nanog mailing list archives

Re: DOS attack assistance?


From: "Max Larson Henry" <maxlarson.henry () mtptc gouv ht>
Date: Wed, 26 Nov 2008 08:53:16 -0500

Hi,


Please look for proxad.fr <-- Free

Free is an ADSL provider based in France and proxad is a hosting
company (please have a look at the "dig -x" output below)

dig -x 88.191.63.28

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;28.63.191.88.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
28.63.191.88.in-addr.arpa. 86400 IN     PTR     sd-11899.dedibox.fr.

;; AUTHORITY SECTION:
63.191.88.in-addr.arpa. 86400   IN      NS      dns2.dedibox.fr.
63.191.88.in-addr.arpa. 86400   IN      NS      dns1.dedibox.fr.

;; Query time: 390 msec
;; SERVER: 200.80.96.100#53(200.80.96.100)
;; WHEN: Wed Nov 26 08:46:38 2008
;; MSG SIZE  rcvd: 114

==========================

dig -x 88.191.63.28 +trace

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28 +trace
;; global options:  printcmd
.                       17574   IN      NS      d.root-servers.net.
.                       17574   IN      NS      e.root-servers.net.
.                       17574   IN      NS      f.root-servers.net.
.                       17574   IN      NS      g.root-servers.net.
.                       17574   IN      NS      h.root-servers.net.
.                       17574   IN      NS      i.root-servers.net.
.                       17574   IN      NS      j.root-servers.net.
.                       17574   IN      NS      k.root-servers.net.
.                       17574   IN      NS      l.root-servers.net.
.                       17574   IN      NS      m.root-servers.net.
.                       17574   IN      NS      a.root-servers.net.
.                       17574   IN      NS      b.root-servers.net.
.                       17574   IN      NS      c.root-servers.net.
;; Received 488 bytes from 200.80.96.100#53(200.80.96.100) in 31 ms

88.in-addr.arpa.        86400   IN      NS      ns.lacnic.net.
88.in-addr.arpa.        86400   IN      NS      ns3.nic.fr.
88.in-addr.arpa.        86400   IN      NS      sec1.apnic.net.
88.in-addr.arpa.        86400   IN      NS      sec3.apnic.net.
88.in-addr.arpa.        86400   IN      NS      sunic.sunet.se.
88.in-addr.arpa.        86400   IN      NS      ns-pri.ripe.net.
88.in-addr.arpa.        86400   IN      NS      tinnie.arin.net.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms

191.88.in-addr.arpa.    172800  IN      NS      ns.ripe.net.
191.88.in-addr.arpa.    172800  IN      NS      ns0.proxad.net.
191.88.in-addr.arpa.    172800  IN      NS      ns1.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms

63.191.88.in-addr.arpa. 86400   IN      NS      dns1.dedibox.fr.
63.191.88.in-addr.arpa. 86400   IN      NS      dns2.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms

28.63.191.88.in-addr.arpa. 86400 IN     PTR     sd-11899.dedibox.fr.
191.88.in-addr.arpa.    7200    IN      NS      dns1.dedibox.fr.
191.88.in-addr.arpa.    7200    IN      NS      dns2.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms

-Max



2008/11/26 Pete Templin <petelists () templin org>:
One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps
from 88.191.63.28.  I've null-routed the source, though our Engine2 GE cards
don't seem to be doing a proper job of that, unfortunately.  The attack is a
solid 300% more pps than our aggregate traffic levels.

It's coming in via 6461, but they don't appear to have any ability to
backtrack it.  Their only offer is to blackhole the destination until the
attack subsides.  BGP tells me the source is in AS 12322, a RIPE AS that has
little if any information publicly visible.

Any pointers on what to do next?

Thanks,

Pete
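A small parser for the "+trace" output Max posted, added here as an example and not part of either post: it groups the records by the server that returned them, so the reverse-delegation chain (RIR, then the network operator, then the hosting company whose box answers the PTR) can be read off as the escalation path for an abuse report. TRACE is a trimmed copy of the dig output above; Hop, parse_trace, operators and delegation_chain are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Trimmed copy of the "dig -x 88.191.63.28 +trace" output posted in the thread.
TRACE = """\
.                       17574   IN      NS      l.root-servers.net.
;; Received 488 bytes from 200.80.96.100#53(200.80.96.100) in 31 ms
88.in-addr.arpa.        86400   IN      NS      ns-pri.ripe.net.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms
191.88.in-addr.arpa.    172800  IN      NS      ns0.proxad.net.
191.88.in-addr.arpa.    172800  IN      NS      ns1.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms
63.191.88.in-addr.arpa. 86400   IN      NS      dns1.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms
28.63.191.88.in-addr.arpa. 86400 IN     PTR     sd-11899.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|PTR)\s+(\S+)$")
REPLY = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\)")

@dataclass
class Hop:
    zone: str                  # in-addr.arpa zone this referral covers
    rtype: str                 # NS (referral) or PTR (final answer)
    targets: list = field(default_factory=list)
    answered_by: str = ""      # server whose reply carried these records

def parse_trace(text):
    """Group dig +trace lines into hops; a ';; Received' line closes one reply."""
    hops, block = [], []
    for line in text.splitlines():
        if m := RR.match(line):
            zone, rtype, target = m.groups()
            if not block or (block[-1].zone, block[-1].rtype) != (zone, rtype):
                block.append(Hop(zone, rtype))
            block[-1].targets.append(target)
        elif m := REPLY.match(line):
            for h in block: h.answered_by = m.group(1)
            hops.extend(block); block = []
    return hops

def operators(hop):
    """Last two labels of each nameserver in a hop, deduplicated (who runs the NS)."""
    return sorted({".".join(t.rstrip(".").split(".")[-2:]) for t in hop.targets})

def delegation_chain(text):
    """(zone, server that referred us, operators referred to), root hop excluded."""
    return [(h.zone, h.answered_by, operators(h)) for h in parse_trace(text) if h.zone != "."]
```

Reading the chain bottom-up gives the contact order: the PTR and its zone are served by dedibox.fr, which was delegated by proxad.net, which was delegated by RIPE.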



