anycast and ddos

Hank Nussbacher hank at mail.iucc.ac.il
Sun May 8 19:55:51 UTC 2005


On Sun, 8 May 2005, Rodney Joffe wrote:

I will check whether our telescope is missing tcp/53 pkts.  -Hank

>
> >
> >> At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote:
> >
> > I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May
> > 1-7) and could not find any listed for 216.168.229.0/24, worldnic.com,
> > netsol.com or AS6245.
> >
> > -Hank
> >
> >
> >
> >> worldnic.com.           86400   IN      NS      ns1.netsol.com.
> >> worldnic.com.           86400   IN      NS      ns2.netsol.com.
> >> worldnic.com.           86400   IN      NS      ns3.netsol.com.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns1.netsol.com.         86400   IN      A       216.168.229.228
> >> ns2.netsol.com.         86400   IN      A       216.168.229.229
> >> ns3.netsol.com.         86400   IN      A       216.168.229.229
>
> I believe the issues (reported on NANOG specifically) related to
> ns*.worldnic.com (seemingly ns1 through ns100.worldnic.com) which seem to be
> mostly related to 216.168.225.0/24 with some smatterings in
> 216.168.228.0/24. Some examination during the event, and since then, would
> indicate that traceroutes to these /24s result in endpoints that are in the
> same location, apparently in the DC area. Anycast would not seem to be
> involved.
>
> It further seems that these nameservers are used primarily by customers of
> their bundled with a domain name dns offering, with minimal cost. There are
> in excess of 300,000 domains that point to ns*.worldnic.net as being
> authoritative, that I have been able to identify so far. It seems that a
> large number of domain name registrants might have been affected, although
> many were unaware.
>
> And I assume that it is obvious that this is all "Network Solutions", the
> Registrar Business, as distinct from the now completely unrelated company,
> Verisign, the Registry Operator.
>
> Rodney Joffe
> CenterGate Research Group, LLC
> http://www.centergate.com
> "Technology so advanced, even WE don't understand it"(R)



More information about the NANOG mailing list