nanog mailing list archives

Re: d6991.com traffic

From: fire-eyes <sgtphou () fire-eyes org>
Date: Mon, 23 Sep 2013 20:01:24 -0400

It's DNS reflection attack noise:

http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html

This is a good blog for observing the domains and frequent correlationof items in whois and other traits that indicate much of this is done bythe same actors.


On 09/23/2013 12:55 PM, Christopher Hunt wrote:

Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
  75% of the traffic is for d6991.com.  Does anyone else see this?  Who are
these folks (WEBNIC.CC)?

-chris

Current thread:

d6991.com traffic Christopher Hunt (Sep 23)
- Re: d6991.com traffic Paul Ferguson (Sep 23)
  - Re: d6991.com traffic Chris Hunt (Sep 23)
    - Re: d6991.com traffic Dobbins, Roland (Sep 23)
    - Re: d6991.com traffic Chris Adams (Sep 23)
    - Re: d6991.com traffic Jared Mauch (Sep 23)
  - Re: d6991.com traffic Alain Hebert (Sep 23)
- RE: d6991.com traffic Meshier, Brent (Sep 23)
- Re: d6991.com traffic fire-eyes (Sep 23)
  - Re: d6991.com traffic Paul Ferguson (Sep 23)