North American Network Operators Group

Re: DOS attack assistance?
Hi,

Please look for proxad.fr <-- Free

Free is an ADSL provider based in France and proxad is a hosting company (please give a look at the "dig -x" below)

dig -x 88.191.63.28

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;28.63.191.88.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
28.63.191.88.in-addr.arpa. 86400 IN     PTR     sd-11899.dedibox.fr.

;; AUTHORITY SECTION:
63.191.88.in-addr.arpa. 86400   IN      NS      dns2.dedibox.fr.
63.191.88.in-addr.arpa. 86400   IN      NS      dns1.dedibox.fr.

;; Query time: 390 msec
;; SERVER: 200.80.96.100#53(200.80.96.100)
;; WHEN: Wed Nov 26 08:46:38 2008
;; MSG SIZE  rcvd: 114

==========================

dig -x 88.191.63.28 +trace

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28 +trace
;; global options: printcmd
.                       17574   IN      NS      d.root-servers.net.
.                       17574   IN      NS      e.root-servers.net.
.                       17574   IN      NS      f.root-servers.net.
.                       17574   IN      NS      g.root-servers.net.
.                       17574   IN      NS      h.root-servers.net.
.                       17574   IN      NS      i.root-servers.net.
.                       17574   IN      NS      j.root-servers.net.
.                       17574   IN      NS      k.root-servers.net.
.                       17574   IN      NS      l.root-servers.net.
.                       17574   IN      NS      m.root-servers.net.
.                       17574   IN      NS      a.root-servers.net.
.                       17574   IN      NS      b.root-servers.net.
.                       17574   IN      NS      c.root-servers.net.
;; Received 488 bytes from 200.80.96.100#53(200.80.96.100) in 31 ms

88.in-addr.arpa.        86400   IN      NS      ns.lacnic.net.
88.in-addr.arpa.        86400   IN      NS      ns3.nic.fr.
88.in-addr.arpa.        86400   IN      NS      sec1.apnic.net.
88.in-addr.arpa.        86400   IN      NS      sec3.apnic.net.
88.in-addr.arpa.        86400   IN      NS      sunic.sunet.se.
88.in-addr.arpa.        86400   IN      NS      ns-pri.ripe.net.
88.in-addr.arpa.        86400   IN      NS      tinnie.arin.net.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms

191.88.in-addr.arpa.    172800  IN      NS      ns.ripe.net.
191.88.in-addr.arpa.    172800  IN      NS      ns0.proxad.net.
191.88.in-addr.arpa.    172800  IN      NS      ns1.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms

63.191.88.in-addr.arpa. 86400   IN      NS      dns1.dedibox.fr.
63.191.88.in-addr.arpa. 86400   IN      NS      dns2.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms

28.63.191.88.in-addr.arpa. 86400 IN     PTR     sd-11899.dedibox.fr.
191.88.in-addr.arpa.    7200    IN      NS      dns1.dedibox.fr.
191.88.in-addr.arpa.    7200    IN      NS      dns2.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms

-Max

2008/11/26 Pete Templin <[email protected]>:
> One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps
> from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards
> don't seem to be doing a proper job of that, unfortunately. The attack is a
> solid 300% more pps than our aggregate traffic levels.
>
> It's coming in via 6461, but they don't appear to have any ability to
> backtrack it. Their only offer is to blackhole the destination until the
> attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has
> little if any information publicly visible.
>
> Any pointers on what to do next?
>
> Thanks,
>
> Pete