[Emerging-Sigs] Dns ddos

Brandon Kendall brandon.kendall at gmail.com
Wed Oct 26 09:55:50 EDT 2011


Actually, no. Sources were from the following networks:

Thanks!



On Wed, Oct 26, 2011 at 9:41 AM, Martin Holste <mcholste at gmail.com> wrote:

> Were the sources all in the same /16?  It's possible they were trying
> to flood someone else using the ICMP admin-prohibited bounces from the
> firewalls in orgs like yours.
>
> On Wed, Oct 26, 2011 at 8:12 AM, Brandon Kendall
> <brandon.kendall at gmail.com> wrote:
> > My company had a DDoS the other morning that seemed a little odd - packets
> > were UDP with both the source and destination port 53. The target IP wasn't
> > running DNS so the firewall blocked all of the attempts, but it still
> > managed to saturate a 500 mb internet link. Firewall logs show about 63,000
> > sources, in a fairly sequential order, leading us to believe they are
> > spoofed.
> >
> > Unfortunately I wasn't able to capture any of the packets.
> >
> > Has anyone else seen activity like this lately?
> >
> > Thanks!