[165863] in North American Network Operators' Group
Re: d6991.com traffic
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Mon Sep 23 20:11:40 2013
Date: Mon, 23 Sep 2013 17:11:03 -0700
From: Paul Ferguson <fergdawgster@mykolab.com>
To: fire-eyes <sgtphou@fire-eyes.org>
In-Reply-To: <5240D654.1010402@fire-eyes.org>
Cc: nanog@nanog.org
Reply-To: fergdawgster@mykolab.com
On 9/23/2013 5:01 PM, fire-eyes wrote:
> It's DNS reflection attack noise:
>
> http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html
>
> This is a good blog for observing the domains and frequent correlation
> of items in whois and other traits that indicate much of this is done by
> the same actors.
>
Thanks for the pointer. :-)
- ferg
> On 09/23/2013 12:55 PM, Christopher Hunt wrote:
>> Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
>> 75% of the traffic is for d6991.com. Does anyone else see this? Who are
>> these folks (WEBNIC.CC)?
>>
>> -chris
>>
--
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington USA
IID --> "Connect and Collaborate" --> www.internetidentity.com