To be more specific, at 16:17:13 today we saw a large volume of reverse DNS lookups from IP addresses that WHOIS to capitalone-bank. We suspect this may be a lead-up to a DNS-query-based DDoS attack and that they are creating a word list for the automated attack. I wanted to share the info now so everyone can be on the lookout for similar activity.

{
  "cidr": "204.63.32.0/19",
  "city": "McLean",
  "state": "VA",
  "postal": "22102",
  "update": "2011-07-25",
  "address": "1680 Capital One Drive",
  "country": "US",
  "netname": "CAPITALONE-BANK",
  "nettype": "Direct Allocation",
  "orgname": "Capital One Financial Corporation",
  "regdate": "2001-02-12",
  "netrange": "204.63.32.0 - 204.63.63.255",
  "org_tech_email": "brian.dymon@capitalone.com",
  "org_tech_phone": "+1-804-314-4829",
  "org_abuse_email": "brian.dymon@capitalone.com",
  "org_abuse_phone": "+1-804-314-4829"
}
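A sketch of the check the message above describes, added here as an example and not part of the thread or anyone's posted code: it parses constructed BIND-style query-log lines, counts PTR lookups per client inside a sliding time window, and tags the flagged sources that fall inside the netblock from the WHOIS record quoted above. The log line layout, the 192.0.2.0/24 range being reverse-resolved, the 60-second window and the threshold of 3 are all assumptions chosen for the illustration.

```python
"""Flag sources generating a burst of reverse-DNS (PTR) lookups.

Added example, not code from the USHE-ISO thread. Assumes BIND-style
query-log lines (constructed below). The watched netblock is the one
from the WHOIS record quoted in the message (204.63.32.0/19).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Netblock taken from the quoted WHOIS record.
WATCHED_NETS = [ipaddress.ip_network("204.63.32.0/19")]

# Assumed BIND "queries" channel layout, e.g.
# 21-Sep-2022 16:17:13.004 client 204.63.40.17#53211 (17.2.0.192.in-addr.arpa): query: 17.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: one client sweeping PTR records for 192.0.2.x (assumed
# campus range), one single PTR query, one slow out-of-netblock client, and
# one line that is not a query record at all.
SAMPLE_LOG = [
    "21-Sep-2022 16:17:13.004 client 204.63.40.17#53211 (17.2.0.192.in-addr.arpa): query: 17.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "21-Sep-2022 16:17:13.190 client 204.63.40.17#53212 (18.2.0.192.in-addr.arpa): query: 18.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "21-Sep-2022 16:17:14.010 client 204.63.40.17#53213 (19.2.0.192.in-addr.arpa): query: 19.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "21-Sep-2022 16:17:15.300 client 204.63.40.17#53214 (www.weber.edu): query: www.weber.edu IN A + (10.0.0.53)",
    "21-Sep-2022 16:17:16.777 client 204.63.40.17#53215 (20.2.0.192.in-addr.arpa): query: 20.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "21-Sep-2022 16:17:20.001 client 204.63.50.2#40001 (1.2.0.192.in-addr.arpa): query: 1.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "21-Sep-2022 16:17:21.500 client 10.1.2.3#40002 (5.2.0.192.in-addr.arpa): query: 5.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "21-Sep-2022 16:19:30.000 client 10.1.2.3#40003 (6.2.0.192.in-addr.arpa): query: 6.2.0.192.in-addr.arpa IN PTR + (10.0.0.53)",
    "this line is not a query log entry",
]


def parse_line(line):
    """Return a dict for a query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
        "src": ipaddress.ip_address(m["src"]),
        "qname": m["qname"],
        "qtype": m["qtype"],
    }


def in_watched_net(addr):
    """True if addr (an ipaddress object) lies in any watched netblock."""
    return any(addr in net for net in WATCHED_NETS)


def ptr_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Map source IP (as str) -> peak number of reverse lookups seen from it
    within any sliding `window`, for sources that reach `threshold`."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == "PTR" and rec["qname"].endswith(".in-addr.arpa"):
            by_src[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged


def report(lines, **kw):
    """Split flagged sources into those inside the watched netblock and the rest."""
    flagged = ptr_bursts(lines, **kw)
    watched = {s: n for s, n in flagged.items() if in_watched_net(ipaddress.ip_address(s))}
    other = {s: n for s, n in flagged.items() if s not in watched}
    return {"watched": watched, "other": other}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample above only 204.63.40.17 crosses the threshold (four PTR queries inside a few seconds); the single lookup from 204.63.50.2 and the two slow ones from 10.1.2.3 do not. Tune the window and threshold against a day of your own resolver's log before alerting on it, since legitimate mail servers and log analysers also issue PTR queries in batches.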

On Wed, Sep 21, 2022 at 11:08 AM Eric Bennick <ebennick@weber.edu> wrote:
Andrew, can we add an agenda item to discuss unusual DNS activity and compromised accounts?

On Mon, Sep 19, 2022 at 11:06 PM Andrew Goble via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
Tentative Agenda Attached.  Please let me know if there are other pressing items and I'll fit them in.

Zoom Info:
Andrew Goble is inviting you to a scheduled Zoom meeting.

Topic: USHE ISO Meeting
Time: Sep 22, 2022 02:00 PM Mountain Time (US and Canada)

Join Zoom Meeting
https://utahtech-edu.zoom.us/j/87208272178?pwd=bHcxRkxLcHhxUng2VnVzMEFQTm5tZz09

Meeting ID: 872 0827 2178
Passcode: yh!8.6

Thanks,
Andrew
--
USHE-ISO mailing list
USHE-ISO@lists.dixie.edu
http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso