[BlueOnyx:12788] Re: DNS attack profile

Dr. Blunt cleardata at earthlink.net
Tue Apr 9 08:36:53 -05 2013


I had this on just ONE of my servers last night

  --------------------- iptables firewall Begin ------------------------
  Logged 54220 packets on interface eth0
    From 46.21.161.37 - 45 packets to tcp(22)
    From 50.30.35.41 - 90 packets to tcp(22)
    From 58.30.229.98 - 45 packets to tcp(22)
    From 58.225.75.228 - 45 packets to tcp(22)
    From 75.99.120.194 - 17978 packets to tcp(25)
    From 78.60.146.192 - 45 packets to tcp(22)
    From 93.115.175.105 - 17982 packets to tcp(25)
    From 114.80.125.211 - 17685 packets to tcp(25)
    From 115.238.101.39 - 45 packets to tcp(22)
    From 188.241.179.171 - 45 packets to tcp(22)
    From 202.136.60.142 - 45 packets to tcp(22)
    From 202.171.42.162 - 34 packets to tcp(25)
    From 203.114.114.181 - 1 packet to tcp(22)
    From 210.15.239.58 - 90 packets to tcp(25)
    From 222.73.219.164 - 45 packets to tcp(22)
  ---------------------- iptables firewall End -------------------------




At 11:57 PM 4/8/2013, you wrote:
>Some observations:
>
>Up until the recent flap over DNS attacks, I had observed that while the
>numbers of different bogus queries attempting to do amplification attacks
>were relatively small, and generally limited to a handful of 'target' IPs,
>and the same query was made continuously with the same source IPs for
>hours or days, clearly a focused attack at those targets.
>
>That's all changed around the beginning of the year.  Now, it's a
>monstrously huge number of source IPs from all over the map.  By
>contrast, most of these queries are not being attempted more than a
>handful of times, then the source IP changes every few minutes, and
>apparently 'cycles' through a slowly repeating list.
>
>Also, the queries, which often had varying domains such as isc.org, most
>named ones are now for "deniedstresser.com".  The vast majority are now
>just 'ANY'.
>
>Just a quick grep of source IPs doing 'ANY' attempts over the last 24
>hours shows 1157 *different* IPs hitting just one DNS server here.  Of
>course the total number of query *attempts* is way higher than that.
>
>The IPs are often not just commercial sites, but even DSL or cable
>addresses of apparent home users.  So it appears now, the goal may not be
>just a single target machine, but rather an attempt to just flood and
>degrade entire networks.
>
>I'm curious about what others are seeing.
>
>=^_^=  Tigerwolf
>_______________________________________________
>Blueonyx mailing list
>Blueonyx at mail.blueonyx.it
>http://mail.blueonyx.it/mailman/listinfo/blueonyx
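As an added example (not code from either poster), here is a small Python script that does the two checks discussed in this thread on a defender's side: it parses logwatch "iptables firewall" summary lines in the format shown above and flags sources that sent an outsized number of packets toward one port, and it counts distinct client IPs issuing 'ANY' queries in BIND-style query-log lines. The iptables sample lines are copied from the post; the query-log lines, their format, and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed assumptions for illustration only.

```python
import re
from collections import Counter

# Lines copied from the logwatch "iptables firewall" summary in the post above.
IPTABLES_SUMMARY = """\
    From 46.21.161.37 - 45 packets to tcp(22)
    From 75.99.120.194 - 17978 packets to tcp(25)
    From 93.115.175.105 - 17982 packets to tcp(25)
    From 202.171.42.162 - 34 packets to tcp(25)
    From 203.114.114.181 - 1 packet to tcp(22)
"""

# Constructed BIND-style query-log lines (assumed format, RFC 5737 test addresses;
# not real data from the thread).
BIND_QUERYLOG = """\
09-Apr-2013 03:12:01.101 client 192.0.2.10#4312: query: deniedstresser.com IN ANY +E (198.51.100.1)
09-Apr-2013 03:12:01.205 client 192.0.2.11#4313: query: deniedstresser.com IN ANY +E (198.51.100.1)
09-Apr-2013 03:12:02.007 client 192.0.2.10#4314: query: deniedstresser.com IN ANY +E (198.51.100.1)
09-Apr-2013 03:12:05.330 client 203.0.113.7#51000: query: www.example.com IN A + (198.51.100.1)
09-Apr-2013 03:12:06.118 client 192.0.2.12#4315: query: isc.org IN ANY +E (198.51.100.1)
"""

# "From <ip> - <n> packet(s) to <proto>(<port>)"; the singular "1 packet" form occurs too.
SUMMARY_RE = re.compile(r"^\s*From (\S+) - (\d+) packets? to (tcp|udp)\((\d+)\)\s*$")
# "client <ip>#<port>: query: <name> IN <type>" as written by BIND's query log.
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def parse_summary(text):
    """Return a list of (src_ip, packets, proto, port) tuples from summary lines."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return records


def flag_floods(records, threshold=1000):
    """Sources that sent at least `threshold` packets to a single port, busiest first."""
    hits = [(ip, n, f"{proto}({port})") for ip, n, proto, port in records if n >= threshold]
    return sorted(hits, key=lambda r: -r[1])


def per_port_totals(records):
    """Total logged packets per destination proto(port)."""
    totals = Counter()
    for _ip, n, proto, port in records:
        totals[f"{proto}({port})"] += n
    return totals


def any_query_sources(text):
    """Counts of ANY queries per client IP and per queried name."""
    per_ip, per_name = Counter(), Counter()
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(3).upper() == "ANY":
            per_ip[m.group(1)] += 1
            per_name[m.group(2)] += 1
    return per_ip, per_name


if __name__ == "__main__":
    recs = parse_summary(IPTABLES_SUMMARY)
    print("packets per port:", dict(per_port_totals(recs)))
    for ip, n, dst in flag_floods(recs):
        print(f"FLOOD  {ip:16} {n:>6} packets -> {dst}")
    ips, names = any_query_sources(BIND_QUERYLOG)
    print(f"{len(ips)} distinct IPs sent ANY queries:", dict(ips))
    print("names asked for with ANY:", dict(names))
```

Pointing `parse_summary` at the whole logwatch section and `any_query_sources` at a real query log gives the same per-IP counts Tigerwolf got with grep, plus the per-name breakdown that shows whether one domain dominates the ANY traffic.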