nanog mailing list archives

Re: DNS DDoS


From: Wil Schultz <wschultz () bsdboy com>
Date: Wed, 28 Jan 2009 11:49:51 -0800

If anyone is interested, here's what things look like from here for the past 3 days.

dns2:~ wschultz$ gzcat /var/log/named.log.01262009.gz |awk '/\.\/NS\/ IN.*denied/{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
  6 150.69.136.10
1387 76.9.16.171
2759 63.217.28.226
98680 206.71.158.30

dns2:~ wschultz$ gzcat /var/log/named.log.01272009.gz |awk '/\.\/NS\/ IN.*denied/{print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
  6 150.69.136.10
1387 76.9.16.171
2753 63.217.28.226
5521 206.71.158.30

dns2:~ wschultz$ cat /var/log/named.log |awk '/\.\/NS\/IN.*denied/ {print $6}' |sed -e 's/#.*//g' |sort |uniq -c |sort -n
  2 150.69.136.10
279 67.192.144.0
296 76.9.16.171
6519 64.57.246.123
17207 64.57.246.146
20646 70.86.80.98

-wil

On Jan 28, 2009, at 8:07 AM, Andrew Fried wrote:

Targeted victims, beginning 28-Jan-2009, as seen from my DNS server.
GeoIP data for top two sites also below:

+----------------+-------------+------------+
| host           | count(host) | Percentage |
+----------------+-------------+------------+
| 202.104.106.49 |          51 |     0.1109 |
| 210.21.218.138 |          51 |     0.1109 |
| 64.57.246.123  |        3561 |     7.7421 |
| 64.57.246.146  |       29530 |    64.2026 |
| 67.192.144.0   |         991 |     2.1546 |
| 70.86.80.98    |       11276 |    24.5157 |
| 76.9.16.171    |         535 |     1.1632 |
+----------------+-------------+------------+

GeoIP Location Information for IP: 64.57.246.146
   Located in: Suwanee, GA (US)
   Latitude: 34.0535
   Longitude: -84.0659
   Area Code: 770
   Postal Code: 30024

ARIN information for: 64.57.246.146
   DNS PTR Record:
   Registrar:         arin
   ASN Number:        AS20141
   Country:           US
   Ip Starting Block: 64.57.240.0
   IP Ending Block:   64.57.255.255
   IP Block Size:     4096
   Date Registered:   20051012
   Block Status:      allocated

BGP Peering Information for ASN20141:

PEER_AS | IP            | BGP Prefix     | CC | Registry | Allocated  | AS Name
6983    | 64.57.246.146 | 64.57.240.0/20 | US | arin     | 2005-10-12 | ITCDELTA - ITC^Deltacom
14745   | 64.57.246.146 | 64.57.240.0/20 | US | arin     | 2005-10-12 | INTERNAP-BLOCK-4 - Internap Network Services Corporation

GeoIP Location Information for IP: 70.86.80.98
   Located in: Houston, TX (US)
   Latitude: 29.7523
   Longitude: -95.3670
   Area Code: 713
   Postal Code: 77002

ARIN information for: 70.86.80.98
   DNS PTR Record:    62.50.5646.static.theplanet.com.
   Registrar:         arin
   ASN Number:        AS21844
   Country:           US
   Ip Starting Block: 70.84.0.0
   IP Ending Block:   70.87.255.255
   IP Block Size:     262144
   Date Registered:   20040729
   Block Status:      allocated

BGP Peering Information for ASN21844:

PEER_AS | IP          | BGP Prefix   | CC | Registry | Allocated  | AS Name
2914    | 70.86.80.98 | 70.84.0.0/14 | US | arin     | 2004-07-29 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356    | 70.86.80.98 | 70.84.0.0/14 | US | arin     | 2004-07-29 | LEVEL3 Level 3 Communications
3549    | 70.86.80.98 | 70.84.0.0/14 | US | arin     | 2004-07-29 | GBLX Global Crossing Ltd.
4565    | 70.86.80.98 | 70.84.0.0/14 | US | arin     | 2004-07-29 | MEGAPATH2-US - MegaPath Networks Inc.
6461    | 70.86.80.98 | 70.84.0.0/14 | US | arin     | 2004-07-29 | MFNX MFN - Metromedia Fiber Network

--
Andrew Fried
andrew.fried () gmail com
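An added example, not part of either post above: a portable rewrite of Wil's one-liner that also reports each source's share of the denied root-NS queries, as in Andrew's table, and lists the addresses that dominate the count. The log lines are constructed for the example (documentation addresses, BIND 9 security-category format with `./NS/IN`); the function names are mine.

```shell
#!/bin/sh
# Added example: count denied root-NS queries per client, as in the thread's
# awk|sed|sort|uniq pipeline, and add a percentage column like Andrew's table.

# Constructed sample of BIND security-category log lines. Field 6 is the
# "client-ip#port:" token the thread's awk prints; the last line is a denied
# query for a different name and must not be counted.
sample_log() {
  cat <<'EOF'
28-Jan-2009 10:00:01.123 security: info: client 192.0.2.10#4321: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.130 security: info: client 192.0.2.10#4322: query (cache) './NS/IN' denied
28-Jan-2009 10:00:01.141 security: info: client 192.0.2.10#4323: query (cache) './NS/IN' denied
28-Jan-2009 10:00:02.007 security: info: client 198.51.100.7#53: query (cache) './NS/IN' denied
28-Jan-2009 10:00:02.900 security: info: client 203.0.113.5#1025: query (cache) 'example.com/A/IN' denied
28-Jan-2009 10:00:03.002 security: info: client 192.0.2.10#4324: query (cache) './NS/IN' denied
EOF
}

# denied_ns_sources [FILE]: print "count ip percent" per client address for
# denied queries of "./NS/IN" (the optional space form "./NS/ IN" is accepted
# too), ascending by count. Reads stdin when no file is given. The "#port:"
# suffix is stripped in awk instead of a separate sed pass.
denied_ns_sources() {
  awk '/\.\/NS\/ ?IN.*denied/ { sub(/#.*/, "", $6); n[$6]++; total++ }
       END { for (ip in n) printf "%d %s %.2f\n", n[ip], ip, 100 * n[ip] / total }' \
      "${1:--}" | sort -n
}

# likely_victims [FILE] PCT: addresses sending more than PCT percent of the
# denied root-NS queries. In a reflection flood the source address of these
# queries is spoofed, so the heavy hitters are the targets receiving the
# replies, not the senders; that is why the thread calls them "victims".
likely_victims() {
  denied_ns_sources "${1:--}" | awk -v pct="$2" '$3 > pct { print $2 }'
}

# Stand-alone run: summarize the constructed sample.
sample_log | denied_ns_sources
```

Point `denied_ns_sources` at a real named.log (or `gzcat file.gz | denied_ns_sources`) to reproduce the thread's per-day counts with the share column.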