DNS DDoS

Wil Schultz wschultz at bsdboy.com
Wed Jan 28 13:49:51 CST 2009


If anyone is interested, here's what things look like from here for  
the past 3 days.

dns2:~ wschultz$ gzcat /var/log/named.log.01262009.gz |awk '/\.\/NS\/ 
IN.*denied/{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
   6 150.69.136.10
1387 76.9.16.171
2759 63.217.28.226
98680 206.71.158.30

dns2:~ wschultz$ gzcat /var/log/named.log.01272009.gz |awk '/\.\/NS\/ 
IN.*denied/{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
   6 150.69.136.10
1387 76.9.16.171
2753 63.217.28.226
5521 206.71.158.30

dns2:~ wschultz$ cat /var/log/named.log |awk '/\.\/NS\/IN.*denied/ 
{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
   2 150.69.136.10
279 67.192.144.0
296 76.9.16.171
6519 64.57.246.123
17207 64.57.246.146
20646 70.86.80.98

-wil

On Jan 28, 2009, at 8:07 AM, Andrew Fried wrote:

> Targeted victims, beginning 28-Jan-2009, as seen from my DNS server.
> GeoIP data for top two sites also below:
>
> +----------------+-------------+------------+
> | host           | count(host) | Percentage |
> +----------------+-------------+------------+
> | 202.104.106.49 |          51 |     0.1109 |
> | 210.21.218.138 |          51 |     0.1109 |
> | 64.57.246.123  |        3561 |     7.7421 |
> | 64.57.246.146  |       29530 |    64.2026 |
> | 67.192.144.0   |         991 |     2.1546 |
> | 70.86.80.98    |       11276 |    24.5157 |
> | 76.9.16.171    |         535 |     1.1632 |
> +----------------+-------------+------------+
>
> GeoIP Location Information for IP: 64.57.246.146
>    Located in: Suwanee, GA (US)
>    Latitude: 34.0535
>    Longitude: -84.0659
>    Area Code: 770
>    Postal Code: 30024
>
> ARIN information for: 64.57.246.146
>    DNS PTR Record:
>    Registrar:         arin
>    ASN Number:        AS20141
>    Country:           US
>    Ip Starting Block: 64.57.240.0
>    IP Ending Block:   64.57.255.255
>    IP Block Size:     4096
>    Date Registered:   20051012
>    Block Status:      allocated
>
> BGP Peering Information for ASN20141:
>
> PEER_AS | IP               | BGP Prefix          | CC | Registry |
> Allocated  | AS Name
> 6983    | 64.57.246.146    | 64.57.240.0/20      | US | arin     |
> 2005-10-12 | ITCDELTA - ITC^Deltacom
> 14745   | 64.57.246.146    | 64.57.240.0/20      | US | arin     |
> 2005-10-12 | INTERNAP-BLOCK-4 - Internap Network Services Corporation
>
>
>
>
> GeoIP Location Information for IP: 70.86.80.98
>    Located in: Houston, TX (US)
>    Latitude: 29.7523
>    Longitude: -95.3670
>    Area Code: 713
>    Postal Code: 77002
>
> ARIN information for: 70.86.80.98
>    DNS PTR Record:    62.50.5646.static.theplanet.com.
>    Registrar:         arin
>    ASN Number:        AS21844
>    Country:           US
>    Ip Starting Block: 70.84.0.0
>    IP Ending Block:   70.87.255.255
>    IP Block Size:     262144
>    Date Registered:   20040729
>    Block Status:      allocated
>
> BGP Peering Information for ASN21844:
>
> PEER_AS | IP               | BGP Prefix          | CC | Registry |
> Allocated  | AS Name
> 2914    | 70.86.80.98      | 70.84.0.0/14        | US | arin     |
> 2004-07-29 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3356    | 70.86.80.98      | 70.84.0.0/14        | US | arin     |
> 2004-07-29 | LEVEL3 Level 3 Communications
> 3549    | 70.86.80.98      | 70.84.0.0/14        | US | arin     |
> 2004-07-29 | GBLX Global Crossing Ltd.
> 4565    | 70.86.80.98      | 70.84.0.0/14        | US | arin     |
> 2004-07-29 | MEGAPATH2-US - MegaPath Networks Inc.
> 6461    | 70.86.80.98      | 70.84.0.0/14        | US | arin     |
> 2004-07-29 | MFNX MFN - Metromedia Fiber Network
>
> -- 
> Andrew Fried
> andrew.fried at gmail.com
>
>





More information about the NANOG mailing list