Mailing List Archive: NANOG: users

isprime DOS in progress



nanog at email

Jan 20, 2009, 12:55 PM

Post #1 of 21
isprime DOS in progress

You guys might want to be aware that isprime.com (I am not affiliated or
representing them, just passing on info since friends and I noticed this)
is actively under a DOS where lots of people's dns servers around the world
are being queried with bogus sourced dns requests not from port 53 for
'NS? .'. This then bounces back to their authoritative nameservers which
are getting traffic overload. They've asked that those of us that can
should block all but port 53 from the following two IP's (their dns
servers as seen on whois) so as not to block legitimate dns info:

66.230.128.15
66.230.160.1

Here is the response from their abuse department:


To: todd [at] fries
Subject: Re: dos info?
From: ISPrime Support <support [at] isprime>
Date: Tue, 20 Jan 2009 15:16:02 -0500 (EST)

Hello,

These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network; as such, there is no way for us to filter things from our end.

If you are receiving queries from 76.9.31.42/76.9.16.171, neither of these machines makes legitimate outbound dns requests, so an inbound filter of packets to udp/53 from either of these two sources is perfect.

If you are receiving queries from 66.230.128.15/66.230.160.1, these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests, so filtering requests to your IPs from these IPs with a destination port of 53 should block any illegitimate requests.

An ACL similar to:
access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
is what you want.

I would also suggest taking a look at the excellent CYMRU secure bind template (assuming you are running bind), to help you configure your nameservers so that you do not participate in this attack: http://www.cymru.com/Documents/secure-bind-template.html.

Thanks for your help in mitigating this attack against us.

Please let me know if I can be of further assistance.

ISPrime Support
support [at] isprime
ICQ: 136633378

On 2009-01-20, at 15:14:33, "Todd T. Fries" <todd [at] fries> wrote:
> I was told to write here for your writeup on what to block and such
> to help you guys out given the DOS that is ongoing.


Thanks,
--
Todd Fries .. todd [at] fries

_____________________________________________
| \ 1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \ 1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX)
| "..in support of free software solutions." \ 250797 (FWD)
| \
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt

Penned by Mike Lyon on 20090109 16:41.04, we have:
| If so, would you mind hitting me up offlist? I have a few questions that i
| am unable to get answered through normal channels.
|
| Cheers,
| Mike


graeme at graemef

Jan 21, 2009, 9:08 AM

Post #2 of 21
Re: isprime DOS in progress

On Tue, 2009-01-20 at 14:55 -0600, Todd T. Fries forwarded:
> From: ISPrime Support <support [at] isprime>
> These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end.
> If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these machines make legitimate outbound dns requests so an inbound filter of packets to udp/53 from either of these two sources is perfect.
> If you are receiving queries from 66.230.128.15/66.230.160.1 these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.

I've been seeing a lot of noise from the latter two addresses after
switching on query logging (and finishing an application of Team Cymru's
excellent template) so I decided to DROP traffic from the addresses
(with source port != 53) at the hosts in question.

Well, blow me down if they didn't completely stop talking to me. Four
dropped packets each, and they've gone away.

Something smells "not quite right" here - if the traffic is spoofed, and
my "Refused" responses have been flying right back to the *real* IP
addresses, how are the spoofing hosts to know that I'm dropping the
traffic?

Even if I used a REJECT policy, I'd expect the ICMP messages to go back
to the appropriate - as in real - hosts, rather than the spoofing
sources.

Something here is very odd, very odd indeed... or I'm being dumb. It's
happened before.

Graeme


pr at isprime

Jan 21, 2009, 9:27 AM

Post #3 of 21
Re: isprime DOS in progress

Hello,

Representing ISPrime here.

This attack has been ongoing on 66.230.128.15/66.230.160.1 for about
24 hours now, and we are receiving roughly 5Gbit of attack packets
from roughly 750,000 hosts.

It's somewhat absurd to suggest that we are attacking our own
nameservers; I assure you we didn't spend many hours looking for your
specific nameserver to start sending 10 requests per second for the
root zone, and our nameservers serve many popular domains.

Given the attack is still in progress, I can't really say much more
publicly, but suffice to say, we're working on the situation.

-Phil
AS23393


jkrejci at usinternet

Jan 21, 2009, 9:32 AM

Post #4 of 21
RE: isprime DOS in progress

-----Original Message-----
From: Graeme Fowler [mailto:graeme [at] graemef]
Sent: Wednesday, January 21, 2009 11:08 AM
To: Nanog Mailing list
Subject: Re: isprime DOS in progress


> I've been seeing a lot of noise from the latter two addresses after
> switching on query logging (and finishing an application of Team Cymru's
> excellent template) so I decided to DROP traffic from the addresses
> (with source port != 53) at the hosts in question.

> Well, blow me down if they didn't completely stop talking to me. Four
> dropped packets each, and they've gone away.

> Something smells "not quite right" here - if the traffic is spoofed, and
> my "Refused" responses have been flying right back to the *real* IP
> addresses, how are the spoofing hosts to know that I'm dropping the
> traffic?
>
> Even if I used a REJECT policy, I'd expect the ICMP messages to go back
> to the appropriate - as in real - hosts, rather than the spoofing
> sources.
>
> Something here is very odd, very odd indeed... or I'm being dumb. It's
> happened before.
>
> Graeme

In looking at my query logs I am seeing only requests from 66.230.160.1 and
66.230.128.15 so I've done the same thing with iptables and the rules are
resulting in an ever growing number of packets being dropped.


# iptables -nvL | grep -F -B 1 -A 1 66.230.160.1 | awk '{ print $1,$2,$3,$8,$10,$11,$12 }'

pkts bytes target source
49517 2228K DROP 66.230.160.1 udp spt:!53 dpt:53
35905 1616K DROP 66.230.128.15 udp spt:!53 dpt:53


lists at die

Jan 21, 2009, 10:21 AM

Post #5 of 21
Re: isprime DOS in progress

On Wed, 21 Jan 2009, Phil Rosenthal wrote:
> This attack has been ongoing on 66.230.128.15/66.230.160.1 for about 24 hours
> now, and we are receiving roughly 5Gbit of attack packets from roughly
> 750,000 hosts.

I'm only receiving NS queries for "." from spoofed 66.230.128.15 and
66.230.160.1 via above.net (of my three transit providers) and none from
peering. This usually indicates a single source, such as one rooted machine
on non-BCP38 net spewing most of a gigabit.

> Given the attack is still in progress, I can't really say much more publicly,
> but suffice to say, we're working on the situation.

Have you had any luck tracking back the source of the spoofed packets? If
me talking to above.net sounds useful, let me know.

-- Aaron


chk at pobox

Jan 21, 2009, 10:24 AM

Post #6 of 21
Re: isprime DOS in progress

Graeme Fowler wrote:
> On Tue, 2009-01-20 at 14:55 -0600, Todd T. Fries forwarded:

> I've been seeing a lot of noise from the latter two addresses after
> switching on query logging (and finishing an application of Team Cymru's
> excellent template) so I decided to DROP traffic from the addresses
> (with source port != 53) at the hosts in question.
>
> Well, blow me down if they didn't completely stop talking to me. Four
> dropped packets each, and they've gone away.
>

I've seen that behaviour in the past, but not this time?

I've seen a few of these attacks bouncing off my nameservers recently,
and when I add "DROP" rules to my firewall, the incoming traffic
disappears soon after. But the most recent set (66.230.160.1 and
66.230.128.15) are still hammering away...

--
Harald


graeme at graemef

Jan 21, 2009, 11:32 AM

Post #7 of 21
Re: isprime DOS in progress

On Wed, 2009-01-21 at 12:27 -0500, Phil Rosenthal wrote:
> Representing ISPrime here.

Well... representing myself and nobody else, so if that stretches my
credibility thin so be it.

> It's somewhat absurd to suggest that we are attacking our own
> nameservers, I assure you, we didn't spend many hours looking for your
> specific nameserver to start sending 10 requests per second for the
> root zone, and our nameservers serve many popular domains.

I just checked to make sure I did not make that assertion. I did not.

I observed something odd, and stated as much to see if anyone else did.
I apologise if you read my message as insinuating what you stated, but I
assure you that wasn't the intention.

I did say "maybe I'm being dumb", and that is indeed the answer - I
applied a temporary netfilter ruleset, then made it permanent - and it
switched the DROP and LOG statements round so that... the packet got
dropped first and the log statements never got hit. Schoolboy error (and
interesting that someone else has observed this behaviour before!)...

Normal service has been resumed. I should write a haiku here (sorry,
MLC, poor joke).

> Given the attack is still in progress, I can't really say much more
> publicly, but suffice to say, we're working on the situation.

In a previous job I've been on the receiving end of similar attacks so I
have a large degree of understanding of the pressure you're under at the
moment. I wish you the best of luck sorting it out.

Graeme


bjorn at mork

Jan 22, 2009, 3:01 AM

Post #8 of 21
Re: isprime DOS in progress

Graeme Fowler <graeme [at] graemef> writes:

> I've been seeing a lot of noise from the latter two addresses after
> switching on query logging (and finishing an application of Team Cymru's
> excellent template) so I decided to DROP traffic from the addresses
> (with source port != 53) at the hosts in question.
>
> Well, blow me down if they didn't completely stop talking to me. Four
> dropped packets each, and they've gone away.
>
> Something smells "not quite right" here - if the traffic is spoofed, and
> my "Refused" responses have been flying right back to the *real* IP
> addresses, how are the spoofing hosts to know that I'm dropping the
> traffic?

Did you filter *only* 66.230.128.15/66.230.160.1, or are you dropping
traffic from other sources too? Looks like some of the other source
addresses are controlled by the DOSers. Possibly used to detect filters?

These clients may look similar to the DOS attack, but there are subtle
differences:

Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
Jan 18 05:08:34 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
Jan 18 05:47:00 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
Jan 18 07:42:08 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
Jan 18 08:20:30 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
Jan 18 08:58:50 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
Jan 18 09:37:13 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied

Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied

Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied


Notice the pattern:
3 probes every 38 minutes
Each probe from the same source port
Source port increases slowly and steadily

This looks like some application actually waiting for a response. The
slow source port change is probably an indication that this client only
tests a small number of DNS servers. I guess that this client is either
one of the many bots used to send the spoofed requests, or maybe a bot
not allowed to spoof its source and therefore used for other
purposes. In any case, I assume that other DNS servers may see such
control sessions coming from other addresses.

These 3 clients started probing my DNS server almost simultaneously on January 8th:


Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
Jan 8 19:36:30 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied

Maybe preparing for the attack on ISPrime? I didn't start receiving
spoofed requests from 66.230.128.15/66.230.160.1 before January 20th.


I just tried filtering the probing addresses. This made the probing
stop immediately after dropping a set of 3 probes. But the spoofed
requests continued at the same rate as before, so this does not support
my theory.

However, I believe it would be too much of a coincidence if there isn't
some connection between the probing and the DOS attack. It would be
interesting to hear if others see similar probing.



Bjørn


pr at isprime

Jan 23, 2009, 10:11 AM

Post #9 of 21
Re: isprime DOS in progress

Just a friendly notice, the attack against 66.230.128.15/66.230.160.1
seems to have stopped for now.

-Phil
On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:

> Graeme Fowler <graeme [at] graemef> writes:
>
>> I've been seeing a lot of noise from the latter two addresses after
>> switching on query logging (and finishing an application of Team
>> Cymru's
>> excellent template) so I decided to DROP traffic from the addresses
>> (with source port != 53) at the hosts in question.
>>
>> Well, blow me down if they didn't completely stop talking to me. Four
>> dropped packets each, and they've gone away.
>>
>> Something smells "not quite right" here - if the traffic is
>> spoofed, and
>> my "Refused" responses have been flying right back to the *real* IP
>> addresses, how are the spoofing hosts to know that I'm dropping the
>> traffic?
>
> Did you filter *only* 66.230.128.15/66.230.160.1, or are you dropping
> traffic from other sources too? Looks like some of the other source
> addresses are controlled by the DOSers. Possibly used to detect
> filters?
>
> These clients may look similar to the DOS attack, but there are subtle
> differences:
>
> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:
> view external: query (cache) './NS/IN' denied
> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:
> view external: query (cache) './NS/IN' denied
> Jan 18 05:08:34 canardo named[32046]: client 211.72.249.201#29656:
> view external: query (cache) './NS/IN' denied
> Jan 18 05:47:00 canardo named[32046]: client 211.72.249.201#29662:
> view external: query (cache) './NS/IN' denied
> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:
> view external: query (cache) './NS/IN' denied
> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:
> view external: query (cache) './NS/IN' denied
> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:
> view external: query (cache) './NS/IN' denied
> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:
> view external: query (cache) './NS/IN' denied
> Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664:
> view external: query (cache) './NS/IN' denied
> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:
> view external: query (cache) './NS/IN' denied
> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:
> view external: query (cache) './NS/IN' denied
> Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667:
> view external: query (cache) './NS/IN' denied
> Jan 18 07:42:08 canardo named[32046]: client 211.72.249.201#29670:
> view external: query (cache) './NS/IN' denied
> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:
> view external: query (cache) './NS/IN' denied
> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:
> view external: query (cache) './NS/IN' denied
> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:
> view external: query (cache) './NS/IN' denied
> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:
> view external: query (cache) './NS/IN' denied
> Jan 18 08:20:30 canardo named[32046]: client 211.72.249.201#29673:
> view external: query (cache) './NS/IN' denied
> Jan 18 08:58:50 canardo named[32046]: client 211.72.249.201#29678:
> view external: query (cache) './NS/IN' denied
> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:
> view external: query (cache) './NS/IN' denied
> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:
> view external: query (cache) './NS/IN' denied
> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:
> view external: query (cache) './NS/IN' denied
> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:
> view external: query (cache) './NS/IN' denied
> Jan 18 09:37:13 canardo named[32046]: client 211.72.249.201#29679:
> view external: query (cache) './NS/IN' denied
>
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
> view external: query (cache) './NS/IN' denied
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
> view external: query (cache) './NS/IN' denied
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
> view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
> view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
> view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
> view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
> view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
> view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
> view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
> view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
> view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
> view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
> view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
> view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
> view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
> view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
> view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
> view external: query (cache) './NS/IN' denied
>
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
> view external: query (cache) './NS/IN' denied
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
> view external: query (cache) './NS/IN' denied
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
> view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
> view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
> view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
> view external: query (cache) './NS/IN' denied
> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
> view external: query (cache) './NS/IN' denied
> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
> view external: query (cache) './NS/IN' denied
> Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473:
> view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
> view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
> view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
> view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
> view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
> view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
> view external: query (cache) './NS/IN' denied
> Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574:
> view external: query (cache) './NS/IN' denied
> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
> view external: query (cache) './NS/IN' denied
> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
> view external: query (cache) './NS/IN' denied
>
>
> Notice the pattern:
> 3 probes every 38 minutes
> Each probe from the same source port
> Source port increases slowly and steadily
>
> This looks like some application actually waiting for a response. The
> slow source port change is probably an indication that this client
> only
> tests a small number of DNS servers. I guess that this client is
> either
> one of the many bots used to send the spoofed requests, or maybe a bot
> not allowed to spoof its source and therefore used for other
> purposes. In any case, I assume that other DNS servers may see such
> control sessions coming from other addresses.
>
> These 3 clients started probing my DNS server almost simultaneously
> on January 8th:
>
>
> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:36:30 canardo named[26496]: client 66.238.93.161#11299:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
> view external: query (cache) './NS/IN' denied
> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
> view external: query (cache) './NS/IN' denied
>
> Maybe preparing for the attack on ISPrime? I didn't start receiving
> spoofed requests from 66.230.128.15/66.230.160.1 before January 20th
>
>
> I just tried filtering the probing addresses. This made the probing
> stop immediately after dropping a set of 3 probes. But the spoofed
> requests continued at the same rate as before, so this does not support
> my theory.
>
> However, I believe it would be too much of a coincidence if there isn't
> some connection between the probing and the DOS attack. It would be
> interesting to hear if others see similar probing.
>
>
>
> Bjørn
>


stevel at dedicatedservers

Jan 23, 2009, 11:46 AM

Post #10 of 21 (5265 views)
Permalink
RE: isprime DOS in progress [In reply to]

Hi,

I agree with seeing no traffic to/from 66.230.128.15 but am still seeing flows 'from' 66.230.160.1

Regards,
Steve

-----Original Message-----
From: Phil Rosenthal [mailto:pr [at] isprime]
Sent: Saturday, 24 January 2009 4:12 AM
To: nanog [at] nanog
Subject: Re: isprime DOS in progress

Just a friendly notice, the attack against 66.230.128.15/66.230.160.1
seems to have stopped for now.

-Phil


luke at sheldrick

Jan 23, 2009, 12:20 PM

Post #11 of 21 (5255 views)
Permalink
RE: isprime DOS in progress [In reply to]

Looks to me like the target has moved, anyone else seeing similar?

Jan 23 20:19:08 LND02 named[9611]: client 63.217.28.226#39489: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:09 LND02 named[9611]: client 63.217.28.226#20558: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:11 LND02 named[9611]: client 63.217.28.226#38525: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:12 LND02 named[9611]: client 63.217.28.226#41535: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:12 LND02 named[9611]: client 63.217.28.226#51220: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:13 LND02 named[9611]: client 63.217.28.226#28869: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:14 LND02 named[9611]: client 63.217.28.226#12337: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:15 LND02 named[9611]: client 63.217.28.226#41346: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:15 LND02 named[9611]: client 63.217.28.226#56831: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:17 LND02 named[9611]: client 63.217.28.226#13352: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:18 LND02 named[9611]: client 63.217.28.226#55466: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:18 LND02 named[9611]: client 63.217.28.226#24586: view
external: query (cache) './NS/IN' denied
Jan 23 20:19:19 LND02 named[9611]: client 63.217.28.226#43105: view
external: query (cache) './NS/IN' denied



On Fri, 2009-01-23 at 19:46 +0000, Steven Lisson wrote:
> Hi,
>
> I agree with seeing no traffic to/from 66.230.128.15 but am still seeing flows 'from' 66.230.160.1
>
> Regards,
> Steve
>
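As an added illustration, not code from anyone in this thread, the script below parses BIND "query denied" lines of the kind quoted above and labels each source address either as a slow probe in Bjørn's sense (small bursts, one source port per burst, port creeping upward, roughly 38 minute quiet gaps) or as a spoofed flood like the one Luke posted (many queries per second, a fresh source port on nearly every packet). The embedded log lines are constructed from the thread's own entries, joined back onto one line each as named writes them; the thresholds (5 s burst gap, 60 s minimum quiet time, 0.5 qps) and the year 2009 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not a real log file from the thread): the BIND
# "query ... denied" entries posted by Bjørn (canardo) and Luke (LND02),
# one per line as named emits them. The year is not logged; 2009 is assumed.
SAMPLE_LOG = """\
Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
Jan 23 20:19:08 LND02 named[9611]: client 63.217.28.226#39489: view external: query (cache) './NS/IN' denied
Jan 23 20:19:09 LND02 named[9611]: client 63.217.28.226#20558: view external: query (cache) './NS/IN' denied
Jan 23 20:19:11 LND02 named[9611]: client 63.217.28.226#38525: view external: query (cache) './NS/IN' denied
Jan 23 20:19:12 LND02 named[9611]: client 63.217.28.226#41535: view external: query (cache) './NS/IN' denied
Jan 23 20:19:12 LND02 named[9611]: client 63.217.28.226#51220: view external: query (cache) './NS/IN' denied
Jan 23 20:19:13 LND02 named[9611]: client 63.217.28.226#28869: view external: query (cache) './NS/IN' denied
Jan 23 20:19:14 LND02 named[9611]: client 63.217.28.226#12337: view external: query (cache) './NS/IN' denied
Jan 23 20:19:15 LND02 named[9611]: client 63.217.28.226#41346: view external: query (cache) './NS/IN' denied
"""

# syslog timestamp, host, named[pid], client ip#port, view name, query, "denied"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): view \S+: "
    r"query \(cache\) '(?P<name>[^']*)' denied$"
)


def parse(log, year=2009):
    """Return {client_ip: [(datetime, source_port), ...]} for './NS/IN' refusals."""
    per_ip = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["name"] != "./NS/IN":
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Jan  8" style padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        per_ip[m["ip"]].append((ts, int(m["port"])))
    return per_ip


def split_bursts(events, gap_s=5):
    """Group sorted (time, port) events into bursts; a new burst starts when
    more than gap_s seconds separate two consecutive queries (assumed value)."""
    bursts, cur = [], []
    for ev in events:
        if cur and (ev[0] - cur[-1][0]).total_seconds() > gap_s:
            bursts.append(cur)
            cur = []
        cur.append(ev)
    if cur:
        bursts.append(cur)
    return bursts


def profile(events):
    """Summarise one client's behaviour and label it 'probe', 'flood' or 'other'."""
    events = sorted(events)
    bursts = split_bursts(events)
    ports = {p for _, p in events}
    # Probe (Bjørn's pattern): one source port per burst, the port rising
    # between bursts, and long quiet periods separating the bursts.
    one_port_per_burst = all(len({p for _, p in b}) == 1 for b in bursts)
    first_ports = [b[0][1] for b in bursts]
    rising = all(a < b for a, b in zip(first_ports, first_ports[1:]))
    gaps_s = [(b[0][0] - a[-1][0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
    # Flood (Luke's pattern): sustained rate with a different source port on
    # nearly every packet, as spoofed traffic tends to look.
    span_s = max((events[-1][0] - events[0][0]).total_seconds(), 1.0)
    rate = len(events) / span_s
    if len(bursts) >= 2 and one_port_per_burst and rising and min(gaps_s) >= 60:
        kind = "probe"
    elif rate >= 0.5 and len(ports) >= 0.9 * len(events):
        kind = "flood"
    else:
        kind = "other"
    return {
        "kind": kind,
        "queries": len(events),
        "bursts": len(bursts),
        "distinct_ports": len(ports),
        "mean_gap_min": round(sum(gaps_s) / len(gaps_s) / 60, 1) if gaps_s else 0.0,
        "rate_qps": round(rate, 2),
    }


def summarize(log):
    """Profile every client seen refusing './NS/IN' in the given log text."""
    return {ip: profile(ev) for ip, ev in parse(log).items()}


if __name__ == "__main__":
    for ip, p in summarize(SAMPLE_LOG).items():
        print(ip, p)
```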


jabley at hopcount

Jan 23, 2009, 12:33 PM

Post #12 of 21 (5263 views)
Permalink
Re: isprime DOS in progress [In reply to]

On 2009-01-23, at 14:46, Steven Lisson wrote:

> I agree with seeing no traffic to/from 66.230.128.15 but am still
> seeing flows 'from' 66.230.160.1

Are they responses to queries? Or are they queries directed at servers
in your network? The latter are to be expected, I think.


Joe


copraphage at gmail

Jan 23, 2009, 1:21 PM

Post #13 of 21 (5246 views)
Permalink
Re: isprime DOS in progress [In reply to]

We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do the same :/






On Fri, Jan 23, 2009 at 3:20 PM, Luke Sheldrick <luke [at] sheldrick> wrote:
>
> Looks to me like the target has moved, anyone else seeing similar?
>
> > > view external: query (cache) './NS/IN' denied
> > > Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
> > > view external: query (cache) './NS/IN' denied
> > >
> > > Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
> > > view external: query (cache) './NS/IN' denied
> > >
> > >
> > > Notice the pattern:
> > > 3 probes every 38 minutes
> > > Each probe from the same source port
> > > Source port increases slowly and steadily
> > >
> > > This looks like some application actually waiting for a response. The
> > > slow source port change is probably an indication that this client
> > > only
> > > tests a small number of DNS servers. I guess that this client is
> > > either
> > > one of the many bots used to send the spoofed requests, or maybe a bot
> > > not allowed to spoof its source and therefore used for other
> > > purposes. In any case, I assume that other DNS servers may see such
> > > control sessions coming from other addresses.
> > >
> > > These 3 clients started probing my DNS server almost simultaneously
> > > on January 8th:
> > >
> > >
> > > Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:36:30 canardo named[26496]: client 66.238.93.161#11299:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
> > > view external: query (cache) './NS/IN' denied
> > > Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
> > > view external: query (cache) './NS/IN' denied
> > >
> > > Maybe preparing for the attack on ISPrime? I didn't start receiving
> > > spoofed requests from 66.230.128.15/66.230.160.1 before January 20th
> > >
> > >
> > > I just tried filtering the probing addresses. This made the probing
> > > stop immediately after dropping a set of 3 probes. But the spoofed
> > > requests continued at the same rate as before, so this does not
> > > support
> > > my theory.
> > >
> > > However, I believe it would be too much of a coincidence if there
> > > isn't
> > > some connection between the probing and the DOS attack. It would be
> > > interesting to hear if others see similar probing.
> > >
> > >
> > >
> > > Bjørn
> > >
> >
> >
> >
>
>


chort at smtps

Jan 23, 2009, 2:26 PM

Post #14 of 21 (5311 views)
Permalink
Re: isprime DOS in progress [In reply to]

On Jan 23, 2009, at 12:20 PM, Luke Sheldrick wrote:

> Looks to me like the target has moved, anyone else seeing similar?
>
> Jan 23 20:19:08 LND02 named[9611]: client 63.217.28.226#39489: view
> external: query (cache) './NS/IN' denied
> Jan 23 20:19:09 LND02 named[9611]: client 63.217.28.226#20558: view
> external: query (cache) './NS/IN' denied
>

Seeing the same here, it's 1 query per second per nameserver--time to
work some magic with PF.


--
bk


chrome at stupendous

Jan 23, 2009, 3:42 PM

Post #15 of 21 (5260 views)
Permalink
Re: isprime DOS in progress [In reply to]

On 24/01/2009, at 6:46 AM, Steven Lisson wrote:

> Hi,
>
> I agree with seeing no traffic to/from 66.230.128.15 but am still
> seeing flows 'from' 66.230.160.1
>
> Regards,
> Steve

Hi Steve,

There is at least an iptables rule you can use to drop this specific
query, assuming your nameservers run linux.

http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/

The bind-users mailing list suggested having the ISPs trace back the
flows and find the networks emitting the spoofed packets, and have
those networks implement BCP 38. While that's the 'right' solution
(everyone should be doing ingress filtering, sure, impossible to argue
against it), not every network out there is operated by people who
give a damn.

This will work at least until the kiddies improve their scripts to
query for names that actually exist.

On 24/01/2009, at 8:21 AM, Chris McDonald wrote:

> We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do
> the same :/

Good luck with that. Right now they're targeting ISPrime, and you've
just made the DoS even more effective for them. With any luck, the
rest of the world will follow suit and the bad guys win! yay! :)

Short of getting the rest of the world to properly implement ingress
filtering (ha, ha), I think dropping the specific packets that
generate the reflected traffic is good enough for now. The load on the
reflectors is minimal.

Nathan.
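
An added example, written for this archive and not taken from Nathan's post or the stupendous.net article he links, showing what a query-specific filter of that kind has to match on. It builds the 17-byte wire-format query for `NS? .` that the reflectors receive (the same 17 bytes tcpdump reports later in the thread), the 17-byte REFUSED answer a non-recursive BIND 9 sends back, and then expresses the two policies discussed here side by side: the router ACL keyed on victim source address and source port not 53, and the content match on the question itself. The victim address set and all function names are assumptions for illustration.

```python
import struct

QTYPE_NS, QTYPE_A, QCLASS_IN = 2, 1, 1
RCODE_REFUSED = 5

def encode_name(name: str) -> bytes:
    """DNS wire name: length-prefixed labels ending in a zero byte; the root ('' or '.') is one 0x00."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def build_query(txid: int, name: str = "", qtype: int = QTYPE_NS, rd: bool = True) -> bytes:
    """Standard query with one question. For name='' and qtype=NS this is the 17-byte 'NS? .' packet."""
    flags = 0x0100 if rd else 0x0000                      # RD set: the attack asks for recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_question(payload: bytes):
    """Return (txid, flags, labels, qtype, qclass) for a single-question message, or None if malformed."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):  # no compression pointers in a client question
            return None
        labels.append(payload[pos:pos + length])
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return txid, flags, labels, qtype, qclass

def is_root_ns_query(payload: bytes) -> bool:
    """True for a query (QR=0) whose only question is '. NS IN', the signature being dropped here."""
    parsed = parse_question(payload)
    if parsed is None:
        return False
    _txid, flags, labels, qtype, qclass = parsed
    return (flags & 0x8000) == 0 and labels == [] and qtype == QTYPE_NS and qclass == QCLASS_IN

def build_refused(query: bytes) -> bytes:
    """What a non-recursive server answers: same txid and question, QR=1, RCODE=REFUSED, no records.
    It is the same 17 bytes as the query, so a refusing server does not amplify; a server that
    answers with its cached root NS set sends back far more than it received."""
    txid, flags = struct.unpack("!HH", query[:4])
    rflags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + query[12:]

# Victim addresses named in this thread; an assumed, illustrative list, not a complete one.
VICTIM_SOURCES = {"66.230.128.15", "66.230.160.1", "76.9.31.42", "76.9.16.171",
                  "63.217.28.226", "206.71.158.30"}

def matches_source_acl(src_ip: str, src_port: int, dst_port: int, victims=VICTIM_SOURCES) -> bool:
    """Router-style rule from the thread: 'deny udp host <victim> neq 53 any eq 53'."""
    return dst_port == 53 and src_port != 53 and src_ip in victims

def matches_query_filter(dst_port: int, payload: bytes) -> bool:
    """Host-side match on packet content: drops the reflected query whoever the victim is,
    so it keeps working when the attacker moves to a new target address."""
    return dst_port == 53 and is_root_ns_query(payload)
```

The content match is the more durable of the two while the attackers keep asking for the root NS set, because it needs no update each time the spoofed source address changes; the source ACL is the one a router can apply without looking into the UDP payload.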


Mark_Andrews at isc

Jan 23, 2009, 4:00 PM

Post #16 of 21 (5257 views)
Permalink
Re: isprime DOS in progress [In reply to]

In message <9A251497-E94C-4693-8E89-3FD3ACF6D138 [at] stupendous>, Nathan Ollere
nshaw writes:
> On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
>
> > Hi,
> >
> > I agree with seeing no traffic to/from 66.230.128.15 but am still
> > seeing flows 'from' 66.230.160.1
> >
> > Regards,
> > Steve
>
> Hi Steve,
>
> There is at least an iptables rule you can use to drop this specific
> query, assuming your nameservers run linux.
>
> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursiv
> e-queries/
>
> The bind-users mailing list suggested having the ISPs trace back the
> flows and find the networks emitting the spoofed packets, and have
> those networks implement BCP 38.

It was also said here.

> While that's the 'right' solution
> (everyone should be doing ingress filtering, sure, impossible to argue
> against it), not every network out there is operated by people who
> give a damn.

I would suggest that you don't want to peer with such
networks.

I would suggest that deploying BCP 38 be a requirement for
peering.

> This will work at least until the kiddies improve their scripts to
> query for names that actually exist.
>
> On 24/01/2009, at 8:21 AM, Chris McDonald wrote:
>
> > We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do
> > the same :/
>
> Good luck with that. Right now they're targeting ISPrime, and you've
> just made the DoS even more effective for them. With any luck, the
> rest of the world will follow suit and the bad guys win! yay! :)
>
> Short of getting the rest of the world to properly implement ingress
> filtering (ha, ha), I think dropping the specific packets that
> generate the reflected traffic is good enough for now. The load on the
> reflectors is minimal.
>
> Nathan.
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews [at] isc


noel.butler at ausics

Jan 23, 2009, 5:50 PM

Post #17 of 21 (5263 views)
Permalink
Re: isprime DOS in progress [In reply to]

On Sat, 2009-01-24 at 07:21, Chris McDonald wrote:

> We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do the same :/
>



Wrong approach, they are *innocent* in this as are the new targets.

insert into your favourite acl:
deny udp host 66.230.160.1 neq 53 any eq 53
deny udp host 66.230.128.15 neq 53 any eq 53

But it's much less work to add a filter on the name server as others
have mentioned.


chort at smtps

Jan 24, 2009, 11:03 AM

Post #18 of 21 (5190 views)
Permalink
Re: isprime DOS in progress [In reply to]

On Jan 23, 2009, at 12:20 PM, Luke Sheldrick wrote:

> Looks to me like the target has moved, anyone else seeing similar?

It's switched again. The new target is 206.71.158.30 .

Over night it cycled through several different IPs (testing the
waters?), and finally started on this one around 10:26 Pacific time
this morning.

Timeline below.

--
bk

Jan 23 23:24:47 imhotep named[32762]: client 63.217.28.226#53: view
ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep named[32762]: client 208.78.169.236#33027:
view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep last message repeated 2 times
Jan 24 00:51:11 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep last message repeated 2 times
Jan 24 00:51:30 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 00:51:30 imhotep last message repeated 2 times
Jan 24 01:54:44 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 01:54:44 imhotep last message repeated 2 times
Jan 24 01:55:44 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 01:55:44 imhotep last message repeated 2 times
Jan 24 01:57:46 imhotep named[32762]: client 208.78.169.235#46265:
view ext: query (cache) './NS/IN' denied
Jan 24 01:57:46 imhotep last message repeated 2 times
Jan 24 02:58:29 imhotep named[32762]: client 208.37.177.62#46265: view
ext: query (cache) './NS/IN' denied
Jan 24 02:58:30 imhotep last message repeated 2 times
Jan 24 03:00:34 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 03:00:35 imhotep last message repeated 2 times
Jan 24 03:05:05 imhotep named[32762]: client 208.78.169.236#33027:
view ext: query (cache) './NS/IN' denied
Jan 24 03:05:05 imhotep last message repeated 2 times
Jan 24 03:07:49 imhotep named[32762]: client 63.217.28.226#53: view
ext: query (cache) './NS/IN' denied
Jan 24 04:02:38 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 04:02:38 imhotep last message repeated 2 times
Jan 24 04:05:43 imhotep named[32762]: client 204.11.51.59#32802: view
ext: query (cache) './NS/IN' denied
Jan 24 04:05:43 imhotep last message repeated 2 times
Jan 24 04:12:52 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 04:12:52 imhotep last message repeated 2 times
Jan 24 05:07:37 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 05:07:37 imhotep last message repeated 2 times
Jan 24 05:11:35 imhotep named[32762]: client 204.11.51.59#32802: view
ext: query (cache) './NS/IN' denied
Jan 24 05:11:35 imhotep last message repeated 2 times
Jan 24 05:21:36 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 05:21:37 imhotep last message repeated 2 times
Jan 24 06:16:06 imhotep named[32762]: client 208.37.177.62#46265: view
ext: query (cache) './NS/IN' denied
Jan 24 06:16:06 imhotep last message repeated 2 times
Jan 24 06:20:19 imhotep named[32762]: client 204.11.51.61#43329: view
ext: query (cache) './NS/IN' denied
Jan 24 06:20:19 imhotep last message repeated 2 times
Jan 24 06:29:37 imhotep named[32762]: client 208.78.169.235#46265:
view ext: query (cache) './NS/IN' denied
Jan 24 06:29:37 imhotep last message repeated 2 times
Jan 24 06:35:11 imhotep named[32762]: client 149.20.52.161#61452: view
ext: notify question section contains no SOA
Jan 24 07:23:06 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 07:23:06 imhotep last message repeated 2 times
Jan 24 07:28:27 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 07:28:27 imhotep last message repeated 2 times
Jan 24 07:40:25 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 07:40:25 imhotep last message repeated 2 times
Jan 24 08:29:57 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 08:29:57 imhotep last message repeated 2 times
Jan 24 08:36:10 imhotep named[32762]: client 204.11.51.61#43330: view
ext: query (cache) './NS/IN' denied
Jan 24 08:36:11 imhotep last message repeated 2 times
Jan 24 08:52:45 imhotep named[32762]: client 208.78.169.235#46265:
view ext: query (cache) './NS/IN' denied
Jan 24 08:52:45 imhotep last message repeated 2 times
Jan 24 08:55:54 imhotep named[32762]: client 149.20.58.131#59151: view
ext: query (cache) 'localhost/A/IN' denied
Jan 24 09:36:38 imhotep named[32762]: client 208.37.177.62#46265: view
ext: query (cache) './NS/IN' denied
Jan 24 09:36:38 imhotep last message repeated 2 times
Jan 24 09:43:53 imhotep named[32762]: client 204.11.51.61#43330: view
ext: query (cache) './NS/IN' denied
Jan 24 09:43:54 imhotep last message repeated 2 times
Jan 24 09:53:56 imhotep named[32762]: client 63.217.28.226#53: view
ext: query (cache) './NS/IN' denied
Jan 24 10:05:28 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 10:05:28 imhotep last message repeated 2 times
Jan 24 10:26:09 imhotep named[32762]: client 206.71.158.30#18971: view
ext: query (cache) './NS/IN' denied
Jan 24 10:26:11 imhotep named[32762]: client 206.71.158.30#47622: view
ext: query (cache) './NS/IN' denied
Jan 24 10:26:13 imhotep named[32762]: client 206.71.158.30#16077: view
ext: query (cache) './NS/IN' denied


andrew.fried at gmail

Jan 24, 2009, 9:54 PM

Post #19 of 21 (5131 views)
Permalink
Re: isprime DOS in progress [In reply to]

I extracted all logs from one of my dns servers that reflected an
"'./NS/IN' denied" message, pumped them into a database and ran a few
queries.

The first query shows the number of "denied" messages on my dns server,
sorted by date. The amount of traffic definitely picked up on January 21st:

+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 03-Jan-2009 |          20 |
| 04-Jan-2009 |         173 |
| 05-Jan-2009 |         407 |
| 06-Jan-2009 |        6429 |
| 07-Jan-2009 |        6391 |
| 08-Jan-2009 |        1421 |
| 09-Jan-2009 |         398 |
| 10-Jan-2009 |         402 |
| 11-Jan-2009 |         257 |
| 12-Jan-2009 |         174 |
| 13-Jan-2009 |         168 |
| 14-Jan-2009 |         451 |
| 15-Jan-2009 |         959 |
| 16-Jan-2009 |       31410 |
| 17-Jan-2009 |       79418 |
| 18-Jan-2009 |       64788 |
| 19-Jan-2009 |       90391 |
| 20-Jan-2009 |       71683 |
| 21-Jan-2009 |      104413 |
| 22-Jan-2009 |      104344 |
| 23-Jan-2009 |      105686 |
| 24-Jan-2009 |      105853 |
| 25-Jan-2009 |        1757 |
+-------------+-------------+

This report shows the number of queries grouped by host IP:

+-----------------+-------------+
| host            | count(host) |
+-----------------+-------------+
| 10.168.69.6     |        1059 |
| 123.127.121.245 |         528 |
| 202.106.83.125  |         530 |
| 203.121.29.11   |         426 |
| 203.121.29.12   |         402 |
| 206.71.158.30   |       45047 |
| 209.123.8.64    |         361 |
| 209.123.8.99    |         617 |
| 211.72.249.201  |         786 |
| 211.95.81.245   |         530 |
| 213.61.92.192   |         863 |
| 216.201.82.19   |        4548 |
| 216.201.83.2    |        3411 |
| 216.240.131.173 |        1081 |
| 219.142.91.125  |         530 |
| 220.181.168.251 |         451 |
| 58.26.5.43      |         426 |
| 58.26.5.44      |         367 |
| 60.247.99.245   |         530 |
| 61.129.61.245   |           5 |
| 63.217.28.226   |      130907 |
| 66.230.128.15   |      123551 |
| 66.230.160.1    |      176558 |
| 66.238.93.161   |         789 |
| 69.31.52.214    |          15 |
| 69.50.137.175   |       22068 |
| 69.50.142.11    |      114048 |
| 69.50.142.110   |       15483 |
| 74.86.34.144    |        1188 |
| 76.9.16.171     |       57275 |
| 76.9.31.42      |       72669 |
| 91.199.112.18   |         344 |
+-----------------+-------------+

And finally, I looked at all log entries reflecting the host ip
'206.71.158.30'. The first time my dns server logged that IP address
was on January 24th:

+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 24-Jan-2009 |       43441 |
| 25-Jan-2009 |        1606 |
+-------------+-------------+

Finally, when I focused strictly on logs from January 24th, 5 hosts came up:

+---------------+-------------+
| host          | count(host) |
+---------------+-------------+
| 10.168.69.6   |          51 |
| 206.71.158.30 |       43441 |
| 63.217.28.226 |       57955 |
| 66.230.160.1  |        4014 |
| 76.9.16.171   |         392 |
+---------------+-------------+

A tail end of the logs related to 206.71.158.30 indicate queries
originating, on average, about one second apart:

| 25-Jan-2009 | 00:22:58.644 | 206.71.158.30 |
| 25-Jan-2009 | 00:22:59.056 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.565 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.643 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.949 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:02.640 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.330 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.639 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:05.283 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.646 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.792 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:07.176 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:08.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.556 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:11.509 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:12.652 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.018 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.402 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:14.656 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.783 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:17.736 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:18.666 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.245 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.629 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:20.662 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:22.658 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.010 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.963 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:24.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.472 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.856 | 206.71.158.30 |
+-------------+--------------+---------------+

Andrew



Brian Keefer wrote:
>
>
> On Jan 23, 2009, at 12:20 PM, Luke Sheldrick wrote:
>
>> Looks to me like the target has moved, anyone else seeing similar?
>
> It's switched again. The new target is 206.71.158.30 .
>
> Over night it cycled through several different IPs (testing the
> waters?), and finally started on this one around 10:26 Pacific time
> this morning.
>
> Timeline below.
>
> --
> bk
>
> Jan 23 23:24:47 imhotep named[32762]: client 63.217.28.226#53: view
> ext: query (cache) './NS/IN' denied
> Jan 24 00:51:11 imhotep named[32762]: client 208.78.169.236#33027:
> view ext: query (cache) './NS/IN' denied
> Jan 24 00:51:11 imhotep last message repeated 2 times
> Jan 24 00:51:11 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 00:51:11 imhotep last message repeated 2 times
> Jan 24 00:51:30 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 00:51:30 imhotep last message repeated 2 times
> Jan 24 01:54:44 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 01:54:44 imhotep last message repeated 2 times
> Jan 24 01:55:44 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 01:55:44 imhotep last message repeated 2 times
> Jan 24 01:57:46 imhotep named[32762]: client 208.78.169.235#46265:
> view ext: query (cache) './NS/IN' denied
> Jan 24 01:57:46 imhotep last message repeated 2 times
> Jan 24 02:58:29 imhotep named[32762]: client 208.37.177.62#46265: view
> ext: query (cache) './NS/IN' denied
> Jan 24 02:58:30 imhotep last message repeated 2 times
> Jan 24 03:00:34 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 03:00:35 imhotep last message repeated 2 times
> Jan 24 03:05:05 imhotep named[32762]: client 208.78.169.236#33027:
> view ext: query (cache) './NS/IN' denied
> Jan 24 03:05:05 imhotep last message repeated 2 times
> Jan 24 03:07:49 imhotep named[32762]: client 63.217.28.226#53: view
> ext: query (cache) './NS/IN' denied
> Jan 24 04:02:38 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 04:02:38 imhotep last message repeated 2 times
> Jan 24 04:05:43 imhotep named[32762]: client 204.11.51.59#32802: view
> ext: query (cache) './NS/IN' denied
> Jan 24 04:05:43 imhotep last message repeated 2 times
> Jan 24 04:12:52 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 04:12:52 imhotep last message repeated 2 times
> Jan 24 05:07:37 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 05:07:37 imhotep last message repeated 2 times
> Jan 24 05:11:35 imhotep named[32762]: client 204.11.51.59#32802: view
> ext: query (cache) './NS/IN' denied
> Jan 24 05:11:35 imhotep last message repeated 2 times
> Jan 24 05:21:36 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 05:21:37 imhotep last message repeated 2 times
> Jan 24 06:16:06 imhotep named[32762]: client 208.37.177.62#46265: view
> ext: query (cache) './NS/IN' denied
> Jan 24 06:16:06 imhotep last message repeated 2 times
> Jan 24 06:20:19 imhotep named[32762]: client 204.11.51.61#43329: view
> ext: query (cache) './NS/IN' denied
> Jan 24 06:20:19 imhotep last message repeated 2 times
> Jan 24 06:29:37 imhotep named[32762]: client 208.78.169.235#46265:
> view ext: query (cache) './NS/IN' denied
> Jan 24 06:29:37 imhotep last message repeated 2 times
> Jan 24 06:35:11 imhotep named[32762]: client 149.20.52.161#61452: view
> ext: notify question section contains no SOA
> Jan 24 07:23:06 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 07:23:06 imhotep last message repeated 2 times
> Jan 24 07:28:27 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 07:28:27 imhotep last message repeated 2 times
> Jan 24 07:40:25 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 07:40:25 imhotep last message repeated 2 times
> Jan 24 08:29:57 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 08:29:57 imhotep last message repeated 2 times
> Jan 24 08:36:10 imhotep named[32762]: client 204.11.51.61#43330: view
> ext: query (cache) './NS/IN' denied
> Jan 24 08:36:11 imhotep last message repeated 2 times
> Jan 24 08:52:45 imhotep named[32762]: client 208.78.169.235#46265:
> view ext: query (cache) './NS/IN' denied
> Jan 24 08:52:45 imhotep last message repeated 2 times
> Jan 24 08:55:54 imhotep named[32762]: client 149.20.58.131#59151: view
> ext: query (cache) 'localhost/A/IN' denied
> Jan 24 09:36:38 imhotep named[32762]: client 208.37.177.62#46265: view
> ext: query (cache) './NS/IN' denied
> Jan 24 09:36:38 imhotep last message repeated 2 times
> Jan 24 09:43:53 imhotep named[32762]: client 204.11.51.61#43330: view
> ext: query (cache) './NS/IN' denied
> Jan 24 09:43:54 imhotep last message repeated 2 times
> Jan 24 09:53:56 imhotep named[32762]: client 63.217.28.226#53: view
> ext: query (cache) './NS/IN' denied
> Jan 24 10:05:28 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 10:05:28 imhotep last message repeated 2 times
> Jan 24 10:26:09 imhotep named[32762]: client 206.71.158.30#18971: view
> ext: query (cache) './NS/IN' denied
> Jan 24 10:26:11 imhotep named[32762]: client 206.71.158.30#47622: view
> ext: query (cache) './NS/IN' denied
> Jan 24 10:26:13 imhotep named[32762]: client 206.71.158.30#16077: view
> ext: query (cache) './NS/IN' denied
>
>
>

--
Andrew Fried
andrew.fried [at] gmail
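
An added example, mine rather than Andrew's or anything posted in this thread, that does in Python what Andrew did with a database and Bjørn did by eye: it parses the BIND `query (cache) './NS/IN' denied` lines in the format the hosts here log (including syslog's `last message repeated N times` suppression, which Brian's log shows and which must be expanded or the counts are wrong), tallies them per date and per source, and then labels each source using the two patterns described in the thread: sustained roughly one-per-second queries with changing source ports, which is the spoofed reflection traffic, versus bursts of three with a single fixed source port spaced tens of minutes apart, which Bjørn reads as probing. The sample lines are taken from logs quoted in the thread, unwrapped onto single lines, with two constructed lines added (the repeat marker and the #50211 query) so the expansion is exercised; the classification thresholds are my assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One BIND 9 'query ... denied' line as it reaches syslog; any view name is accepted.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#(?P<sport>\d+): view \S+: "
    r"query \(cache\) '(?P<q>[^']+)' denied$"
)
# syslog duplicate suppression, e.g. 'Jan 24 00:51:11 imhotep last message repeated 2 times'
REPEAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ last message repeated (?P<n>\d+) times$"
)

def _stamp(text: str, year: int) -> datetime:
    # syslog omits the year; the caller supplies it (2009 for this thread)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_named_log(lines, year=2009):
    """Yield (timestamp, src_ip, src_port, qname) per denied query, expanding repeat markers."""
    last = None
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            last = (_stamp(m["ts"], year), m["src"], int(m["sport"]), m["q"])
            yield last
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            for _ in range(int(r["n"])):
                yield (_stamp(r["ts"], year),) + last[1:]

def summarize(records, qname="./NS/IN"):
    """Counts per date and per source for one question name, plus per-source port/time detail."""
    by_date, by_host = Counter(), Counter()
    per_src = defaultdict(lambda: defaultdict(list))      # src -> sport -> [timestamps]
    for ts, src, sport, q in records:
        if q != qname:
            continue
        by_date[ts.date().isoformat()] += 1
        by_host[src] += 1
        per_src[src][sport].append(ts)
    return by_date, by_host, per_src

def classify(port_times, burst_max=3, min_burst_gap_s=600, max_median_gap_s=2.0):
    """Label one source from its {src_port: [timestamps]} map.
    'probe'      : at most burst_max queries per source port, ports used in well separated bursts
    'reflection' : sustained rate (median gap <= max_median_gap_s) with changing source ports
    Thresholds are assumptions chosen to fit the patterns reported in the thread."""
    all_ts = sorted(t for ts in port_times.values() for t in ts)
    if len(all_ts) < 2:
        return "unknown"
    bursts = sorted(min(ts) for ts in port_times.values())
    if (len(bursts) >= 2
            and all(len(ts) <= burst_max for ts in port_times.values())
            and min((b - a).total_seconds() for a, b in zip(bursts, bursts[1:])) >= min_burst_gap_s):
        return "probe"
    gaps = sorted((b - a).total_seconds() for a, b in zip(all_ts, all_ts[1:]))
    if gaps[len(gaps) // 2] <= max_median_gap_s and len(port_times) > 1:
        return "reflection"
    return "other"

def analyze(lines, year=2009):
    by_date, by_host, per_src = summarize(parse_named_log(lines, year))
    verdicts = {src: classify(port_times) for src, port_times in per_src.items()}
    return by_date, by_host, verdicts

# Sample input: lines quoted in the thread, unwrapped, plus two constructed lines
# (the 'repeated' marker and the #50211 query) to exercise repeat expansion.
SAMPLE_LOG = """\
Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
Jan 24 08:55:54 canardo named[32046]: client 149.20.58.131#59151: view external: query (cache) 'localhost/A/IN' denied
Jan 24 10:26:09 canardo named[32046]: client 206.71.158.30#18971: view external: query (cache) './NS/IN' denied
Jan 24 10:26:11 canardo named[32046]: client 206.71.158.30#47622: view external: query (cache) './NS/IN' denied
Jan 24 10:26:13 canardo named[32046]: client 206.71.158.30#16077: view external: query (cache) './NS/IN' denied
Jan 24 10:26:13 canardo last message repeated 2 times
Jan 24 10:26:14 canardo named[32046]: client 206.71.158.30#50211: view external: query (cache) './NS/IN' denied
"""

if __name__ == "__main__":
    by_date, by_host, verdicts = analyze(SAMPLE_LOG.splitlines())
    for day, n in sorted(by_date.items()):
        print(f"{day} {n:>8}")
    for src, n in by_host.most_common():
        print(f"{src:<16} {n:>8}  {verdicts[src]}")
```

Run it over a real `named` log with `analyze(open(path).readlines())`; the per-host counts correspond to Andrew's second table, and the verdict column is the part a database query does not give you. Sources labelled "reflection" are the spoofed victim addresses and should not be blackholed; sources labelled "probe" are worth a closer look, since they are real clients waiting for answers.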


dga at cs

Jan 25, 2009, 9:23 AM

Post #20 of 21 (5078 views)
Permalink
Re: isprime DOS in progress [In reply to]

I'm not sure you're entirely out of the water yet:

17:13:45.680944 76.9.16.171.53868 > XXXXXXXX.53: 58451+ NS? . (17)
17:13:45.681251 XXXXXXXX.53 > 76.9.16.171.53868: 58451 Refused- 0/0/0
(17)

CIDR: 76.9.0.0/19
NetName: ISPRIME-ARIN-3

In addition to the one that Brian Keefer mentioned a few days ago
(206.71.158.30).

But on that subject, I figured I'd toss in a (sad) anecdote about
security and upgrades. I'd upgraded this nameserver to bind-9 some
time ago, during a bit of a security panic. And in the process, I
screwed it up - I'd updated the machine itself, but had failed to
propagate the changes to the master that sends updates to all of the
servers. The obvious thing happened: after a while, this nameserver
pulled its updates from the master, and downgraded to bind-8 again,
which we didn't notice until I saw it spitting full cached NS
responses to isprime hosts. Human error strikes again. Apologies for
letting my host be an amplifier.

-Dave


On Jan 23, 2009, at 1:11 PM, Phil Rosenthal wrote:

> Just a friendly notice, the attack against
> 66.230.128.15/66.230.160.1 seems to have stopped for now.
>
> -Phil
> On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:
>
>> Graeme Fowler <graeme [at] graemef> writes:
>>
>>> I've been seeing a lot of noise from the latter two addresses after
>>> switching on query logging (and finishing an application of Team
>>> Cymru's
>>> excellent template) so I decided to DROP traffic from the addresses
>>> (with source port != 53) at the hosts in question.
>>>
>>> Well, blow me down if they didn't completely stop talking to me.
>>> Four
>>> dropped packets each, and they've gone away.
>>>
>>> Something smells "not quite right" here - if the traffic is
>>> spoofed, and
>>> my "Refused" responses have been flying right back to the *real* IP
>>> addresses, how are the spoofing hosts to know that I'm dropping the
>>> traffic?
>>
>> Did you filter *only* 66.230.128.15/66.230.160.1, or are you dropping
>> traffic from other sources too? Looks like some of the other source
>> addresses are controlled by the DOSers. Possibly used to detect
>> filters?
>>
>> These clients may look similar to the DOS attack, but there are
>> subtle
>> differences:
>>
>> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:08:34 canardo named[32046]: client 211.72.249.201#29656:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:47:00 canardo named[32046]: client 211.72.249.201#29662:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:42:08 canardo named[32046]: client 211.72.249.201#29670:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:20:30 canardo named[32046]: client 211.72.249.201#29673:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:58:50 canardo named[32046]: client 211.72.249.201#29678:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:
>> view external: query (cache) './NS/IN' denied
>> Jan 18 09:37:13 canardo named[32046]: client 211.72.249.201#29679:
>> view external: query (cache) './NS/IN' denied
>>
>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
>> view external: query (cache) './NS/IN' denied
>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
>> view external: query (cache) './NS/IN' denied
>>
>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
>> view external: query (cache) './NS/IN' denied
>> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
>> view external: query (cache) './NS/IN' denied
>>
>>
>> Notice the pattern:
>> 3 probes every 38 minutes
>> Each probe from the same source port
>> Source port increases slowly and steadily
>>
>> This looks like some application actually waiting for a response. The
>> slow source port change is probably an indication that this client only
>> tests a small number of DNS servers. I guess that this client is either
>> one of the many bots used to send the spoofed requests, or maybe a bot
>> not allowed to spoof its source and therefore used for other
>> purposes. In any case, I assume that other DNS servers may see such
>> control sessions coming from other addresses.
>>
>> These 3 clients started probing my DNS server almost simultaneously
>> on January 8th:
>>
>>
>> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:36:30 canardo named[26496]: client 66.238.93.161#11299:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
>> view external: query (cache) './NS/IN' denied
>> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
>> view external: query (cache) './NS/IN' denied
>>
>> Maybe preparing for the attack on ISPrime? I didn't start receiving
>> spoofed requests from 66.230.128.15/66.230.160.1 before January 20th
>>
>>
>> I just tried filtering the probing addresses. This made the probing
>> stop immediately after dropping a set of 3 probes. But the spoofed
>> requests continued at the same rate as before, so this does not support
>> my theory.
>>
>> However, I believe it would be too much of a coincidence if there isn't
>> some connection between the probing and the DOS attack. It would be
>> interesting to hear if others see similar probing.
>>
>>
>>
>> Bjørn
>>
>
>
>
Attachments: PGP.sig (0.19 KB)


andrew.fried at gmail

Jan 25, 2009, 11:46 AM

Post #21 of 21 (5078 views)
Permalink
Re: isprime DOS in progress [In reply to]

I just took a snapshot of my bind logs from the past two hours (on
01/25/2009 at 14:40 EST). Based on what I'm seeing, four DNS servers are
still under attack at varying levels. 206.71.158.30 is bearing the
brunt of the attacks. And as you indicated, 76.9.16.171 is still being
targeted, although to a lesser degree than before.

+---------------+-------------+
| host          | count(host) |
+---------------+-------------+
| 10.168.69.6   |           3 |
| 206.71.158.30 |        6513 |
| 63.217.28.226 |         182 |
| 66.230.160.1  |         266 |
| 76.9.16.171   |          92 |
+---------------+-------------+

--
Andrew Fried
andrew.fried [at] gmail



David Andersen wrote:
> I'm not sure you're entirely out of the water yet:
>
> 17:13:45.680944 76.9.16.171.53868 > XXXXXXXX.53: 58451+ NS? . (17)
> 17:13:45.681251 XXXXXXXX.53 > 76.9.16.171.53868: 58451 Refused- 0/0/0 (17)
>
> CIDR: 76.9.0.0/19
> NetName: ISPRIME-ARIN-3
>
> In addition to the one that Brian Keefer mentioned a few days ago
> (206.71.158.30).
>
> But on that subject, I figured I'd toss in a (sad) anecdote about
> security and upgrades. I'd upgraded this nameserver to bind-9 some
> time ago, during a bit of a security panic. And in the process, I
> screwed it up - I'd updated the machine itself, but had failed to
> propagate the changes to the master that sends updates to all of the
> servers. The obvious thing happened: after a while, this nameserver
> pulled its updates from the master, and downgraded to bind-8 again,
> which we didn't notice until I saw it spitting full cached NS
> responses to isprime hosts. Human error strikes again. Apologies for
> letting my host be an amplifier.
>
> -Dave
>
>
> On Jan 23, 2009, at 1:11 PM, Phil Rosenthal wrote:
>
>> Just a friendly notice, the attack against 66.230.128.15/66.230.160.1
>> seems to have stopped for now.
>>
>> -Phil
>> On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:
>>
>>> Graeme Fowler <graeme [at] graemef> writes:
>>>
>>>> I've been seeing a lot of noise from the latter two addresses after
>>>> switching on query logging (and finishing an application of Team Cymru's
>>>> excellent template) so I decided to DROP traffic from the addresses
>>>> (with source port != 53) at the hosts in question.
>>>>
>>>> Well, blow me down if they didn't completely stop talking to me. Four
>>>> dropped packets each, and they've gone away.
>>>>
>>>> Something smells "not quite right" here - if the traffic is spoofed, and
>>>> my "Refused" responses have been flying right back to the *real* IP
>>>> addresses, how are the spoofing hosts to know that I'm dropping the
>>>> traffic?
>>>
>>> Did you filter *only* 66.230.128.15/66.230.160.1, or are you dropping
>>> traffic from other sources too? Looks like some of the other source
>>> addresses are controlled by the DOSers. Possibly used to detect
>>> filters?
>>>
>>> These clients may look similar to the DOS attack, but there are subtle
>>> differences:
>>>
>>> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 05:08:34 canardo named[32046]: client 211.72.249.201#29656:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 05:47:00 canardo named[32046]: client 211.72.249.201#29662:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 07:42:08 canardo named[32046]: client 211.72.249.201#29670:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 08:20:30 canardo named[32046]: client 211.72.249.201#29673:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 08:58:50 canardo named[32046]: client 211.72.249.201#29678:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 18 09:37:13 canardo named[32046]: client 211.72.249.201#29679:
>>> view external: query (cache) './NS/IN' denied
>>>
>>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858:
>>> view external: query (cache) './NS/IN' denied
>>>
>>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574:
>>> view external: query (cache) './NS/IN' denied
>>>
>>>
>>> Notice the pattern:
>>> 3 probes every 38 minutes
>>> Each probe from the same source port
>>> Source port increases slowly and steadily
>>>
>>> This looks like some application actually waiting for a response. The
>>> slow source port change is probably an indication that this client only
>>> tests a small number of DNS servers. I guess that this client is either
>>> one of the many bots used to send the spoofed requests, or maybe a bot
>>> not allowed to spoof its source and therefore used for other
>>> purposes. In any case, I assume that other DNS servers may see such
>>> control sessions coming from other addresses.
>>>
>>> These 3 clients started probing my DNS server almost simultaneously
>>> on January 8th:
>>>
>>>
>>> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:36:30 canardo named[26496]: client 66.238.93.161#11299:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
>>> view external: query (cache) './NS/IN' denied
>>> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112:
>>> view external: query (cache) './NS/IN' denied
>>>
>>> Maybe preparing for the attack on ISPrime? I didn't start receiving
>>> spoofed requests from 66.230.128.15/66.230.160.1 before January 20th
>>>
>>>
>>> I just tried filtering the probing addresses. This made the probing
>>> stop immediately after dropping a set of 3 probes. But the spoofed
>>> requests continued at the same rate as before, so this does not support
>>> my theory.
>>>
>>> However, I believe it would be too much of a coincidence if there isn't
>>> some connection between the probing and the DOS attack. It would be
>>> interesting to hear if others see similar probing.
>>>
>>>
>>>
>>> Bjørn
>>>
>>
>>
>>
>
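
The two pieces of analysis in this thread, Andrew's per-host count of denied queries and Bjørn's slow-probe pattern (three queries from one source port, repeated roughly every 38 minutes, source port creeping upward), can both be run over a BIND log mechanically. The script below is an added example and is not code from anyone in the thread. It assumes BIND 9's "client IP#port: view NAME: query (cache) 'NAME/TYPE/CLASS' denied" line layout with a syslog timestamp (which carries no year, so 2009 is supplied), uses the quoted 211.72.249.201 lines as its probe sample, and constructs a flood sample from 192.0.2.10 (a TEST-NET-1 address, not one from the thread). The burst, period and jitter thresholds are assumptions chosen to match the pattern Bjørn describes and would need tuning against real logs.

```python
"""Triage BIND 'query (cache) ... denied' log lines (added example, not from
the thread): count denied queries per client and flag clients whose timing
matches the slow probe pattern rather than the spoofed flood."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 layout, optional "view <name>:" field, syslog timestamp.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:view \S+: )?query \(cache\) '(?P<qname>.+?)/(?P<qtype>\w+)/\w+' denied$"
)


def parse_line(line, year=2009):
    """Return a dict for one denied-query line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "port": int(m["port"]),
            "qname": m["qname"], "qtype": m["qtype"]}


def count_by_client(events):
    """Per-client totals: the same aggregation as the host/count(host) table."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


def bursts_for(events, gap_s=5):
    """Group one client's events into bursts of queries no more than gap_s apart."""
    bursts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if bursts and (e["ts"] - bursts[-1]["last"]).total_seconds() <= gap_s:
            b = bursts[-1]
            b["last"], b["n"] = e["ts"], b["n"] + 1
            b["ports"].add(e["port"])
        else:
            bursts.append({"start": e["ts"], "last": e["ts"], "n": 1, "ports": {e["port"]}})
    return bursts


def probe_profile(events, min_bursts=3, max_burst=5, min_period_s=60, max_jitter=0.2):
    """Return (is_probe, period_s) for one client. Assumed criteria: at least
    min_bursts small bursts, each from a single source port, recurring at a
    steady period (jitter within max_jitter of the mean) of at least
    min_period_s, with the source port never decreasing between bursts."""
    bursts = bursts_for(events)
    if len(bursts) < min_bursts:
        return False, None
    if any(b["n"] > max_burst or len(b["ports"]) != 1 for b in bursts):
        return False, None
    gaps = [(b2["start"] - b1["start"]).total_seconds() for b1, b2 in zip(bursts, bursts[1:])]
    period = sum(gaps) / len(gaps)
    if period < min_period_s or max(abs(g - period) for g in gaps) > max_jitter * period:
        return False, period
    ports = [next(iter(b["ports"])) for b in bursts]
    return all(p2 >= p1 for p1, p2 in zip(ports, ports[1:])), period


def triage(lines):
    """Parse all lines; return {ip: {"count", "bursts", "probe", "period_s"}}."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    counts = count_by_client(events)
    report = {}
    for ip, evs in by_ip.items():
        is_probe, period = probe_profile(evs)
        report[ip] = {"count": counts[ip], "bursts": len(bursts_for(evs)),
                      "probe": is_probe, "period_s": period}
    return report


# Probe sample: the first three bursts from 211.72.249.201 quoted in the thread.
PROBE_LINES = [
    f"Jan 18 {t} canardo named[32046]: client 211.72.249.201#{p}: "
    "view external: query (cache) './NS/IN' denied"
    for t, p in [("05:08:33", 29656), ("05:08:33", 29656), ("05:08:34", 29656),
                 ("05:47:00", 29662), ("05:47:01", 29662), ("05:47:01", 29662),
                 ("06:25:22", 29664), ("06:25:22", 29664), ("06:25:23", 29664)]
]
# Flood sample: constructed, not from the thread. A dozen queries from
# 192.0.2.10 (TEST-NET-1) inside two seconds, each from a different port.
FLOOD_LINES = [
    f"Jan 18 05:10:0{i % 3} canardo named[32046]: client 192.0.2.10#{40000 + 37 * i}: "
    "view external: query (cache) './NS/IN' denied"
    for i in range(12)
]

if __name__ == "__main__":
    for ip, r in sorted(triage(PROBE_LINES + FLOOD_LINES).items()):
        print(ip, r)
```

Run against a real log, the "count" column reproduces the kind of table Andrew posted, while "probe" separates the handful of regular, unspoofed control sessions from the spoofed sources; filtering decisions for the two groups differ, since the flood sources are victims rather than senders.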
