I will check whether our telescope is missing tcp/53 pkts.

-Hank

On Sun, 8 May 2005, Rodney Joffe wrote:

> >> At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote:
> >
> > I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May
> > 1-7) and could not find any listed for 216.168.229.0/24, worldnic.com,
> > netsol.com or AS6245.
> >
> > -Hank
> >
> >> worldnic.com. 86400 IN NS ns1.netsol.com.
> >> worldnic.com. 86400 IN NS ns2.netsol.com.
> >> worldnic.com. 86400 IN NS ns3.netsol.com.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns1.netsol.com. 86400 IN A 216.168.229.228
> >> ns2.netsol.com. 86400 IN A 216.168.229.229
> >> ns3.netsol.com. 86400 IN A 216.168.229.229
>
> I believe the issues (reported on NANOG specifically) related to
> ns*.worldnic.com (seemingly ns1 through ns100.worldnic.com) which seem to be
> mostly related to 216.168.225.0/24 with some smatterings in
> 216.168.228.0/24. Some examination during the event, and since then, would
> indicate that traceroutes to these /24s result in endpoints that are in the
> same location, apparently in the DC area. Anycast would not seem to be
> involved.
>
> It further seems that these nameservers are used primarily by customers of
> their bundled with a domain name dns offering, with minimal cost. There are
> in excess of 300,000 domains that point to ns*.worldnic.net as being
> authoritative, that I have been able to identify so far. It seems that a
> large number of domain name registrants might have been affected, although
> many were unaware.
>
> And I assume that it is obvious that this is all "Network Solutions", the
> Registrar Business, as distinct from the now completely unrelated company,
> Verisign, the Registry Operator.
>
> Rodney Joffe
> CenterGate Research Group, LLC
> http://www.centergate.com
> "Technology so advanced, even WE don't understand it"(R)