“There is no delight in owning anything unshared.”

Cyberattacks November 2012 Part II – Spoofed DNS Service Attack

Spoofed DNS traffic here refers to traffic observed from Black Lotus Communications' IP addresses with source port 53. This traffic indicates backscatter from an attack on Black Lotus's customers. In other words, some of the IP addresses are being spoofed by the attacker for a DNS reflection attack on TCP port 53 (DNS).

Black Lotus

Backscatter is a side effect of a spoofed denial-of-service (DoS) attack. The attacker spoofs the source address in the IP packets sent to the victim so that the victim responds to the spoofed packets; these response packets are known as backscatter. The backscatter response packets from the victim are sent to the spoofed address.

Spoofed DNS
A DDoS mitigation services provider will need to validate the real source of the DNS reflection attack by responding to the spoofed packets. This explains the appearance of IP(s) from Black Lotus Communications with source port 53.

Block Black Lotus Communications IP(s):

  • 199.59.160.0 – 199.59.167.255
  • 208.64.120.0 – 208.64.127.255
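Before adding a block rule, it helps to measure how much logged traffic actually matches the pattern described above (source port 53 from these two ranges). The following is an added example, not part of the original post; the log line format and the sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# The two ranges listed on this page, as (first, last) address pairs.
PAGE_RANGES = [("199.59.160.0", "199.59.167.255"),
               ("208.64.120.0", "208.64.127.255")]

def to_networks(ranges):
    """Convert first-last ranges into the CIDR blocks a firewall rule needs."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

NETWORKS = to_networks(PAGE_RANGES)

# Assumed (constructed) firewall log layout: "<ts> SRC=.. SPT=.. DST=.. DPT=.. PROTO=.."
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) SPT=(?P<spt>\d+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")

def classify(line):
    """Return 'backscatter', 'other' or 'unparsed' for one log line."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:          # SRC field is not a valid IP address
        return "unparsed"
    # Pattern from the page: listed ranges AND source port 53.
    if int(m["spt"]) == 53 and any(src in net for net in NETWORKS):
        return "backscatter"
    return "other"

def summarize(lines):
    return Counter(classify(line) for line in lines)

# Constructed sample lines; destinations use documentation address space.
SAMPLE_LOG = [
    "2012-11-20T10:00:01 SRC=199.59.161.10 SPT=53 DST=192.0.2.10 DPT=41233 PROTO=TCP",
    "2012-11-20T10:00:02 SRC=208.64.127.255 SPT=53 DST=192.0.2.10 DPT=50211 PROTO=TCP",
    "2012-11-20T10:00:03 SRC=199.59.168.1 SPT=53 DST=192.0.2.10 DPT=50212 PROTO=TCP",
    "2012-11-20T10:00:04 SRC=208.64.120.7 SPT=443 DST=192.0.2.10 DPT=50213 PROTO=TCP",
    "2012-11-20T10:00:05 kernel: interface eth0 up",
    "2012-11-20T10:00:06 SRC=not-an-ip SPT=53 DST=192.0.2.10 DPT=50214 PROTO=TCP",
]

if __name__ == "__main__":
    print([str(n) for n in NETWORKS])
    print(dict(summarize(SAMPLE_LOG)))
```

Each listed range collapses to a single /21 block, which is the form most firewall and router rule syntaxes accept.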

Advisories
Configure Unicast Reverse Path Forwarding (uRPF) on network routers to prevent IP address spoofing.
