
Tentative Agenda Attached. Please let me know if there are other pressing items and I'll fit them in.
Zoom Info: Andrew Goble is inviting you to a scheduled Zoom meeting.
Topic: USHE ISO Meeting
Time: Sep 22, 2022 02:00 PM Mountain Time (US and Canada)
Join Zoom Meeting
https://utahtech-edu.zoom.us/j/87208272178?pwd=bHcxRkxLcHhxUng2VnVzMEFQTm5tZ...
Meeting ID: 872 0827 2178
Passcode: yh!8.6
Thanks, Andrew

Andrew, can we add an agenda item to discuss unusual DNS activity and compromised accounts?
On Mon, Sep 19, 2022 at 11:06 PM Andrew Goble via USHE-ISO < ushe-iso@lists.dixie.edu> wrote:
Tentative Agenda Attached. Please let me know if there are other pressing items and I'll fit them in.
Zoom Info: Andrew Goble is inviting you to a scheduled Zoom meeting.
Topic: USHE ISO Meeting
Time: Sep 22, 2022 02:00 PM Mountain Time (US and Canada)
Join Zoom Meeting
https://utahtech-edu.zoom.us/j/87208272178?pwd=bHcxRkxLcHhxUng2VnVzMEFQTm5tZ...
Meeting ID: 872 0827 2178
Passcode: yh!8.6
Thanks, Andrew

To be more specific, at 16:17:13 today we saw a large volume of reverse DNS lookups from IP addresses that WHOIS to capitalone-bank. We suspect this may be a lead-up to a DNS-query-based DDoS attack and they are creating a word list for the automated attack. I wanted to share the info now so everyone can be on the lookout for similar activity.
{
  "cidr": "204.63.32.0/19",
  "city": "McLean",
  "state": "VA",
  "postal": "22102",
  "update": "2011-07-25",
  "address": "1680 Capital One Drive",
  "country": "US",
  "netname": "CAPITALONE-BANK",
  "nettype": "Direct Allocation",
  "orgname": "Capital One Financial Corporation",
  "regdate": "2001-02-12",
  "netrange": "204.63.32.0 - 204.63.63.255",
  "org_tech_email": "brian.dymon@capitalone.com",
  "org_tech_phone": "+1-804-314-4829",
  "org_abuse_email": "brian.dymon@capitalone.com",
  "org_abuse_phone": "+1-804-314-4829"
}
On Wed, Sep 21, 2022 at 11:08 AM Eric Bennick ebennick@weber.edu wrote:
Andrew, can we add an agenda item to discuss unusual DNS activity and compromised accounts?
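One way to look for the burst of reverse lookups described in the message above, as an added example that is not part of the original thread: it counts PTR queries per source in a sliding time window and reports sources inside a watched range. The BIND-style log layout, the window and threshold values, and every sample line are assumptions constructed for illustration; only the 204.63.32.0/19 range comes from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND-style query log layout; adapt the pattern to your resolver.
LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@\S+ )?"
    r"(?P<src>[0-9a-fA-F.:]+)#\d+ .*?query: \S+ IN (?P<qtype>\S+)"
)

def ptr_bursts(lines, watch_cidr="0.0.0.0/0", window_s=60, threshold=100):
    """Map sources in watch_cidr to their peak PTR count per window, if >= threshold."""
    net = ipaddress.ip_network(watch_cidr)
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["qtype"] != "PTR":
            continue  # unparsable line or not a reverse lookup
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed client address
        if src in net:
            seen[str(src)].append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"))
    window, hits = timedelta(seconds=window_s), {}
    for src, stamps in seen.items():
        stamps.sort()
        peak = lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits

def sample_log():
    """Constructed log lines (not from the thread): PTR bursts, a quiet source, A queries."""
    fmt = ("21-Sep-2022 16:17:{s:02d}.000 client @0x7f00 {src}#4{n:04d} ({q}): "
           "query: {q} IN {t} -E(0)DC (192.0.2.53)")
    rows = [fmt.format(s=13 + n // 50, src="204.63.40.17", n=n, q=f"{n}.2.0.192.in-addr.arpa", t="PTR") for n in range(150)]
    rows += [fmt.format(s=20, src="204.63.33.9", n=n, q=f"{n}.2.0.192.in-addr.arpa", t="PTR") for n in range(3)]
    rows += [fmt.format(s=21, src="10.1.2.3", n=n, q=f"{n}.2.0.192.in-addr.arpa", t="PTR") for n in range(200)]
    rows += [fmt.format(s=22, src="204.63.40.17", n=n, q="www.example.edu", t="A") for n in range(40)]
    return rows

if __name__ == "__main__":
    print(ptr_bursts(sample_log(), "204.63.32.0/19"))
```

Tune `window_s` and `threshold` against a baseline of normal PTR traffic, since mail servers and log analyzers legitimately issue many reverse lookups.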