Hi,

Please look for proxad.fr <-- Free. Free is an ADSL provider based in France and proxad is a hosting company (please have a look at the "dig -x" below).

dig -x 88.191.63.28

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;28.63.191.88.in-addr.arpa. IN PTR

;; ANSWER SECTION:
28.63.191.88.in-addr.arpa. 86400 IN PTR sd-11899.dedibox.fr.

;; AUTHORITY SECTION:
63.191.88.in-addr.arpa. 86400 IN NS dns2.dedibox.fr.
63.191.88.in-addr.arpa. 86400 IN NS dns1.dedibox.fr.

;; Query time: 390 msec
;; SERVER: 200.80.96.100#53(200.80.96.100)
;; WHEN: Wed Nov 26 08:46:38 2008
;; MSG SIZE rcvd: 114

==========================

dig -x 88.191.63.28 +trace

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28 +trace
;; global options: printcmd
. 17574 IN NS d.root-servers.net.
. 17574 IN NS e.root-servers.net.
. 17574 IN NS f.root-servers.net.
. 17574 IN NS g.root-servers.net.
. 17574 IN NS h.root-servers.net.
. 17574 IN NS i.root-servers.net.
. 17574 IN NS j.root-servers.net.
. 17574 IN NS k.root-servers.net.
. 17574 IN NS l.root-servers.net.
. 17574 IN NS m.root-servers.net.
. 17574 IN NS a.root-servers.net.
. 17574 IN NS b.root-servers.net.
. 17574 IN NS c.root-servers.net.
;; Received 488 bytes from 200.80.96.100#53(200.80.96.100) in 31 ms
88.in-addr.arpa. 86400 IN NS ns.lacnic.net.
88.in-addr.arpa. 86400 IN NS ns3.nic.fr.
88.in-addr.arpa. 86400 IN NS sec1.apnic.net.
88.in-addr.arpa. 86400 IN NS sec3.apnic.net.
88.in-addr.arpa. 86400 IN NS sunic.sunet.se.
88.in-addr.arpa. 86400 IN NS ns-pri.ripe.net.
88.in-addr.arpa. 86400 IN NS tinnie.arin.net.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms
191.88.in-addr.arpa. 172800 IN NS ns.ripe.net.
191.88.in-addr.arpa. 172800 IN NS ns0.proxad.net.
191.88.in-addr.arpa. 172800 IN NS ns1.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms
63.191.88.in-addr.arpa. 86400 IN NS dns1.dedibox.fr.
63.191.88.in-addr.arpa. 86400 IN NS dns2.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms
28.63.191.88.in-addr.arpa. 86400 IN PTR sd-11899.dedibox.fr.
191.88.in-addr.arpa. 7200 IN NS dns1.dedibox.fr.
191.88.in-addr.arpa. 7200 IN NS dns2.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms

-Max

2008/11/26 Pete Templin <petelists@templin.org>:
One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels.
It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.
Any pointers on what to do next?
Thanks,
Pete
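As an added example (not part of the thread), a small Python parser that turns `dig -x ... +trace` output like Max's into the reverse-DNS delegation chain, so the nameserver operators at each level (RIPE, proxad, dedibox in the thread) are visible at a glance when deciding whom to contact about a source address. The SAMPLE text is constructed from an abridged copy of the quoted output; the function names are my own.

```python
import re
from ipaddress import IPv4Address

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|PTR)\s+(\S+)$")
RECV = re.compile(r"^;; Received \d+ bytes from \S+\((\S+)\)")
# Constructed sample, abridged from the +trace output quoted in the thread.
SAMPLE = """\
. 17574 IN NS a.root-servers.net.
;; Received 488 bytes from 200.80.96.100#53(200.80.96.100) in 31 ms
88.in-addr.arpa. 86400 IN NS ns-pri.ripe.net.
88.in-addr.arpa. 86400 IN NS ns3.nic.fr.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms
191.88.in-addr.arpa. 172800 IN NS ns.ripe.net.
191.88.in-addr.arpa. 172800 IN NS ns0.proxad.net.
191.88.in-addr.arpa. 172800 IN NS ns1.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms
63.191.88.in-addr.arpa. 86400 IN NS dns1.dedibox.fr.
63.191.88.in-addr.arpa. 86400 IN NS dns2.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms
28.63.191.88.in-addr.arpa. 86400 IN PTR sd-11899.dedibox.fr.
191.88.in-addr.arpa. 7200 IN NS dns1.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms
"""

def reverse_name(ip):
    """PTR owner name for an IPv4 address, e.g. 28.63.191.88.in-addr.arpa."""
    return IPv4Address(ip).reverse_pointer + "."

def parse_trace(text):
    """Split +trace output into hops: the records each server returned."""
    hops, records = [], []
    for line in text.splitlines():
        if m := RR.match(line):
            records.append(m.groups())          # (owner, type, rdata)
        elif m := RECV.match(line):
            hops.append({"answered_by": m.group(1), "records": records})
            records = []
    return hops

def delegation_chain(text):
    """Return ([(zone, [ns, ...]), ...], ptr): NS operators per level, then the PTR."""
    chain, ptr = [], None
    for hop in parse_trace(text):
        ptrs = [r for o, t, r in hop["records"] if t == "PTR"]
        if ptrs:                                 # last hop: the answer itself
            ptr = ptrs[0]
            break
        zone = hop["records"][0][0]              # owner of the NS referral
        chain.append((zone, [r for o, t, r in hop["records"] if o == zone]))
    return chain, ptr
```

The chain's second-to-last entry is usually the most useful one: it names the nameservers of the organisation that delegated the /24 (here ns0/ns1.proxad.net), which is often a better abuse contact than the leaf hoster.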