[151965] in North American Network Operators' Group
Re: DNS noise
daemon@ATHENA.MIT.EDU (Michael Sinatra)
Fri Apr 6 13:52:26 2012
Date: Fri, 06 Apr 2012 10:51:50 -0700
From: Michael Sinatra <michael@rancid.berkeley.edu>
To: Keegan Holley <keegan.holley@sungard.com>
In-Reply-To: <CABO8Q6QrNbwe_Z-DV9xLVqF0gVBs1ntT=DtwDujSEZipoNSfkw@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 04/06/12 10:47, Keegan Holley wrote:
> Have you tried contacting the owner of the IP? A DDOS attack from that
> particular IP would be ironic.
>
> #
> # The following results may also be obtained via:
> #
> http://whois.arin.net/rest/nets;q=72.20.23.24?showDetails=true&showARIN=false&ext=netref2
> #
>
> Staminus Communications STAMINUS-COMMUNICATIONS (NET-72-20-0-0-1) 72.20.0.0 - 72.20.63.255
> DDOSWIZ.COM STAMINUS-COMMUNICATIONS (NET-72-20-23-0-1) 72.20.23.0 - 72.20.23.63

If it's an attempt at a reflective DNS-based DDoS attack, then the
source IP address making the query is likely spoofed. The IP address in
question is really the target, not the source of the attack.

That is, of course, if this is a standard reflective DDoS attack.

michael
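
The point made in the reply above can be checked from the server side. This is an added example, not part of the original message: a sketch that scans a DNS query log for "clients" whose traffic is dominated by one repeated question, which is what a spoofed reflection target looks like. The log format (BIND-style), the sample lines, the addresses (documentation ranges), the function name and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a BIND query log (assumed format).
SAMPLE_LOG = "\n".join(
    [f"06-Apr-2012 10:47:{i % 60:02d}.000 client 192.0.2.10#{40000 + i}: "
     f"query: example.org IN ANY +E (198.51.100.53)" for i in range(40)]
    + ["06-Apr-2012 10:47:05.000 client 203.0.113.7#5353: query: www.example.com IN A + (198.51.100.53)",
       "06-Apr-2012 10:47:09.000 client 203.0.113.7#5354: query: mail.example.com IN MX + (198.51.100.53)",
       "06-Apr-2012 10:47:11.000 client 203.0.113.7#5355: query: example.net IN AAAA + (198.51.100.53)"]
)

# Client address, then the question name and type; the source port is ignored.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def likely_reflection_targets(log_text, min_queries=20, min_share=0.9):
    """Return {client_ip: (total, qname, qtype, share)} for clients whose
    queries are dominated by a single repeated question. Such an address is
    more likely a spoofed victim than a host that is really sending queries."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            question = (m["qname"].lower(), m["qtype"].upper())
            per_client[m["ip"]][question] += 1

    flagged = {}
    for ip, questions in per_client.items():
        total = sum(questions.values())
        (qname, qtype), top = questions.most_common(1)[0]
        share = top / total
        # Hypothetical thresholds: tune to the server's normal query mix.
        if total >= min_queries and share >= min_share:
            flagged[ip] = (total, qname, qtype, round(share, 2))
    return flagged

if __name__ == "__main__":
    for ip, (total, qname, qtype, share) in likely_reflection_targets(SAMPLE_LOG).items():
        print(f"{ip}: {total} queries, {share:.0%} for {qname}/{qtype}: "
              "probable target of reflection, not the attacker")
```

An address flagged this way is a candidate for response rate limiting or filtering at the server, and its whois contact is the party to notify as a victim rather than to blame as the sender.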