On 9/23/2013 5:01 PM, fire-eyes wrote:
It's DNS reflection attack noise:
http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html
This is a good blog for observing the domains and frequent correlation
of items in whois and other traits that indicate much of this is done by
the same actors.
On 09/23/2013 12:55 PM,
Well,
There are a lot of those popping up in the past 6 months.
I'm still running bindguard 0.71 and caught about 1300 targets of
reflection DDoS in the past 24h.
Besides using ". IN ANY" a lot are using "isc.org IN ANY" and some
more that I won't list here =D
Which should be
Once upon a time, Chris Hunt said:
> That is a problem, but I'm seeing a lot of queries from residential
> users for what seems to me an obscure name hosted in Asia. I'm
> guessing some kind of bot traffic...
Any of the affected users have open resolvers (on DSL routers for
example)?
--
Chris
On Sep 23, 2013, at 1:25 PM, Chris Adams wrote:
> Once upon a time, Chris Hunt said:
>> That is a problem, but I'm seeing a lot of queries from residential
>> users for what seems to me an obscure name hosted in Asia. I'm
>> guessing some kind of bot traffic...
>
> Any of the affected users
That is a problem, but I'm seeing a lot of queries from residential
users for what seems to me an obscure name hosted in Asia. I'm
guessing some kind of bot traffic...
-chris
On 9/23/2013 10:09 AM, Paul Ferguson wrote:
> On 9/23/2013 9:55 AM, Christopher Hunt wrote:
>
>> Beginning about 0900UTC
On Sep 24, 2013, at 12:11 AM, Chris Hunt wrote:
> That is a problem, but I'm seeing a lot of queries from residential users for
> what seems to me an obscure name hosted in Asia. I'm
> guessing some kind of bot traffic...
They may be open recursors being leveraged for DNS reflection/amplifica
Could be DNS packet tunneling to China, bad news.
https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
-Original Message-
From: Christopher Hunt [mailto:dharmach...@gmail.com]
Sent: Monday, September 23, 2013 11:55 AM
To: nanog@nanog.org
Subject: d6991.com traf
On 9/23/2013 9:55 AM, Christopher Hunt wrote:
Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
75% of the traffic is for d6991.com. Does anyone else see this? Who are
these folks (WEBNIC.CC)?
Maybe because of this mess?
;; Truncated, retrying in TCP mode.
; <<>