Wednesday, May 8, 2013

[NL] 192.162.137.62 - AS16265

General Information:

Attacked IP: 192.162.137.62
Country: Netherlands

Start: 2013-05-08 20:11:16
End: 2013-05-08 21:06:49
Duration: 55 minute(s)
Average query rate: 0.18 per minute

Detected a query rate below 1 per minute. Either a low query attack or there was a long break between bursts. See chart for more details.

Requested DNS record: directedat.asia
Query count: 10

IP range: 192.162.136.0/23
AS Number: AS16265
ISP: Infinite Technologies

IP has a reverse DNS value of: pioneer.ystc.co.il

This IP has been seen on the following days:

  • 08-May-2013 10x
  • 09-May-2013 4x

Observed 1 attack:
  • Attack 1 from 20:00 till 21:00
Details of the DNS Amplification attack:

Requested DNS record: directedat.asia
Query count: 9


Start: 2013-05-08 20:11:16
End: 2013-05-08 20:59:23
Duration: 48 minute(s)
Average query rate: 0.19 per minute

Detected a query rate below 1 per minute. Either a low query attack or there was a long break between bursts. See chart for more details.

All requests were made with the DNS id: 0xca0c

Average query size: 86 bytes
Average response size: 86 bytes

Amplification: 0%

Total query size: 774 bytes / 0 kilobytes
Response size: 774 bytes / 0 kilobytes
Total bandwidth: 1548 bytes / 1 kilobytes

All observed queries were made with a TTL of: 245

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

The following 9 query UDP source port values were observed:

  • 51291 1x
  • 63636 1x
  • 56018 1x
  • 27393 1x
  • 57501 1x
  • 29907 1x
  • 14162 1x
  • 32780 1x
  • 34213 1x

2 comments:

  1. It is from a BOT. They switched DNS nameservers and they now host 256 A records.

    dig @8.8.8.8 directedat.asia +short|wc -l
    256

    Replies
    1. Hi Luke!
      Would you have more information on this bot? A sample, perhaps?

      The following post describing what I've seen / know of this domain has been in my drafts for a few days already. Might be an interesting read.

      http://dnsamplificationattacks.blogspot.com/2013/05/domain-directedatasia.html