[110924] in North American Network Operators' Group


RE: isprime DOS in progress

daemon@ATHENA.MIT.EDU (Steven Lisson)
Fri Jan 23 14:46:58 2009

Date: Sat, 24 Jan 2009 05:46:41 +1000
In-Reply-To: <90932AF0-4D17-4D1D-B8BD-ABC2DEF8A27E@isprime.com>
From: "Steven Lisson" <stevel@dedicatedservers.net.au>
To: "Phil Rosenthal" <pr@isprime.com>,
	<nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Hi,

I agree with seeing no traffic to/from 66.230.128.15 but am still seeing flows 'from' 66.230.160.1

Regards,
Steve

-----Original Message-----
From: Phil Rosenthal [mailto:pr@isprime.com]
Sent: Saturday, 24 January 2009 4:12 AM
To: nanog@nanog.org
Subject: Re: isprime DOS in progress

Just a friendly notice, the attack against 66.230.128.15/66.230.160.1 seems to have stopped for now.

-Phil
On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:

> Graeme Fowler <graeme@graemef.net> writes:
>
>> I've been seeing a lot of noise from the latter two addresses after
>> switching on query logging (and finishing an application of Team Cymru's
>> excellent template) so I decided to DROP traffic from the addresses
>> (with source port != 53) at the hosts in question.
>>
>> Well, blow me down if they didn't completely stop talking to me. Four
>> dropped packets each, and they've gone away.
>>
>> Something smells "not quite right" here - if the traffic is spoofed, and
>> my "Refused" responses have been flying right back to the *real* IP
>> addresses, how are the spoofing hosts to know that I'm dropping the
>> traffic?
>
> Did you filter *only* 66.230.128.15/66.230.160.1, or are you dropping
> traffic from other sources too?  Looks like some of the other source
> addresses are controlled by the DOSers. Possibly used to detect filters?
>
> These clients may look similar to the DOS attack, but there are subtle
> differences:
>
> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
> Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
> Jan 18 05:08:34 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
> Jan 18 05:47:00 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
> Jan 18 05:47:01 canardo named[32046]: client 211.72.249.201#29662: view external: query (cache) './NS/IN' denied
> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
> Jan 18 06:25:22 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
> Jan 18 06:25:23 canardo named[32046]: client 211.72.249.201#29664: view external: query (cache) './NS/IN' denied
> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
> Jan 18 07:03:41 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
> Jan 18 07:03:42 canardo named[32046]: client 211.72.249.201#29667: view external: query (cache) './NS/IN' denied
> Jan 18 07:42:08 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
> Jan 18 07:42:09 canardo named[32046]: client 211.72.249.201#29670: view external: query (cache) './NS/IN' denied
> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
> Jan 18 08:20:29 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
> Jan 18 08:20:30 canardo named[32046]: client 211.72.249.201#29673: view external: query (cache) './NS/IN' denied
> Jan 18 08:58:50 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
> Jan 18 08:58:51 canardo named[32046]: client 211.72.249.201#29678: view external: query (cache) './NS/IN' denied
> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
> Jan 18 09:37:12 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
> Jan 18 09:37:13 canardo named[32046]: client 211.72.249.201#29679: view external: query (cache) './NS/IN' denied
>
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
> Jan 20 07:02:51 canardo named[32046]: client 213.61.92.192#46716: view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
> Jan 20 07:41:21 canardo named[32046]: client 213.61.92.192#46752: view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
> Jan 20 08:19:46 canardo named[32046]: client 213.61.92.192#46785: view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
> Jan 20 08:58:12 canardo named[32046]: client 213.61.92.192#46808: view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
> Jan 20 09:36:34 canardo named[32046]: client 213.61.92.192#46833: view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
> Jan 20 10:14:58 canardo named[32046]: client 213.61.92.192#46858: view external: query (cache) './NS/IN' denied
>
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
> Jan 22 06:27:28 canardo named[32046]: client 66.238.93.161#34373: view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
> Jan 22 07:05:55 canardo named[32046]: client 66.238.93.161#34420: view external: query (cache) './NS/IN' denied
> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
> Jan 22 07:44:20 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
> Jan 22 07:44:21 canardo named[32046]: client 66.238.93.161#34473: view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
> Jan 22 08:22:38 canardo named[32046]: client 66.238.93.161#34503: view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
> Jan 22 09:00:56 canardo named[32046]: client 66.238.93.161#34540: view external: query (cache) './NS/IN' denied
> Jan 22 09:39:20 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
> Jan 22 09:39:21 canardo named[32046]: client 66.238.93.161#34574: view external: query (cache) './NS/IN' denied
>
>
> Notice the pattern:
> 3 probes every 38 minutes
> Each probe from the same source port
> Source port increases slowly and steadily
>
> This looks like some application actually waiting for a response.  The
> slow source port change is probably an indication that this client only
> tests a small number of DNS servers.  I guess that this client is either
> one of the many bots used to send the spoofed requests, or maybe a bot
> not allowed to spoof its source and therefore used for other
> purposes. In any case, I assume that other DNS servers may see such
> control sessions coming from other addresses.
>
> These 3 clients started probing my DNS server almost simultaneously on
> January 8th:
>
>
> Jan  8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
> Jan  8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
> Jan  8 19:33:52 canardo named[26496]: client 213.61.92.192#31195: view external: query (cache) './NS/IN' denied
> Jan  8 19:36:29 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
> Jan  8 19:36:29 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
> Jan  8 19:36:30 canardo named[26496]: client 66.238.93.161#11299: view external: query (cache) './NS/IN' denied
> Jan  8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
> Jan  8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
> Jan  8 19:37:47 canardo named[26496]: client 211.72.249.201#29112: view external: query (cache) './NS/IN' denied
>
> Maybe preparing for the attack on ISPrime?  I didn't start receiving
> spoofed requests from 66.230.128.15/66.230.160.1 before January 20th
>
>
> I just tried filtering the probing addresses.  This made the probing
> stop immediately after dropping a set of 3 probes.  But the spoofed
> requests continued at the same rate as before, so this does not support
> my theory.
>
> However, I believe it would be too much of a coincidence if there isn't
> some connection between the probing and the DOS attack.  It would be
> interesting to hear if others see similar probing.
>
>
>
> Bjørn
>
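The probe signature Bjørn describes in the quoted post (three queries per burst, all from one source port, bursts about 38 minutes apart, the port creeping upward between bursts) can be checked for mechanically rather than by eye. The script below is an added example for this archive page, not code from the thread or from any of its authors. It parses BIND "query ... denied" lines of the form quoted above, folds consecutive same-port queries from one client into a burst, and flags clients whose bursts recur at a near-constant interval with a rising source port. The burst timestamps and ports for 211.72.249.201 are copied from the quoted Jan 18 log; the 66.230.128.15 lines are constructed noise standing in for the spoofed flood, so that an irregular source is shown not to match; the year 2009, the 15 % interval tolerance and the three-burst minimum are this example's own assumptions, not anything stated in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 "query denied" line in the shape quoted in the thread, e.g.
# Jan 18 05:08:33 canardo named[32046]: client 211.72.249.201#29656: view external: query (cache) './NS/IN' denied
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): view \S+: "
    r"query \(cache\) '(?P<query>[^']*)' denied$"
)


def parse_line(line, year=2009):
    """Return {ts, ip, port, query} for a matching line, else None.
    Syslog timestamps carry no year, so one is assumed (2009 for this thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "port": int(m["port"]), "query": m["query"]}


def group_bursts(events):
    """Per client IP, fold consecutive events that share a source port into one burst
    (a resolver retrying the same outstanding query keeps its port)."""
    bursts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_ip = bursts[ev["ip"]]
        if per_ip and per_ip[-1]["port"] == ev["port"]:
            per_ip[-1]["count"] += 1
        else:
            per_ip.append({"first": ev["ts"], "port": ev["port"], "count": 1})
    return bursts


def periodic_probers(events, min_bursts=3, tolerance=0.15):
    """Flag clients whose bursts recur at a near-constant interval (every gap within
    `tolerance` of the mean gap) and whose source port rises from burst to burst."""
    findings = {}
    for ip, b in group_bursts(events).items():
        if len(b) < min_bursts:
            continue
        gaps = [(b[i + 1]["first"] - b[i]["first"]).total_seconds() for i in range(len(b) - 1)]
        mean = sum(gaps) / len(gaps)
        regular = all(abs(g - mean) <= tolerance * mean for g in gaps)
        rising = all(b[i + 1]["port"] > b[i]["port"] for i in range(len(b) - 1))
        if regular and rising:
            findings[ip] = {
                "bursts": len(b),
                "probes_per_burst": [x["count"] for x in b],
                "interval_min": round(mean / 60, 1),
                "ports": [x["port"] for x in b],
            }
    return findings


# First timestamp and source port of each burst, copied from the quoted Jan 18 log for 211.72.249.201.
PROBE_BURSTS = [
    ("05:08:33", 29656), ("05:47:00", 29662), ("06:25:22", 29664), ("07:03:41", 29667),
    ("07:42:08", 29670), ("08:20:29", 29673), ("08:58:50", 29678), ("09:37:12", 29679),
]
FMT = "Jan 18 {t} canardo named[32046]: client {ip}#{p}: view external: query (cache) './NS/IN' denied"
SAMPLE_LOG = [FMT.format(t=t, ip="211.72.249.201", p=p) for t, p in PROBE_BURSTS for _ in range(3)]
# Constructed noise: spoofed-looking queries with unrelated ports and irregular timing (not from the thread).
SAMPLE_LOG += [FMT.format(t=t, ip="66.230.128.15", p=p)
               for t, p in [("05:00:00", 1000), ("05:00:01", 4321), ("05:09:00", 222), ("05:10:30", 5000)]]
SAMPLE_LOG.append("Jan 18 05:00:02 canardo named[32046]: unrelated message")  # skipped by the parser


def analyse(lines=SAMPLE_LOG):
    """Parse the given log lines and return the periodic-prober findings keyed by client IP."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return periodic_probers(events)


if __name__ == "__main__":
    for ip, info in analyse().items():
        print(f"{ip}: {info['bursts']} bursts of {info['probes_per_burst'][0]} probes, "
              f"every ~{info['interval_min']} min, ports {info['ports'][0]}..{info['ports'][-1]}")
```

Run against a real `named` log, the same `analyse()` call takes the file's lines; the interval tolerance is deliberately loose because the quoted bursts drift by a few seconds each cycle, and the spoofed flood fails the check on both counts (no steady gap, no monotonic port), which is exactly the "subtle difference" the post is pointing at.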