[uknof] reporting a big DNS DoS attack?

2013-11-18 Thread Paul Mansfield
we were hit by a moderately large amount (100s of Mb/s) of DNS traffic,
almost certainly a result of spoofed source.

we extracted a list of the offenders - below.

is it worth reporting these, or just shrug and hope it doesn't happen
again? If the former, are there any sites where you can easily report
hosts which are friendly to DNS amp attacks?





Re: [uknof] reporting a big DNS DoS attack?

2013-11-18 Thread James Davis

On 18/11/2013 13:59, Paul Mansfield wrote:

> we extracted a list of the offenders - below.
> 
> is it worth reporting these, or just shrug and hope it doesn't
> happen again? If the former, are there any sites where you can
> easily report hosts which are friendly to DNS amp attacks?

Do you mind if I repost that data anonymously on another list?

James

-- 
James Davis    0300 999 2340 (+44 1235 822340)
Senior CSIRT Member 
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238




Re: [uknof] reporting a big DNS DoS attack?

2013-11-18 Thread Keith Mitchell
On 11/18/2013 08:59 AM, Paul Mansfield wrote:
> we were hit by a moderately large amount (100s of Mb/s) of DNS traffic,
> almost certainly a result of spoofed source.
> 
> we extracted a list of the offenders - below.
> 
> is it worth reporting these, or just shrug and hope it doesn't happen
> again? If the former, are there any sites where you can easily report
> hosts which are friendly to DNS amp attacks?

If you have data which identifies hosts that are open to amplification
attacks via UDP DNS queries (though I see a lot of Chargen port 19 these
days too), then openresolverproject.org and shadowserver.org would
potentially be interested in this.

Keith