discuss - Re: [opennic-discuss] DoS amp attack today

  • From: Kenny Taylor <kennytaylor AT runbox.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DoS amp attack today
  • Date: Thu, 18 Apr 2013 14:36:50 -0700

That's a big ass TXT record. So whoever is doing it is sending an 85-byte
request with a spoofed source IP, then the DNS server sends a response of
around 4500 bytes to the victims on the 46.x.x.x net. I can't think of any
reason why a person would generate that response traffic to their own system.



Killman BOFH <killman AT dkcorp.ec> wrote:

>15:21:03.089680 dl.dkcorp.ec.domain > 46.165.192.95.10327: 44449 13/3/5 TXT[|domain] (frag 55556:1480@0+)
>15:21:03.099403 46.165.192.131.58028 > dl.dkcorp.ec.domain: 44449+ [1au] TXT? anticardsharing.net. (48)
>15:21:03.099605 dl.dkcorp.ec.domain > 46.165.192.131.58028: 44449 13/3/5 TXT[|domain] (frag 16855:1480@0+)
>15:21:03.102239 46.165.212.92.3584 > dl.dkcorp.ec.domain: 44449+ [1au] TXT? anticardsharing.net. (48)
>15:21:03.102433 dl.dkcorp.ec.domain > 46.165.212.92.3584: 44449 13/3/5 TXT[|domain] (frag 24732:1480@0+)
>15:21:03.107693 46.165.212.12.1691 > dl.dkcorp.ec.domain: 44449+ [1au] TXT? anticardsharing.net. (48)
>15:21:03.107886 dl.dkcorp.ec.domain > 46.165.212.12.1691: 44449 13/3/5 TXT[|domain] (frag 11278:1480@0+)
>
>
>
>*dkcorp.ec* <http://dkcorp.ec/> | *CEO*
>*Enterprise Networks*
>Blog: unixlegion.com
>GPG Key: *0xBBDC0CDE*
>Community: www.sle.ec <http://sle.ec>
>OpenNIC Project: opennic.sle.ec
>*IT Security - ISO 27000 - Packet Core*
>Phone: +593 995 956811 | +593 07 2952-763
>
>
>On Thu, Apr 18, 2013 at 3:18 PM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
>
>> Is that under Sid? What about squeeze backports?
>>
>>
>> On 04/17/2013 01:50 PM, Guillaume Parent wrote:
>> > I checked the Bind 9.8.4 (testing repo on debian) contains the rate
>> > limiting patch. I will be compiling the bind9 testing package on a stable
>> > base and testing it shortly, if the package seems to work fine I will make
>> > it available.
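Added example, not part of the original thread: a small Python check that runs over the tcpdump lines quoted above and flags the pattern the reply describes, one transaction ID and query name arriving from several source addresses, each answered with a fragmented reply. The function name, the min_sources threshold and the same-ID heuristic are assumptions of this example; the 85 and 4500 byte figures are the ones given in the reply.

```python
import re
from collections import defaultdict

# The tcpdump lines quoted in the thread, with the mail client's wrapping undone.
CAPTURE = """\
15:21:03.089680 dl.dkcorp.ec.domain > 46.165.192.95.10327: 44449 13/3/5 TXT[|domain] (frag 55556:1480@0+)
15:21:03.099403 46.165.192.131.58028 > dl.dkcorp.ec.domain: 44449+ [1au] TXT? anticardsharing.net. (48)
15:21:03.099605 dl.dkcorp.ec.domain > 46.165.192.131.58028: 44449 13/3/5 TXT[|domain] (frag 16855:1480@0+)
15:21:03.102239 46.165.212.92.3584 > dl.dkcorp.ec.domain: 44449+ [1au] TXT? anticardsharing.net. (48)
15:21:03.102433 dl.dkcorp.ec.domain > 46.165.212.92.3584: 44449 13/3/5 TXT[|domain] (frag 24732:1480@0+)
15:21:03.107693 46.165.212.12.1691 > dl.dkcorp.ec.domain: 44449+ [1au] TXT? anticardsharing.net. (48)
15:21:03.107886 dl.dkcorp.ec.domain > 46.165.212.12.1691: 44449 13/3/5 TXT[|domain] (frag 11278:1480@0+)
"""

# Query line: "<ts> <src-ip>.<port> > <server>.domain: <id>+ [1au] TXT? <name> (<len>)"
QUERY = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.domain: (?P<txid>\d+)\+?"
    r"(?: \[\w+\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$")
# Reply line that is the first fragment (offset 0, '+' = more fragments follow),
# meaning the answer did not fit in a single packet.
RESPONSE = re.compile(
    r"^\S+ \S+\.domain > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: (?P<txid>\d+) .*"
    r"\(frag \d+:(?P<fraglen>\d+)@0\+\)$")


def analyse(capture, min_sources=3, request_bytes=85, response_bytes=4500):
    """Flag (id, type, name) tuples queried from >= min_sources addresses.

    Heuristic (assumption of this example): independent resolvers pick random
    transaction IDs, so one ID repeated across many sources points to a single
    generator writing forged source addresses.
    """
    sources = defaultdict(set)   # (txid, qtype, qname) -> claimed source IPs
    fragmented = set()           # addresses that were sent a fragmented reply
    for line in capture.splitlines():
        if m := QUERY.match(line):
            sources[(m["txid"], m["qtype"], m["qname"])].add(m["src"])
        elif m := RESPONSE.match(line):
            fragmented.add(m["dst"])
    return [{"txid": int(txid), "qtype": qtype, "qname": qname,
             "sources": sorted(srcs),
             "fragmented_replies": sorted(srcs & fragmented),
             # Byte sizes are the figures from the reply, not measured here.
             "amplification": round(response_bytes / request_bytes, 1)}
            for (txid, qtype, qname), srcs in sources.items()
            if len(srcs) >= min_sources]


if __name__ == "__main__":
    for finding in analyse(CAPTURE):
        print(finding)
```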