DNS DDoS
Wil Schultz
wschultz at bsdboy.com
Wed Jan 28 19:49:51 UTC 2009
If anyone is interested, here's what things look like from here for
the past 3 days.
dns2:~ wschultz$ gzcat /var/log/named.log.01262009.gz |awk '/\.\/NS\/IN.*denied/{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
6 150.69.136.10
1387 76.9.16.171
2759 63.217.28.226
98680 206.71.158.30
dns2:~ wschultz$ gzcat /var/log/named.log.01272009.gz |awk '/\.\/NS\/IN.*denied/{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
6 150.69.136.10
1387 76.9.16.171
2753 63.217.28.226
5521 206.71.158.30
dns2:~ wschultz$ cat /var/log/named.log |awk '/\.\/NS\/IN.*denied/{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
2 150.69.136.10
279 67.192.144.0
296 76.9.16.171
6519 64.57.246.123
17207 64.57.246.146
20646 70.86.80.98
-wil
On Jan 28, 2009, at 8:07 AM, Andrew Fried wrote:
> Targeted victims, beginning 28-Jan-2009, as seen from my DNS server.
> GeoIP data for top two sites also below:
>
> +----------------+-------------+------------+
> | host           | count(host) | Percentage |
> +----------------+-------------+------------+
> | 202.104.106.49 |          51 |     0.1109 |
> | 210.21.218.138 |          51 |     0.1109 |
> | 64.57.246.123  |        3561 |     7.7421 |
> | 64.57.246.146  |       29530 |    64.2026 |
> | 67.192.144.0   |         991 |     2.1546 |
> | 70.86.80.98    |       11276 |    24.5157 |
> | 76.9.16.171    |         535 |     1.1632 |
> +----------------+-------------+------------+
>
> GeoIP Location Information for IP: 64.57.246.146
> Located in: Suwanee, GA (US)
> Latitude: 34.0535
> Longitude: -84.0659
> Area Code: 770
> Postal Code: 30024
>
> ARIN information for: 64.57.246.146
> DNS PTR Record:
> Registrar: arin
> ASN Number: AS20141
> Country: US
> Ip Starting Block: 64.57.240.0
> IP Ending Block: 64.57.255.255
> IP Block Size: 4096
> Date Registered: 20051012
> Block Status: allocated
>
> BGP Peering Information for ASN20141:
>
> PEER_AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
> 6983 | 64.57.246.146 | 64.57.240.0/20 | US | arin | 2005-10-12 | ITCDELTA - ITC^Deltacom
> 14745 | 64.57.246.146 | 64.57.240.0/20 | US | arin | 2005-10-12 | INTERNAP-BLOCK-4 - Internap Network Services Corporation
>
>
>
>
> GeoIP Location Information for IP: 70.86.80.98
> Located in: Houston, TX (US)
> Latitude: 29.7523
> Longitude: -95.3670
> Area Code: 713
> Postal Code: 77002
>
> ARIN information for: 70.86.80.98
> DNS PTR Record: 62.50.5646.static.theplanet.com.
> Registrar: arin
> ASN Number: AS21844
> Country: US
> Ip Starting Block: 70.84.0.0
> IP Ending Block: 70.87.255.255
> IP Block Size: 262144
> Date Registered: 20040729
> Block Status: allocated
>
> BGP Peering Information for ASN21844:
>
> PEER_AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
> 2914 | 70.86.80.98 | 70.84.0.0/14 | US | arin | 2004-07-29 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3356 | 70.86.80.98 | 70.84.0.0/14 | US | arin | 2004-07-29 | LEVEL3 Level 3 Communications
> 3549 | 70.86.80.98 | 70.84.0.0/14 | US | arin | 2004-07-29 | GBLX Global Crossing Ltd.
> 4565 | 70.86.80.98 | 70.84.0.0/14 | US | arin | 2004-07-29 | MEGAPATH2-US - MegaPath Networks Inc.
> 6461 | 70.86.80.98 | 70.84.0.0/14 | US | arin | 2004-07-29 | MFNX MFN - Metromedia Fiber Network
>
> --
> Andrew Fried
> andrew.fried at gmail.com
>
>
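
Added example, not part of the original thread: a single awk pass that combines the per-source count from the pipelines above with the percentage column from the quoted table, so one report shows each source of denied './NS/IN' queries and its share of the total. The function names and the sample log lines are constructed for illustration (documentation addresses, not real traffic), and the log layout is assumed to be the one the thread's awk implies, with "ip#port:" in field 6.

```sh
#!/bin/sh
# Added example: tally denied root NS queries per client address.
# Reads BIND log lines on stdin; prints "count percent host", sorted by count.
# Assumption: field 6 is "ip#port:", as in the awk used in the thread.
denied_root_ns_report() {
    awk '
        /\.\/NS\/IN.*denied/ {
            host = $6
            sub(/#.*/, "", host)      # drop the "#port:" suffix
            count[host]++
            total++
        }
        END {
            # With no matching lines the loop body never runs, so there is
            # no division by zero.
            for (h in count)
                printf "%d %.4f %s\n", count[h], 100 * count[h] / total, h
        }
    ' | sort -n
}

# Constructed sample input. The last line is a denied query for another
# name and must not be counted.
sample_log() {
    cat <<'EOF'
28-Jan-2009 19:40:01.101 security: info: client 192.0.2.10#31337: query (cache) './NS/IN' denied
28-Jan-2009 19:40:01.250 security: info: client 192.0.2.10#4242: query (cache) './NS/IN' denied
28-Jan-2009 19:40:02.007 security: info: client 198.51.100.7#53211: query (cache) './NS/IN' denied
28-Jan-2009 19:40:02.300 security: info: client 192.0.2.10#1099: query (cache) './NS/IN' denied
28-Jan-2009 19:40:03.512 security: info: client 203.0.113.5#40000: query (cache) 'example.com/A/IN' denied
EOF
}

sample_log | denied_root_ns_report
```

On a live server the same function can be fed from the rotated logs, for example gzcat /var/log/named.log.01262009.gz | denied_root_ns_report.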