This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] DNS DoS attacks by 91.235.143.158 and 69.162.110.100
- Previous message (by thread): [anti-abuse-wg] CleanIT: Unanswered question from chat
- Next message (by thread): [anti-abuse-wg] DNS DoS attacks by 91.235.143.158 and 69.162.110.100
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
U.Mutlu
security at mutluit.com
Sat Sep 29 11:26:23 CEST 2012
For several weeks now our DNS server gets attacked by the following 2 systems.
It's a DoS attack. We have DNS recursion disabled, but these systems send countless recursion queries.
We now are blocking them at the firewall level:

 pkts bytes target prot opt in  out source          destination
1845K 118M  DROP   all  --  *   *   91.235.143.158  0.0.0.0/0
1518K 100M  DROP   all  --  *   *   69.162.110.100  0.0.0.0/0

We have sent the first one 4 Abuse Reports, and the second one 10 (!) ARs, and also had email contact with both their admins/abuse teams. But nothing changes.
Their cheap excuse is to say that our DNS server is allegedly an open resolver (this is total BS! it's untrue), and that the attack would be a so-called "reflected UDP DNS attack" carried out by someone else using forged IP headers (IMO again a cheap BS excuse, as nowadays every ISP uses egress/ingress filtering to block such SenderIP forgeries).

My suspicion is that these companies are maybe specialized (and get paid) to carry out such DNS attacks to bring down the network infrastructure of target systems.
It seems they try to poison our DNS cache. This of course would affect our whole infrastructure.

The IPs belong to these domains/companies:

91.235.143.158 (Ukraine --> RIPE): belongs to the operators of www.irishindependentescorts.com, a porno site operated/administered by a David Walsh <david at irishindependentescorts.com> and davidwalsheire at gmail.com, AbuseAddress: support at v-sys.org

69.162.110.100 (US --> ARIN): www.limestonenetworks.com, an ISP, AbuseAddress: abuseteam at limestonenetworks.com and abuse at lstn.net

This ISP seems to be well known for doing nothing against such attacks, whether carried out by its own staff or by its clients, as can be seen in the postings of admins of other attacked systems:
http://www.webhostingstuff.com/review/LimestoneNetworks.html
http://www.webhostingtalk.com/showthread.php?t=1159070
http://www.webhostingtalk.com/showthread.php?t=1183580

Is anybody else getting attacked by the above systems?
What else can be done in such a case? Is this a case for CERTs? Does anybody have experience with CERTs and can give tips?

The attacks look like the following excerpts from the DNS log (before blocking them in the firewall):

# Log evidence:
#
# AR BC=BC48b Logfile=/var/log/named/named_misc.log GenTime=20120925-095445 ToAbuseEMA: support at v-sys.org
# AttackerIP=91.235.143.158 Hostname(rDNS)= IPfromHN(DNS)=
# cAT=14869 cAS=7 cAR=4 CC=UA RIR=RIPE ASN=AS6849 JSC UKRTELECOM,
# AttackedServerIP(s)=82.211.8.197 84.200.248.120 84.201.4.43 84.200.248.111 84.200.20.194 84.200.43.148
# LogExcerpt (timezone: UTC+02 = GMT+02, syncd via NTP):
2012-09-22 16:06:52.905 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-22 16:06:52.934 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-22 16:06:52.956 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-25 09:46:08.661 security: info: client 91.235.143.158#8775: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.663 security: info: client 91.235.143.158#52882: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.754 security: info: client 91.235.143.158#31714: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.794 security: info: client 91.235.143.158#7089: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.827 security: info: client 91.235.143.158#7064: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.833 security: info: client 91.235.143.158#16716: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.868 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied

# Log evidence:
#
# AR BC=BC48b Logfile=/var/log/named/named_misc.log GenTime=20120923-022150 ToAbuseEMA: abuse at limestonenetworks.com
# AttackerIP=69.162.110.100 Hostname(rDNS)=100-110-162-69.static.reverse.lstn.net
# cAT=2324432 cAS=300 cAR=10 CC=US RIR=ARIN ASN=AS46475 Limestone Networks, Inc.
# AttackedServerIP(s)=82.211.8.197 84.200.248.120 84.201.4.43 84.200.248.111 84.200.20.194 84.200.43.148
# LogExcerpt (timezone: UTC+02 = GMT+02, syncd via NTP):
2012-09-22 16:25:36.969 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:36.969 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
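The BIND "query (cache) ... denied" lines quoted in this post carry two features worth aggregating before an abuse report goes out: the client's source port and the query type. A genuine resolver picks a fresh ephemeral source port per query, whereas many packets all "from" one well-known port (53, 80) combined with ANY queries is the shape of spoofed-source reflection traffic, in which case the listed client address is the victim rather than the sender. The following script is an added example, not code from the post or from ISC BIND; it parses that log format, counts denied queries per client, and labels each client with the thresholds (MIN_DENIED, FIXED_PORT_SHARE, ANY_SHARE) chosen here as assumptions. The sample input is copied from the log excerpts above.

```python
"""Per-client summary of BIND 'query (cache) ... denied' log lines.

Added example (not from the post or from ISC BIND): parses the log format
quoted in the thread and flags the pattern consistent with spoofed-source
reflection attempts, so an operator can decide whether the right escalation
is the source network's abuse desk or a warning to the apparent victim.
"""
import re
from collections import Counter

# Sample input: lines copied from the BIND log excerpts quoted in the post.
SAMPLE_LOG = """\
2012-09-22 16:06:52.905 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-22 16:06:52.934 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-25 09:46:08.661 security: info: client 91.235.143.158#8775: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.663 security: info: client 91.235.143.158#52882: query (cache) 'google.com/A/IN' denied
2012-09-22 16:25:36.969 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:36.969 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
"""

# One BIND "security" category line: timestamp, client ip#port, qname/qtype/qclass.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)

# Thresholds are assumptions chosen for this example, not BIND settings.
MIN_DENIED = 3          # ignore clients with fewer denied queries than this
FIXED_PORT_SHARE = 0.8  # share of queries from one source port to call it "fixed"
ANY_SHARE = 0.5         # share of ANY queries to call a client "ANY-heavy"


def parse_line(line):
    """Return a dict for a denied-query line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(denied, any_ratio, top_port, top_port_ratio):
    """Label a client from its aggregate numbers (see thresholds above)."""
    if denied < MIN_DENIED:
        return "below-threshold"
    # Privileged, near-constant source port: looks like a forged victim service port.
    fixed_service_port = top_port < 1024 and top_port_ratio >= FIXED_PORT_SHARE
    any_heavy = any_ratio >= ANY_SHARE  # ANY answers are large, hence popular for amplification
    if fixed_service_port and any_heavy:
        return "reflection-pattern"
    if fixed_service_port or any_heavy:
        return "reflection-indicators"
    return "query-flood"


def summarize(log_text):
    """Aggregate denied queries per client IP and attach a verdict."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line or a different BIND category
        s = per_ip.setdefault(rec["ip"], {"denied": 0, "any": 0, "ports": Counter(), "qnames": Counter()})
        s["denied"] += 1
        if rec["qtype"] == "ANY":
            s["any"] += 1
        s["ports"][rec["port"]] += 1
        s["qnames"][rec["qname"]] += 1

    result = {}
    for ip, s in per_ip.items():
        top_port, top_count = s["ports"].most_common(1)[0]
        any_ratio = s["any"] / s["denied"]
        top_port_ratio = top_count / s["denied"]
        result[ip] = {
            "denied": s["denied"],
            "any_ratio": any_ratio,
            "top_port": top_port,
            "top_port_ratio": top_port_ratio,
            "qnames": sorted(s["qnames"]),
            "verdict": classify(s["denied"], any_ratio, top_port, top_port_ratio),
        }
    return result


def report(summary):
    """One line per client, busiest first, suitable for pasting into an abuse report."""
    lines = []
    for ip, r in sorted(summary.items(), key=lambda kv: -kv[1]["denied"]):
        lines.append(
            f"{ip}: {r['denied']} denied, ANY share {r['any_ratio']:.0%}, "
            f"top src port {r['top_port']} ({r['top_port_ratio']:.0%}), "
            f"names {','.join(r['qnames'])} -> {r['verdict']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

On the sample, 69.162.110.100 (every query ANY, every source port 53) is labelled reflection-pattern, while 91.235.143.158 (half ANY, ports mixed between 80 and ephemeral values) only gets reflection-indicators. A "denied" response is already small, so the server in the post is not amplifying anything; the point of the classification is to decide who to notify and what to quote in the report.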