DNS noise

PC paul4004 at gmail.com
Fri Apr 6 12:52:10 CDT 2012


It could be a DNS amplification attack, with the source IP forged.  They
may be hoping you "reply" to the forged source with a response greater than
the cost of them sending the query.

Of course you'd have to actually be running a poorly configured DNS server
on that IP for this to work...


On Fri, Apr 6, 2012 at 11:47 AM, Keegan Holley <keegan.holley at sungard.com>wrote:

> Have you tried contacting the owner of the IP?  A DDOS attack from that
> particular IP would be ironic.
>
> #
> # The following results may also be obtained via:
> #
>
> http://whois.arin.net/rest/nets;q=72.20.23.24?showDetails=true&showARIN=false&ext=netref2
> #
>
> Staminus Communications STAMINUS-COMMUNICATIONS (NET-72-20-0-0-1) 72.20.0.0
> - 72.20.63.255
> DDOSWIZ.COM STAMINUS-COMMUNICATIONS (NET-72-20-23-0-1) 72.20.23.0 -
> 72.20.23.63
>
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>
>
>
> 2012/4/6 Nathan Eisenberg <nathan at atlasnetworks.us>
>
> > Anyone else seeing this sort of noise lately?
> >
> > 10:35:00.958556 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:00.961055 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:01.262461 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:01.350979 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:01.351001 IP 66.171.180.48 > 72.20.23.24: ICMP 66.171.180.48 udp
> > port 53 unreachable, length 74
> > 10:35:01.573166 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:01.573204 IP 66.171.180.48 > 72.20.23.19: ICMP 66.171.180.48 udp
> > port 53 unreachable, length 74
> > 10:35:01.730128 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:01.970730 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:02.121218 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:02.374853 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:02.374879 IP 66.171.180.48 > 72.20.23.19: ICMP 66.171.180.48 udp
> > port 53 unreachable, length 74
> > 10:35:02.493257 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:02.493270 IP 66.171.180.48 > 72.20.23.24: ICMP 66.171.180.48 udp
> > port 53 unreachable, length 74
> > 10:35:02.726303 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:02.863667 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:03.023693 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:03.251935 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:03.251964 IP 66.171.180.48 > 72.20.23.24: ICMP 66.171.180.48 udp
> > port 53 unreachable, length 74
> > 10:35:03.326562 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:03.630514 IP 72.20.23.24.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> > 10:35:03.638327 IP 72.20.23.19.53 > 66.171.180.48.53: 952+ [1au] ANY?
> > ripe.net. (38)
> >
> > Note that the server involved does not run a DNS daemon, or listen on 53,
> > or anything else that would attract attention.
> >
> >
> >
> >
>


More information about the NANOG mailing list