On Sun, 8 May 2005, Rodney Joffe wrote: I will check whether our telescope is missing tcp/53 pkts. -Hank
At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote:
I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May 1-7) and could not find any listed for 216.168.229.0/24, worldnic.com, netsol.com or AS6245.
-Hank
worldnic.com. 86400 IN NS ns1.netsol.com. worldnic.com. 86400 IN NS ns2.netsol.com. worldnic.com. 86400 IN NS ns3.netsol.com.
;; ADDITIONAL SECTION: ns1.netsol.com. 86400 IN A 216.168.229.228 ns2.netsol.com. 86400 IN A 216.168.229.229 ns3.netsol.com. 86400 IN A 216.168.229.229
I believe the issues (reported on NANOG specifically) related to ns*.worldnic.com (seemingly ns1 through ns100.worldnic.com) which seem to be mostly related to 216.168.225.0/24 with some smatterings in 216.168.228.0/24. Some examination during the event, and since then, would indicate that traceroutes to these /24s result in endpoints that are in the same location, apparently in the DC area. Anycast would not seem to be involved.
It further seems that these nameservers are used primarily by customers of their bundled with a domain name dns offering, with minimal cost. There are in excess of 300,000 domains that point to ns*.worldnic.net as being authoritative, that I have been able to identify so far. It seems that a large number of domain name registrants might have been affected, although many were unaware.
And I assume that it is obvious that this is all "Network Solutions", the Registrar Business, as distinct from the now completely unrelated company, Verisign, the Registry Operator.
Rodney Joffe CenterGate Research Group, LLC http://www.centergate.com "Technology so advanced, even WE don't understand it"(R)