DOS attack assistance?
Max Larson Henry
maxlarson.henry at mtptc.gouv.ht
Wed Nov 26 13:53:16 UTC 2008
Hi,
Please look for proxad.fr <-- Free
Free is an ADSL provider based in France and proxad is a hosting
company (please take a look at the "dig -x" below)
dig -x 88.191.63.28
; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;28.63.191.88.in-addr.arpa. IN PTR
;; ANSWER SECTION:
28.63.191.88.in-addr.arpa. 86400 IN PTR sd-11899.dedibox.fr.
;; AUTHORITY SECTION:
63.191.88.in-addr.arpa. 86400 IN NS dns2.dedibox.fr.
63.191.88.in-addr.arpa. 86400 IN NS dns1.dedibox.fr.
;; Query time: 390 msec
;; SERVER: 200.80.96.100#53(200.80.96.100)
;; WHEN: Wed Nov 26 08:46:38 2008
;; MSG SIZE rcvd: 114
==========================
dig -x 88.191.63.28 +trace
; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28 +trace
;; global options: printcmd
. 17574 IN NS d.root-servers.net.
. 17574 IN NS e.root-servers.net.
. 17574 IN NS f.root-servers.net.
. 17574 IN NS g.root-servers.net.
. 17574 IN NS h.root-servers.net.
. 17574 IN NS i.root-servers.net.
. 17574 IN NS j.root-servers.net.
. 17574 IN NS k.root-servers.net.
. 17574 IN NS l.root-servers.net.
. 17574 IN NS m.root-servers.net.
. 17574 IN NS a.root-servers.net.
. 17574 IN NS b.root-servers.net.
. 17574 IN NS c.root-servers.net.
;; Received 488 bytes from 200.80.96.100#53(200.80.96.100) in 31 ms
88.in-addr.arpa. 86400 IN NS ns.lacnic.net.
88.in-addr.arpa. 86400 IN NS ns3.nic.fr.
88.in-addr.arpa. 86400 IN NS sec1.apnic.net.
88.in-addr.arpa. 86400 IN NS sec3.apnic.net.
88.in-addr.arpa. 86400 IN NS sunic.sunet.se.
88.in-addr.arpa. 86400 IN NS ns-pri.ripe.net.
88.in-addr.arpa. 86400 IN NS tinnie.arin.net.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms
191.88.in-addr.arpa. 172800 IN NS ns.ripe.net.
191.88.in-addr.arpa. 172800 IN NS ns0.proxad.net.
191.88.in-addr.arpa. 172800 IN NS ns1.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms
63.191.88.in-addr.arpa. 86400 IN NS dns1.dedibox.fr.
63.191.88.in-addr.arpa. 86400 IN NS dns2.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms
28.63.191.88.in-addr.arpa. 86400 IN PTR sd-11899.dedibox.fr.
191.88.in-addr.arpa. 7200 IN NS dns1.dedibox.fr.
191.88.in-addr.arpa. 7200 IN NS dns2.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms
-Max
2008/11/26 Pete Templin <petelists at templin.org>:
> One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps
> from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards
> don't seem to be doing a proper job of that, unfortunately. The attack is a
> solid 300% more pps than our aggregate traffic levels.
>
> It's coming in via 6461, but they don't appear to have any ability to
> backtrack it. Their only offer is to blackhole the destination until the
> attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has
> little if any information publicly visible.
>
> Any pointers on what to do next?
>
> Thanks,
>
> Pete
>
>
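
Added example, not part of the original message: a Python parser that reads the "dig -x 88.191.63.28 +trace" output shown above and lists who each level of the reverse zone was delegated to, ending at the operator of the deepest zone. The function names and the two-label operator heuristic are assumptions made for this example.

```python
import ipaddress
import re

# Abridged from the `dig -x 88.191.63.28 +trace` output in the message above.
TRACE = """\
88.in-addr.arpa. 86400 IN NS ns-pri.ripe.net.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms
191.88.in-addr.arpa. 172800 IN NS ns.ripe.net.
191.88.in-addr.arpa. 172800 IN NS ns0.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms
63.191.88.in-addr.arpa. 86400 IN NS dns1.dedibox.fr.
63.191.88.in-addr.arpa. 86400 IN NS dns2.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms
28.63.191.88.in-addr.arpa. 86400 IN PTR sd-11899.dedibox.fr.
191.88.in-addr.arpa. 7200 IN NS dns1.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|PTR)\s+(\S+)$")
FROM = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+\((\S+?)\)")

def delegation_chain(trace, ip):
    """Return ([(zone, nameservers, referred_by)], ptr_target) from +trace text."""
    qname = ipaddress.ip_address(ip).reverse_pointer + "."  # name `dig -x` queries
    chain, ptr, pending = [], None, {}
    for line in trace.splitlines():
        rr = RR.match(line.strip())
        src = FROM.match(line)
        if rr:
            owner, rtype, target = rr.groups()
            if rtype == "PTR" and owner == qname:
                ptr = target
            elif rtype == "NS" and qname.endswith("." + owner):
                pending.setdefault(owner, []).append(target)
        elif src:
            # End of one reply: keep only referrals to a zone deeper than the last.
            for zone, servers in pending.items():
                if not chain or len(zone) > len(chain[-1][0]):
                    chain.append((zone, sorted(servers), src.group(2)))
            pending = {}
    return chain, ptr

def operators(nameservers):
    """Crude operator hint (assumption): last two labels of each name server."""
    return sorted({".".join(ns.rstrip(".").split(".")[-2:]) for ns in nameservers})

if __name__ == "__main__":
    for zone, servers, via in delegation_chain(TRACE, "88.191.63.28")[0]:
        print(f"{zone:<24} -> {operators(servers)} (referred by {via})")
```

A PTR name is set by whoever controls the reverse zone, so confirm the lead against the RIR whois record for the prefix before sending an abuse report.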