Re: isprime DOS in progress
From: Andrew Fried <andrew.fried () gmail com>
Date: Sun, 25 Jan 2009 00:54:07 -0500

I extracted all logs from one of my dns servers that reflected an
"'./NS/IN' denied" message, pumped them into a database and ran a few
queries.

The first query shows the number of "denied" messages on my dns server,
sorted by date.  The amount of traffic definitely picked up on January 21st:

+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 03-Jan-2009 |          20 |
| 04-Jan-2009 |         173 |
| 05-Jan-2009 |         407 |
| 06-Jan-2009 |        6429 |
| 07-Jan-2009 |        6391 |
| 08-Jan-2009 |        1421 |
| 09-Jan-2009 |         398 |
| 10-Jan-2009 |         402 |
| 11-Jan-2009 |         257 |
| 12-Jan-2009 |         174 |
| 13-Jan-2009 |         168 |
| 14-Jan-2009 |         451 |
| 15-Jan-2009 |         959 |
| 16-Jan-2009 |       31410 |
| 17-Jan-2009 |       79418 |
| 18-Jan-2009 |       64788 |
| 19-Jan-2009 |       90391 |
| 20-Jan-2009 |       71683 |
| 21-Jan-2009 |      104413 |
| 22-Jan-2009 |      104344 |
| 23-Jan-2009 |      105686 |
| 24-Jan-2009 |      105853 |
| 25-Jan-2009 |        1757 |
+-------------+-------------+

This report shows the number of queries grouped by host IP:

+-----------------+-------------+
| host            | count(host) |
+-----------------+-------------+
| 10.168.69.6     |        1059 |
| 123.127.121.245 |         528 |
| 202.106.83.125  |         530 |
| 203.121.29.11   |         426 |
| 203.121.29.12   |         402 |
| 206.71.158.30   |       45047 |
| 209.123.8.64    |         361 |
| 209.123.8.99    |         617 |
| 211.72.249.201  |         786 |
| 211.95.81.245   |         530 |
| 213.61.92.192   |         863 |
| 216.201.82.19   |        4548 |
| 216.201.83.2    |        3411 |
| 216.240.131.173 |        1081 |
| 219.142.91.125  |         530 |
| 220.181.168.251 |         451 |
| 58.26.5.43      |         426 |
| 58.26.5.44      |         367 |
| 60.247.99.245   |         530 |
| 61.129.61.245   |           5 |
| 63.217.28.226   |      130907 |
| 66.230.128.15   |      123551 |
| 66.230.160.1    |      176558 |
| 66.238.93.161   |         789 |
| 69.31.52.214    |          15 |
| 69.50.137.175   |       22068 |
| 69.50.142.11    |      114048 |
| 69.50.142.110   |       15483 |
| 74.86.34.144    |        1188 |
| 76.9.16.171     |       57275 |
| 76.9.31.42      |       72669 |
| 91.199.112.18   |         344 |
+-----------------+-------------+

And finally, I looked at all log entries reflecting the host ip
'206.71.158.30'.  The first time my dns server logged that IP address
was on January 24th:

+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 24-Jan-2009 |       43441 |
| 25-Jan-2009 |        1606 |
+-------------+-------------+

Finally, when I focused strictly on logs from January 24th, 5 hosts came up:

+---------------+-------------+
| host          | count(host) |
+---------------+-------------+
| 10.168.69.6   |          51 |
| 206.71.158.30 |       43441 |
| 63.217.28.226 |       57955 |
| 66.230.160.1  |        4014 |
| 76.9.16.171   |         392 |
+---------------+-------------+

A tail end of the logs related to 206.71.158.30 indicate queries
originating, on average, about one second apart:

+-------------+--------------+---------------+
| 25-Jan-2009 | 00:22:58.644 | 206.71.158.30 |
| 25-Jan-2009 | 00:22:59.056 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.565 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.643 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.949 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:02.640 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.330 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.639 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:05.283 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.646 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.792 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:07.176 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:08.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.556 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:11.509 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:12.652 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.018 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.402 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:14.656 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.783 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:17.736 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:18.666 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.245 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.629 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:20.662 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:22.658 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.010 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.963 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:24.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.472 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.856 | 206.71.158.30 |
+-------------+--------------+---------------+

Andrew

Brian Keefer wrote:


On Jan 23, 2009, at 12:20 PM, Luke Sheldrick wrote:

Looks to me like the target has moved, anyone else seeing similar?

It's switched again.  The new target is 206.71.158.30 .

Over night it cycled through several different IPs (testing the
waters?), and finally started on this one around 10:26 Pacific time
this morning.

Timeline below.

-- 
bk

Jan 23 23:24:47 imhotep named[32762]: client 63.217.28.226#53: view
ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep named[32762]: client 208.78.169.236#33027:
view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep last message repeated 2 times
Jan 24 00:51:11 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep last message repeated 2 times
Jan 24 00:51:30 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 00:51:30 imhotep last message repeated 2 times
Jan 24 01:54:44 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 01:54:44 imhotep last message repeated 2 times
Jan 24 01:55:44 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 01:55:44 imhotep last message repeated 2 times
Jan 24 01:57:46 imhotep named[32762]: client 208.78.169.235#46265:
view ext: query (cache) './NS/IN' denied
Jan 24 01:57:46 imhotep last message repeated 2 times
Jan 24 02:58:29 imhotep named[32762]: client 208.37.177.62#46265: view
ext: query (cache) './NS/IN' denied
Jan 24 02:58:30 imhotep last message repeated 2 times
Jan 24 03:00:34 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 03:00:35 imhotep last message repeated 2 times
Jan 24 03:05:05 imhotep named[32762]: client 208.78.169.236#33027:
view ext: query (cache) './NS/IN' denied
Jan 24 03:05:05 imhotep last message repeated 2 times
Jan 24 03:07:49 imhotep named[32762]: client 63.217.28.226#53: view
ext: query (cache) './NS/IN' denied
Jan 24 04:02:38 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 04:02:38 imhotep last message repeated 2 times
Jan 24 04:05:43 imhotep named[32762]: client 204.11.51.59#32802: view
ext: query (cache) './NS/IN' denied
Jan 24 04:05:43 imhotep last message repeated 2 times
Jan 24 04:12:52 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 04:12:52 imhotep last message repeated 2 times
Jan 24 05:07:37 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 05:07:37 imhotep last message repeated 2 times
Jan 24 05:11:35 imhotep named[32762]: client 204.11.51.59#32802: view
ext: query (cache) './NS/IN' denied
Jan 24 05:11:35 imhotep last message repeated 2 times
Jan 24 05:21:36 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 05:21:37 imhotep last message repeated 2 times
Jan 24 06:16:06 imhotep named[32762]: client 208.37.177.62#46265: view
ext: query (cache) './NS/IN' denied
Jan 24 06:16:06 imhotep last message repeated 2 times
Jan 24 06:20:19 imhotep named[32762]: client 204.11.51.61#43329: view
ext: query (cache) './NS/IN' denied
Jan 24 06:20:19 imhotep last message repeated 2 times
Jan 24 06:29:37 imhotep named[32762]: client 208.78.169.235#46265:
view ext: query (cache) './NS/IN' denied
Jan 24 06:29:37 imhotep last message repeated 2 times
Jan 24 06:35:11 imhotep named[32762]: client 149.20.52.161#61452: view
ext: notify question section contains no SOA
Jan 24 07:23:06 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 07:23:06 imhotep last message repeated 2 times
Jan 24 07:28:27 imhotep named[32762]: client 204.11.51.60#32831: view
ext: query (cache) './NS/IN' denied
Jan 24 07:28:27 imhotep last message repeated 2 times
Jan 24 07:40:25 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 07:40:25 imhotep last message repeated 2 times
Jan 24 08:29:57 imhotep named[32762]: client 208.37.177.61#42517: view
ext: query (cache) './NS/IN' denied
Jan 24 08:29:57 imhotep last message repeated 2 times
Jan 24 08:36:10 imhotep named[32762]: client 204.11.51.61#43330: view
ext: query (cache) './NS/IN' denied
Jan 24 08:36:11 imhotep last message repeated 2 times
Jan 24 08:52:45 imhotep named[32762]: client 208.78.169.235#46265:
view ext: query (cache) './NS/IN' denied
Jan 24 08:52:45 imhotep last message repeated 2 times
Jan 24 08:55:54 imhotep named[32762]: client 149.20.58.131#59151: view
ext: query (cache) 'localhost/A/IN' denied
Jan 24 09:36:38 imhotep named[32762]: client 208.37.177.62#46265: view
ext: query (cache) './NS/IN' denied
Jan 24 09:36:38 imhotep last message repeated 2 times
Jan 24 09:43:53 imhotep named[32762]: client 204.11.51.61#43330: view
ext: query (cache) './NS/IN' denied
Jan 24 09:43:54 imhotep last message repeated 2 times
Jan 24 09:53:56 imhotep named[32762]: client 63.217.28.226#53: view
ext: query (cache) './NS/IN' denied
Jan 24 10:05:28 imhotep named[32762]: client 208.78.169.234#42517:
view ext: query (cache) './NS/IN' denied
Jan 24 10:05:28 imhotep last message repeated 2 times
Jan 24 10:26:09 imhotep named[32762]: client 206.71.158.30#18971: view
ext: query (cache) './NS/IN' denied
Jan 24 10:26:11 imhotep named[32762]: client 206.71.158.30#47622: view
ext: query (cache) './NS/IN' denied
Jan 24 10:26:13 imhotep named[32762]: client 206.71.158.30#16077: view
ext: query (cache) './NS/IN' denied
-- 
Andrew Fried
andrew.fried () gmail com
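The analysis above (loading the "'./NS/IN' denied" log lines into a database and counting by date, by client, by first appearance and by inter-arrival gap) can be reproduced directly from BIND's syslog output. The script below is an added example, not code from this thread or from any of the posters. It assumes the log format shown in the quoted timeline (syslog prefix, `named[pid]`, `client IP#port`, optional `view NAME:`), that each record is on a single unwrapped line, that the year is 2009 (syslog omits it), and that a syslog "last message repeated N times" line stands for N copies of the immediately preceding record, stamped with the summary line's time. The hostname `ns1` and the client addresses are constructed sample values from documentation ranges, not addresses from the thread.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class DeniedQuery(NamedTuple):
    when: datetime
    client: str
    qname: str
    qtype: str


# BIND "query (cache) 'NAME/TYPE/CLASS' denied" record behind a syslog prefix.
# The "view NAME:" token is optional because not every server uses views.
DENIED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:view \S+: )?query \(cache\) '(?P<qname>[^']*?)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)

# syslog's suppression summary; it refers to whatever line preceded it.
REPEAT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) last message repeated (?P<n>\d+) times$"
)

# Constructed sample log (not from the thread): one early source, one source
# that syslog collapsed, an unrelated notify error, and a source that starts
# hammering on the 24th and is still present on the 25th.
SAMPLE_LOG = """\
Jan 23 23:24:47 ns1 named[32762]: client 198.51.100.7#53: view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 ns1 named[32762]: client 203.0.113.9#33027: view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 ns1 last message repeated 2 times
Jan 24 06:35:11 ns1 named[32762]: client 192.0.2.44#61452: view ext: notify question section contains no SOA
Jan 24 10:26:09 ns1 named[32762]: client 192.0.2.10#18971: view ext: query (cache) './NS/IN' denied
Jan 24 10:26:11 ns1 named[32762]: client 192.0.2.10#47622: view ext: query (cache) './NS/IN' denied
Jan 24 10:26:13 ns1 named[32762]: client 192.0.2.10#16077: view ext: query (cache) './NS/IN' denied
Jan 25 00:22:58 ns1 named[32762]: client 192.0.2.10#20001: view ext: query (cache) './NS/IN' denied
"""


def _stamp(m: "re.Match", year: int) -> datetime:
    # syslog lines carry no year; the caller supplies it (assumption: 2009 here).
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def day_key(when: datetime) -> str:
    # Same dd-Mon-yyyy form as the tables in the post.
    return when.strftime("%d-%b-%Y")


def parse_denied(lines: Iterable[str], year: int = 2009) -> List[DeniedQuery]:
    """Expand the log into one DeniedQuery per denied query, including syslog repeats."""
    events: List[DeniedQuery] = []
    last: Optional[DeniedQuery] = None
    for raw in lines:
        line = raw.rstrip()
        m = DENIED_RE.match(line)
        if m:
            last = DeniedQuery(_stamp(m, year), m["ip"], m["qname"], m["qtype"])
            events.append(last)
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            # N suppressed copies of the previous denied query, stamped with the summary time.
            events.extend(last._replace(when=_stamp(r, year)) for _ in range(int(r["n"])))
            continue
        # Any other line (notify errors, unrelated messages) is not a denied query,
        # and a repeat summary following it must not be credited to an earlier record.
        last = None
    return events


def count_by_date(events: Iterable[DeniedQuery]) -> Dict[str, int]:
    return Counter(day_key(e.when) for e in events)


def count_by_client(events: Iterable[DeniedQuery], day: Optional[str] = None) -> Dict[str, int]:
    return Counter(e.client for e in events if day is None or day_key(e.when) == day)


def first_seen(events: Iterable[DeniedQuery]) -> Dict[str, datetime]:
    seen: Dict[str, datetime] = {}
    for e in events:
        if e.client not in seen or e.when < seen[e.client]:
            seen[e.client] = e.when
    return seen


def new_sources(events: Iterable[DeniedQuery], day: str) -> Set[str]:
    """Clients whose very first denied query on this server fell on `day`."""
    return {c for c, when in first_seen(events).items() if day_key(when) == day}


def mean_interarrival(events: Iterable[DeniedQuery], client: str, day: Optional[str] = None) -> Optional[float]:
    """Mean seconds between consecutive denied queries from one client (None if fewer than two)."""
    times = sorted(e.when for e in events if e.client == client and (day is None or day_key(e.when) == day))
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    evs = parse_denied(SAMPLE_LOG.splitlines())
    for d, n in sorted(count_by_date(evs).items()):
        print(f"{d} {n:>8}")
    for ip, n in sorted(count_by_client(evs).items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} {n:>8}  first seen {first_seen(evs)[ip]}")
    print("new on 24-Jan-2009:", sorted(new_sources(evs, "24-Jan-2009")))
    print("mean gap 192.0.2.10 on 24-Jan-2009:", mean_interarrival(evs, "192.0.2.10", "24-Jan-2009"))
```

Run it against a real `named` log instead of `SAMPLE_LOG` by passing an open file to `parse_denied`. Queries for `./NS/IN` that the server refuses are the visible trace of spoofed reflection traffic: the "client" address is the reflection target, not the sender, so the per-client table identifies who is being hit and `new_sources` shows when the target changed, which is what the thread is tracking.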