[165862] in North American Network Operators' Group


Re: d6991.com traffic

daemon@ATHENA.MIT.EDU (fire-eyes)
Mon Sep 23 20:01:43 2013

Date: Mon, 23 Sep 2013 20:01:24 -0400
From: fire-eyes <sgtphou@fire-eyes.org>
To: nanog@nanog.org
In-Reply-To: <CAP+vuLXX8UOE8NSB3ht5L-Rj-kfMhmHmXimojPv6qG=wD7449w@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

It's DNS reflection attack noise:

http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html

This is a good blog for observing the domains and frequent correlation 
of items in whois and other traits that indicate much of this is done by 
the same actors.

On 09/23/2013 12:55 PM, Christopher Hunt wrote:
> Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
>   75% of the traffic is for d6991.com.  Does anyone else see this?  Who are
> these folks (WEBNIC.CC)?
>
> -chris
>


