Sat Jan 24 01:12:12 PST 2009

Here's some information I gathered from my nameserver's logs.  This is what the ongoing DDoS
looks like from over here.


attack volume distribution by day and victim
--------------------------------------------
(columns: query count, day, source IP as logged [spoofed, i.e. the victim], PTR lookup of that IP)

18867 Jan 16 69.50.137.175   69-50-137-175.nationalnet.com.
20955 Jan 16 69.50.142.11    nat1520.nationalnet.com.
  400 Jan 16 216.201.82.19   ns1.nationalnet.com.
  850 Jan 16 216.240.131.173 NXDOMAIN
76558 Jan 17 69.50.142.11    nat1520.nationalnet.com.
15279 Jan 18 69.50.142.11    nat1520.nationalnet.com.
 7681 Jan 18 69.50.142.110   TIMEOUT
39127 Jan 18 76.9.16.171     NXDOMAIN
  499 Jan 19 69.50.142.11    nat1520.nationalnet.com.
 7545 Jan 19 69.50.142.110   TIMEOUT
 7554 Jan 19 76.9.16.171     NXDOMAIN
72505 Jan 19 76.9.31.42      NXDOMAIN
30061 Jan 20 66.230.128.15   ns.isprime.com.
40497 Jan 20 66.230.160.1    ns2.isprime.com.
  265 Jan 20 69.50.142.11    nat1520.nationalnet.com.
  264 Jan 20 69.50.142.110   TIMEOUT
 6309 Jan 20 76.9.16.171     NXDOMAIN
    6 Jan 20 204.11.51.60    60.32-28.51.11.204.in-addr.arpa.
    6 Jan 20 208.37.177.62   208.37.177.62.ptr.us.xo.net.
    3 Jan 20 208.78.169.235  NXDOMAIN
    3 Jan 20 208.78.169.236  NXDOMAIN
28290 Jan 21 66.230.128.15   ns.isprime.com.
38679 Jan 21 66.230.160.1    ns2.isprime.com.
  909 Jan 21 76.9.16.171     NXDOMAIN
82194 Jan 23 63.217.28.226   63-217-28-226.static.pccwglobal.net.
  822 Jan 24 63.217.28.226   63-217-28-226.static.pccwglobal.net.


attack volume distribution by victim
------------------------------------
(columns: query count, victim by PTR name where one resolved, otherwise by IP)

113556 nat1520.nationalnet.com.
 83016 63-217-28-226.static.pccwglobal.net.
 79176 ns2.isprime.com.
 72505 76.9.31.42
 58351 ns.isprime.com.
 53899 76.9.16.171
 18867 69-50-137-175.nationalnet.com.
 15490 69.50.142.110
   850 216.240.131.173
   400 ns1.nationalnet.com.
     6 60.32-28.51.11.204.in-addr.arpa.
     6 208.37.177.62.ptr.us.xo.net.
     3 208.78.169.235
     3 208.78.169.236

Notes:
  * My system saw the attacks begin Jan 16 09:57:12.
  * These IPs are (surely) spoofed, so I label them victims.
  * The attack is a Distributed Reflected DoS (DRDoS) attack, specifically a DNS amplification
    attack.  The exact protocol-level method is an NS query for the root zone (". IN NS"),
    i.e. a query for the root's nameservers.
  * I only noticed the attack on the 21st and contacted ISPrime's NOC.  They were aware of the
    attack and were helpful and friendly.
  * Starting the afternoon of the 21st I temporarily blocked DNS access for the three actively
    "attacking" hosts: ns.isprime.com, ns2.isprime.com, and 76.9.16.171.  This was done via
    manual adjustment of the firewall filter (so that any firewall or server reset would undo the
    changes if I forgot to undo them manually).  I reset the filter at roughly 2009-01-24
    09:10.  ISPrime's ranking as the top target from this vantage point is therefore subject
    to high variability.
  * The main targets appear to be hosting / access providers.
  * Perhaps specific websites or servers are being targeted.
  * The smaller volume targets could be for testing or pranking friends or foes.
  * I'm using tinydns, which isn't answering the queries and so isn't participating in the
    amplification.
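For anyone wanting to pull the two tables above out of their own logs, here is an added example (my own code for this page, not the author's tooling) that picks out the ". IN NS" reflection signature, tallies it per day and per spoofed source, and lists sources above a threshold as the addresses to consider filtering.  It assumes a BIND-style query-log line format; the author's tinydns writes a different format, so the regex is an assumption about the input, and the sample lines are constructed, not taken from the logs above.

```python
import re
from collections import Counter

# Constructed sample lines (not from the author's logs) in a BIND-style query-log
# format; the author's tinydns writes a different format, so LINE_RE below is an
# assumption about the input, not a description of tinydns output.  Source
# 192.0.2.7 is an ordinary A query included to show that it is filtered out.
SAMPLE_LOG = """\
16-Jan-2009 09:57:12.101 client 69.50.142.11#53: query: . IN NS -
16-Jan-2009 09:57:12.102 client 69.50.142.11#53: query: . IN NS -
16-Jan-2009 09:57:13.400 client 216.201.82.19#53: query: . IN NS -
16-Jan-2009 10:03:44.001 client 192.0.2.7#41022: query: www.example.net IN A +
17-Jan-2009 00:00:01.000 client 69.50.142.11#53: query: . IN NS -
17-Jan-2009 00:00:01.001 client 69.50.142.11#53: query: . IN NS -
17-Jan-2009 00:00:01.002 client 69.50.142.11#53: query: . IN NS -
18-Jan-2009 11:12:13.000 client 76.9.16.171#53: query: . IN NS -
"""

# day, client IP, qname, qclass, qtype; the trailing flags field is ignored.
LINE_RE = re.compile(
    r"^(?P<day>\d{2}-[A-Za-z]{3}-\d{4}) \S+ client (?P<src>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def is_root_ns_query(qname, qtype):
    """The reflection signature described on this page: an NS query for the root '.'."""
    return qname == "." and qtype.upper() == "NS"


def tally(log_text):
    """Count root-NS queries per (day, source IP) and per source IP.

    The source IP of an amplification query is the spoofed address of the
    victim, so these counters are really per-victim counters.
    """
    by_day_victim = Counter()
    by_victim = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_root_ns_query(m["qname"], m["qtype"]):
            continue
        by_day_victim[(m["day"], m["src"])] += 1
        by_victim[m["src"]] += 1
    return by_day_victim, by_victim


def report(by_day_victim, by_victim):
    """Render both tables in the same shape as the ones above: count, [day], victim."""
    lines = ["attack volume distribution by day and victim"]
    for (day, src), n in sorted(by_day_victim.items()):
        lines.append(f"{n:6d} {day} {src}")
    lines.append("")
    lines.append("attack volume distribution by victim")
    for src, n in by_victim.most_common():
        lines.append(f"{n:6d} {src}")
    return "\n".join(lines)


def suspected_victims(by_victim, threshold):
    """Sources whose root-NS query count reaches the threshold, busiest first.

    The threshold is a local tuning knob (the value used below is hypothetical);
    a resolver priming its cache asks a server for the root NS set occasionally,
    not thousands of times a day.
    """
    return [src for src, n in by_victim.most_common() if n >= threshold]


if __name__ == "__main__":
    day_tab, victim_tab = tally(SAMPLE_LOG)
    print(report(day_tab, victim_tab))
    print("filter candidates:", suspected_victims(victim_tab, threshold=2))
```

The PTR column of the tables above is deliberately not reproduced: resolving each source would send more traffic toward the victims, so do it separately, rate-limited, once the list of candidates is settled.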

[ 2009-01-24 12:58:27 ] updated: additional notes