nanog mailing list archives
Re: d6991.com traffic
From: Paul Ferguson <fergdawgster () mykolab com>
Date: Mon, 23 Sep 2013 17:11:03 -0700
On 9/23/2013 5:01 PM, fire-eyes wrote:
It's DNS reflection attack noise: http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html This is a good blog for observing the domains and frequent correlation of items in whois and other traits that indicate much of this is done by the same actors.
Thanks for the pointer. :-) - ferg
On 09/23/2013 12:55 PM, Christopher Hunt wrote:Beginning about 0900UTC we began seeing about 50x our usual DNS traffic. 75% of the traffic is for d6991.com. Does anyone else see this? Who are these folks (WEBNIC.CC)? -chris
-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate" --> www.internetidentity.com
Current thread:
- d6991.com traffic Christopher Hunt (Sep 23)
- Re: d6991.com traffic Paul Ferguson (Sep 23)
- Re: d6991.com traffic Chris Hunt (Sep 23)
- Re: d6991.com traffic Dobbins, Roland (Sep 23)
- Re: d6991.com traffic Chris Adams (Sep 23)
- Re: d6991.com traffic Jared Mauch (Sep 23)
- Re: d6991.com traffic Chris Hunt (Sep 23)
- Re: d6991.com traffic Alain Hebert (Sep 23)
- Re: d6991.com traffic Paul Ferguson (Sep 23)
- RE: d6991.com traffic Meshier, Brent (Sep 23)
- Re: d6991.com traffic fire-eyes (Sep 23)
- Re: d6991.com traffic Paul Ferguson (Sep 23)