks: which is being exported under this origin AS. 
> > remarks: 
> > remarks: This route object was created because no existing 
> > remarks: route object with the same origin was found, and 
> > remarks: since some Level 3 peers filter based on these objects 
> > remarks: this route may be rejected if this object is not created. 
> > remarks: 
> > remarks: Please contact routing at Level3.net if you have any 
> > remarks: questions regarding this object. 
> > mnt-by: LEVEL3-MNT 
> > changed: roy at Level3.net 20061218 
> > source: LEVEL3 
> > _______________________________________________ 
> > Dshield mailing list 
> > Dshield at lists.sans.org 
> > To change your subscription options (or unsubscribe), see: 
> https://lists.sans.org/mailman/listinfo/list 
> 



