[165854] in North American Network Operators' Group

RE: d6991.com traffic

daemon@ATHENA.MIT.EDU (Meshier, Brent)
Mon Sep 23 13:15:29 2013

From: "Meshier, Brent" <bmeshier@amherst.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Mon, 23 Sep 2013 17:11:04 +0000
In-Reply-To: <CAP+vuLXX8UOE8NSB3ht5L-Rj-kfMhmHmXimojPv6qG=wD7449w@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Could be DNS packet tunneling to China, bad news.

https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152


-----Original Message-----
From: Christopher Hunt [mailto:dharmachris@gmail.com]
Sent: Monday, September 23, 2013 11:55 AM
To: nanog@nanog.org
Subject: d6991.com traffic

Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
75% of the traffic is for d6991.com.  Does anyone else see this?  Who are
these folks (WEBNIC.CC)?

-chris
