[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

d6991.com traffic

Subject: d6991.com traffic
From: fergdawgster at mykolab.com (Paul Ferguson)
Date: Mon, 23 Sep 2013 17:11:03 -0700
In-reply-to: <[email protected]>
References: <CAP+vuLXX8UOE8NSB3ht5L-Rj-kfMhmHmXimojPv6qG=wD7449w@mail.gmail.com> <[email protected]>

On 9/23/2013 5:01 PM, fire-eyes wrote:

> It's DNS reflection attack noise:
>
> http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html
>
> This is a good blog for observing the domains and frequent correlation
> of items in whois and other traits that indicate much of this is done by
> the same actors.
>


Thanks for the pointer. :-)

- ferg


> On 09/23/2013 12:55 PM, Christopher Hunt wrote:
>> Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
>>   75% of the traffic is for d6991.com.  Does anyone else see this?
>> Who are
>> these folks (WEBNIC.CC)?
>>
>> -chris
>>
>
>
>
>


-- 
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington  USA
IID --> "Connect and Collaborate" --> www.internetidentity.com

References:
- d6991.com traffic
  - From: dharmachris at gmail.com (Christopher Hunt)
- d6991.com traffic
  - From: sgtphou at fire-eyes.org (fire-eyes)

Prev by Date: d6991.com traffic
Next by Date: iOS 7 update traffic
Previous by thread: d6991.com traffic
Next by thread: spam to nanog folks from qualisystems.com?
Index(es):
- Date
- Thread