[151964] in North American Network Operators' Group


Re: DNS noise

daemon@ATHENA.MIT.EDU (Keegan Holley)
Fri Apr 6 13:49:06 2012

In-Reply-To: <8C26A4FDAE599041A13EB499117D3C287CA17C7F@EX-MB-1.corp.atlasnetworks.us>
From: Keegan Holley <keegan.holley@sungard.com>
Date: Fri, 6 Apr 2012 13:47:43 -0400
To: Nathan Eisenberg <nathan@atlasnetworks.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Have you tried contacting the owner of the IP?  A DDOS attack from that
particular IP would be ironic.

#
# The following results may also be obtained via:
#
http://whois.arin.net/rest/nets;q=72.20.23.24?showDetails=true&showARIN=false&ext=netref2
#

Staminus Communications STAMINUS-COMMUNICATIONS (NET-72-20-0-0-1) 72.20.0.0 - 72.20.63.255
DDOSWIZ.COM STAMINUS-COMMUNICATIONS (NET-72-20-23-0-1) 72.20.23.0 - 72.20.23.63


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#



2012/4/6 Nathan Eisenberg <nathan@atlasnetworks.us>

> Anyone else seeing this sort of noise lately?
>
> 10:35:00.958556 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:00.961055 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:01.262461 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:01.350979 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:01.351001 IP 66.171.180.48 > 72.20.23.24: ICMP 66.171.180.48 udp
> port 53 unreachable, length 74
> 10:35:01.573166 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:01.573204 IP 66.171.180.48 > 72.20.23.19: ICMP 66.171.180.48 udp
> port 53 unreachable, length 74
> 10:35:01.730128 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:01.970730 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:02.121218 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:02.374853 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:02.374879 IP 66.171.180.48 > 72.20.23.19: ICMP 66.171.180.48 udp
> port 53 unreachable, length 74
> 10:35:02.493257 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:02.493270 IP 66.171.180.48 > 72.20.23.24: ICMP 66.171.180.48 udp
> port 53 unreachable, length 74
> 10:35:02.726303 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:02.863667 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:03.023693 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:03.251935 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:03.251964 IP 66.171.180.48 > 72.20.23.24: ICMP 66.171.180.48 udp
> port 53 unreachable, length 74
> 10:35:03.326562 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:03.630514 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
> 10:35:03.638327 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> ripe.net. (38)
>
> Note that the server involved does not run a DNS daemon, or listen on 53,
> or anything else that would attract attention.
>
>
>
>
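
Added example, not part of either message: a Python tally for a text capture in the tcpdump layout quoted above, reporting per remote source how many DNS queries arrived on port 53, which query IDs and questions they carried, and how many ICMP port-unreachable replies went back. SAMPLE is constructed with documentation addresses, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump text layout as the quoted capture
# (mail quoting and line wrapping included); documentation addresses only.
SAMPLE = """\
> 10:35:00.958556 IP 192.0.2.24.53 > 198.51.100.48.53: 952+ [1au] ANY?
> example.net. (38)
> 10:35:00.961055 IP 192.0.2.19.53 > 198.51.100.48.53: 952+ [1au] ANY?
> example.net. (38)
> 10:35:01.350979 IP 192.0.2.24.53 > 198.51.100.48.53: 952+ [1au] ANY?
> example.net. (38)
> 10:35:01.351001 IP 198.51.100.48 > 192.0.2.24: ICMP 198.51.100.48 udp
> port 53 unreachable, length 74
"""

TS = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{6} ")
QUERY = re.compile(r"\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.(?P<dport>\d+): "
                   r"(?P<id>\d+)\S* (?:\[\S+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
UNREACH = re.compile(r"\S+ IP [\d.]+ > (?P<dst>[\d.]+): ICMP \S+ udp port (?P<port>\d+) unreachable")

def unwrap(text):
    """Strip mail quote markers and rejoin records the mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def summarize(text):
    """Per remote source: DNS queries received, and port-unreachables sent back."""
    stats = defaultdict(lambda: {"queries": 0, "ids": set(), "questions": set(), "unreachable": 0})
    for rec in unwrap(text):
        if (m := UNREACH.match(rec)) and m["port"] == "53":
            stats[m["dst"]]["unreachable"] += 1
        elif (m := QUERY.match(rec)) and m["dport"] == "53":
            s = stats[m["src"]]
            s["queries"] += 1
            s["ids"].add(int(m["id"]))
            s["questions"].add((m["qtype"], m["qname"]))
    return dict(stats)

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE).items()):
        print(src, s["queries"], "queries,", s["unreachable"], "unreachable sent,",
              "ids", sorted(s["ids"]), "questions", sorted(s["questions"]))
```

A source whose queries all carry one query ID and one question, as every line in the quoted capture does, shows up here as a single-element `ids` and `questions` set.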
