Hi, I agree with seeing no traffic to/from 66.230.128.15 but am still seeing flows 'from' 66.230.160.1
Regards,
Steve

-----Original Message-----
From: Phil Rosenthal [mailto:p...@isprime.com]
Sent: Saturday, 24 January 2009 4:12 AM
To: nanog@nanog.org
Subject: Re: isprime DOS in progress

Just a friendly notice, the attack against 66.230.128.15/66.230.160.1 seems to have stopped for now.

-Phil

On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:

> Graeme Fowler <gra...@graemef.net> writes:
>
>> I've been seeing a lot of noise from the latter two addresses after
>> switching on query logging (and finishing an application of Team Cymru's
>> excellent template) so I decided to DROP traffic from the addresses
>> (with source port != 53) at the hosts in question.
>>
>> Well, blow me down if they didn't completely stop talking to me. Four
>> dropped packets each, and they've gone away.
>>
>> Something smells "not quite right" here - if the traffic is spoofed, and
>> my "Refused" responses have been flying right back to the *real* IP
>> addresses, how are the spoofing hosts to know that I'm dropping the
>> traffic?
>
> Did you filter *only* 66.230.128.15/66.230.160.1, or are you dropping
> traffic from other sources too? Looks like some of the other source
> addresses are controlled by the DOSers. Possibly used to detect
> filters?
>
> These clients may look similar to the DOS attack, but there are subtle
> differences:
>
> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
> Jan 18 05:08:34 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
> Jan 18 05:47:00 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
> Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
> Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
> Jan 18 07:42:08 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
> Jan 18 08:20:30 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
> Jan 18 08:58:50 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
> Jan 18 09:37:13 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
>
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
>
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
> Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
> Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
>
> Notice the pattern:
> 3 probes every 38 minutes
> Each probe from the same source port
> Source port increases slowly and steadily
>
> This looks like some application actually waiting for a response. The
> slow source port change is probably an indication that this client only
> tests a small number of DNS servers. I guess that this client is either
> one of the many bots used to send the spoofed requests, or maybe a bot
> not allowed to spoof its source and therefore used for other
> purposes. In any case, I assume that other DNS servers may see such
> control sessions coming from other addresses.
>
> These 3 clients started probing my DNS server almost simultaneously
> on January 8th:
>
> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
> Jan 8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
> Jan 8 19:36:29 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
> Jan 8 19:36:30 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
> Jan 8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
>
> Maybe preparing for the attack on ISPrime? I didn't start receiving
> spoofed requests from 66.230.128.15/66.230.160.1 before January 20th.
>
> I just tried filtering the probing addresses. This made the probing
> stop immediately after dropping a set of 3 probes. But the spoofed
> requests continued at the same rate as before, so this does not
> support my theory.
>
> However, I believe it would be too much of a coincidence if there isn't
> some connection between the probing and the DOS attack. It would be
> interesting to hear if others see similar probing.
>
> Bjørn
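The probe pattern Bjørn describes (three queries per burst, one source port per burst, a steady 38-minute period, the port creeping upward between bursts) can be picked out of a BIND query log mechanically, and separated from the high-rate spoofed flood that looks superficially the same. The script below is an added example, not code from anyone in this thread. It assumes the year 2009 for the syslog timestamps (they carry none), uses a constructed sample log modelled on the quoted lines, and its thresholds (10-second burst gap, 10% period jitter, at most five queries per burst, one query per second as the flood cut-off) are guesses tuned to those lines rather than anything the thread states:

```python
"""Pick out slow 'probe' clients from a spoofed-source DNS flood in BIND logs.

Added example for this thread, not code from any of the posters. It parses
lines of the shape Bjørn quoted and checks each client for his pattern:
a few queries per burst, all from one source port, bursts at a steady
interval, the port creeping upward between bursts. The sample log is
constructed; the year is an assumption because syslog timestamps have none.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2009  # assumption: syslog lines carry no year

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r".*query \(cache\) '(?P<qname>[^']*)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)


def parse_line(line):
    """Return a dict for one 'query ... denied' line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "port": int(m["port"]),
            "qname": m["qname"], "qtype": m["qtype"]}


def group_bursts(events, burst_gap=10):
    """Split one client's queries into bursts: consecutive queries from the
    same source port no more than burst_gap seconds apart."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        last = bursts[-1] if bursts else None
        if last and ev["port"] == last["port"] and \
                (ev["ts"] - last["last"]).total_seconds() <= burst_gap:
            last["count"] += 1
            last["last"] = ev["ts"]
        else:
            bursts.append({"port": ev["port"], "first": ev["ts"],
                           "last": ev["ts"], "count": 1})
    return bursts


def classify_client(events, min_bursts=3, min_period=60, max_jitter=0.1):
    """'prober': small bursts on a regular period with a climbing source port.
    'flood': a sustained query per second or more (the spoofed traffic).
    Otherwise 'irregular'; too few bursts to judge gives 'insufficient'."""
    events = sorted(events, key=lambda e: e["ts"])
    bursts = group_bursts(events)
    if len(bursts) < min_bursts:
        return "insufficient", bursts, None
    periods = [(b["first"] - a["first"]).total_seconds()
               for a, b in zip(bursts, bursts[1:])]
    period = statistics.median(periods)
    regular = period >= min_period and all(
        abs(p - period) <= max_jitter * period for p in periods)
    climbing = all(b["port"] > a["port"] for a, b in zip(bursts, bursts[1:]))
    small = all(b["count"] <= 5 for b in bursts)
    if regular and climbing and small:
        return "prober", bursts, period
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    if len(events) / max(span, 1.0) >= 1.0:
        return "flood", bursts, period
    return "irregular", bursts, period


def summarise(lines):
    """Group the './NS/IN' denials by client address and classify each client."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["qname"] == "." and ev["qtype"] == "NS":
            by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, events in by_ip.items():
        verdict, bursts, period = classify_client(events)
        report[ip] = {"verdict": verdict, "bursts": len(bursts),
                      "period_s": period, "ports": [b["port"] for b in bursts][:6]}
    return report


def _line(ts, ip, port):
    return (f"{ts.strftime('%b %d %H:%M:%S')} canardo named[32046]: client {ip}#{port}: "
            f"view external: query (cache) './NS/IN' denied")


def sample_log():
    """Constructed sample: one prober shaped like the thread's pattern (three
    queries per burst, 38-minute period, one port per burst, port climbing)
    and one spoofed-source flood with a fresh port on every query."""
    lines = []
    t0 = datetime(ASSUMED_YEAR, 1, 18, 5, 8, 33)
    for i, port in enumerate([29656, 29662, 29664, 29667, 29670]):
        start = t0 + timedelta(minutes=38 * i)
        for j in range(3):
            lines.append(_line(start + timedelta(seconds=j // 2), "211.72.249.201", port))
    t1 = datetime(ASSUMED_YEAR, 1, 20, 12, 0, 0)
    for i in range(60):  # 60 queries in three seconds, port changing every time
        lines.append(_line(t1 + timedelta(seconds=i // 20), "66.230.128.15",
                           1024 + (i * 7919) % 60000))
    return lines


if __name__ == "__main__":
    for ip, info in summarise(sample_log()).items():
        print(ip, info)
```

Run as a script it prints one verdict per client for the constructed sample; to use it on a real server, pass the lines of the named query log to summarise() instead of sample_log(). Only the './NS/IN' denials are counted, so ordinary refused recursion from other clients does not pollute the per-client timing.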