24 Sep
2013
24 Sep
'13
12:11 a.m.
On 9/23/2013 5:01 PM, fire-eyes wrote:
It's DNS reflection attack noise:
http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html
This is a good blog for observing the domains and frequent correlation of items in whois and other traits that indicate much of this is done by the same actors.
Thanks for the pointer. :-) - ferg
On 09/23/2013 12:55 PM, Christopher Hunt wrote:
Beginning about 0900UTC we began seeing about 50x our usual DNS traffic. 75% of the traffic is for d6991.com. Does anyone else see this? Who are these folks (WEBNIC.CC)?
-chris
-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate" --> www.internetidentity.com