[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

d6991.com traffic

Subject: d6991.com traffic
From: bmeshier at amherst.com (Meshier, Brent)
Date: Mon, 23 Sep 2013 17:11:04 +0000
In-reply-to: <CAP+vuLXX8UOE8NSB3ht5L-Rj-kfMhmHmXimojPv6qG=wD7449w@mail.gmail.com>
References: <CAP+vuLXX8UOE8NSB3ht5L-Rj-kfMhmHmXimojPv6qG=wD7449w@mail.gmail.com>

Could be DNS packet tunneling to China, bad news.

https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

-----Original Message-----
From: Christopher Hunt [mailto:dharmachris at gmail.com]
Sent: Monday, September 23, 2013 11:55 AM
To: nanog at nanog.org
Subject: d6991.com traffic

Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
 75% of the traffic is for d6991.com.  Does anyone else see this?  Who are these folks (WEBNIC.CC)?

-chris

--- Please refer to http://www.amherst.com/amherst-email-disclaimer/ for important disclosures regarding this electronic communication.

References:
- d6991.com traffic
  - From: dharmachris at gmail.com (Christopher Hunt)

Prev by Date: d6991.com traffic
Next by Date: d6991.com traffic
Previous by thread: d6991.com traffic
Next by thread: d6991.com traffic
Index(es):
- Date
- Thread