nanog mailing list archives

RE: d6991.com traffic

From: "Meshier, Brent" <bmeshier () amherst com>
Date: Mon, 23 Sep 2013 17:11:04 +0000

Could be DNS packet tunneling to China, bad news.

https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

-----Original Message-----
From: Christopher Hunt [mailto:dharmachris () gmail com]
Sent: Monday, September 23, 2013 11:55 AM
To: nanog () nanog org
Subject: d6991.com traffic

Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
 75% of the traffic is for d6991.com.  Does anyone else see this?  Who are these folks (WEBNIC.CC)?

-chris

--- Please refer to http://www.amherst.com/amherst-email-disclaimer/ for important disclosures regarding this 
electronic communication.

Current thread:

d6991.com traffic Christopher Hunt (Sep 23)
- Re: d6991.com traffic Paul Ferguson (Sep 23)
  - Re: d6991.com traffic Chris Hunt (Sep 23)
    - Re: d6991.com traffic Dobbins, Roland (Sep 23)
    - Re: d6991.com traffic Chris Adams (Sep 23)
    - Re: d6991.com traffic Jared Mauch (Sep 23)
  - Re: d6991.com traffic Alain Hebert (Sep 23)
- RE: d6991.com traffic Meshier, Brent (Sep 23)
- Re: d6991.com traffic fire-eyes (Sep 23)
  - Re: d6991.com traffic Paul Ferguson (Sep 23)