SANS ISC: DNS queries for "." SANS ISC InfoSec Forums

DNS queries for "."
After half an hour of warm-up, I am not seeing any new spoofed addresses, and the total packets per second is less than half of what it was in late January. It is roughly 1 packet per second now whereas it was roughly 2.2 packets per second, regardless of how many targets there were.

The spoofed targets I am seeing are: 76.9.16.171 (one of the initial targets which began on Jan 17), 69.64.87.156 (a pharmacy spam site which began on Jan 29) and then 89.149.209.161 (which is the pharmacy spam site I saw that began today Feb 04 at 8:31 AM).
Andrew

41 Posts
I'm now also seeing 89.149.221.182
Andrew
6 Posts
Now seeing 195.68.176.4 as of 2/10/2009 21:47 UTC
Dshield

10 Posts
Quiet for a time, now seeing 82.146.35.143 firstvds.ru, since 11:59:37 Valentine's day
Anonymous
New spoofed sources as targets are firstvds.ru [82.146.35.143] back on Feb 14th and 15th, and invest-pool.ru [62.109.4.89] starting at 3:43 PM PST (1143 UDT).
Andrew

41 Posts
As of a month ago I have been seeing the spoofed queries to my DNS, but I have different IPs. Currently they are using 62.109.4.89, 195.68.176.4, 65.173.218.96. I have talked to 2 of the IP maintainers and both have revealed DDoS attacks on those IPs.
Andrew
3 Posts
Ah! The last IP seems to be this site! Oh boy!
Andrew
3 Posts
Scratch that, I did the query test from this site. I'm an idiot.
Andrew
3 Posts
Attacks continue from 62.109.4.89
Andrew
1 Posts
I am seeing these attacks again... "origin" is from networks belonging to Mozilla and Macrovision.
Anonymous
Yeah we are seeing them again. They had all but stopped for a few months and now we are seeing "client 204.123.28.55#41293: query(cache) 'a338.g.akamaitech.net/IN' denied". All of them say a338.g.akamaitech.net/IN' denied from many different addresses.
Anonymous
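
An added example, not part of any post in this thread: a Python script that tallies denied cache queries per source address from BIND-style log lines like the one quoted in the last post, so new spoofed sources and their query rate stand out. The timestamp prefix, the sample lines (documentation-range addresses) and the `summarize` helper are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Denied-query message as quoted in the thread; accepts "query(cache)" and
# "query (cache)". The leading timestamp format is an assumption.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query ?\(cache\) "
    r"'(?P<qname>[^'/]*)/[^']*' denied"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2009-01-01 10:00:00 client 192.0.2.10#41293: query (cache) './NS/IN' denied
2009-01-01 10:00:01 client 192.0.2.10#5312: query (cache) './NS/IN' denied
2009-01-01 10:00:02 client 198.51.100.7#2201: query (cache) './NS/IN' denied
2009-01-01 10:00:03 client 192.0.2.10#60112: query (cache) './NS/IN' denied
2009-01-01 10:00:04 client 192.0.2.10#1188: query(cache) 'a338.g.akamaitech.net/IN' denied
2009-01-01 10:00:05 client 203.0.113.5#53: query (cache) 'example.com/A/IN' denied
2009-01-01 10:00:06 zone transfer complete
""".splitlines()

def summarize(lines, min_count=3):
    """Group denied cache queries by client IP; return sources at or over min_count.

    With spoofed queries the logged client address is the spoofed one,
    i.e. the address the responses would have been sent to.
    """
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rec = seen[m["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["names"].add(m["qname"])
    report = {}
    for ip, rec in seen.items():
        if rec["count"] >= min_count:
            span = (rec["last"] - rec["first"]).total_seconds()
            rec["rate"] = rec["count"] / span if span else None  # queries per second
            report[ip] = rec
    return report

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec["count"], rec["first"], sorted(rec["names"]), rec["rate"])
```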