nanog mailing list archives

Re: d6991.com traffic


From: Paul Ferguson <fergdawgster () mykolab com>
Date: Mon, 23 Sep 2013 17:11:03 -0700

On 9/23/2013 5:01 PM, fire-eyes wrote:

It's DNS reflection attack noise:

http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html

This is a good blog for observing the domains and frequent correlation
of items in whois and other traits that indicate much of this is done by
the same actors.



Thanks for the pointer. :-)

- ferg


On 09/23/2013 12:55 PM, Christopher Hunt wrote:
Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
75% of the traffic is for d6991.com.  Does anyone else see this?
Who are these folks (WEBNIC.CC)?

-chris







--
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington  USA
IID --> "Connect and Collaborate" --> www.internetidentity.com

