[CDP-development] Recent IOCs
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Thu Apr 16 08:49:43 PDT 2026
Brief Description of the incident:
On April 10, 2026, DDoS traffic began displaying in one of our security tools. The attack destination was one of State of Oregon’s (SoO) external DNS servers using UDP port 53. During observation, the average attack was about 300Kbps but peaks were at 1.0-2.1Mbps.
As of April 14th, 2026 at 1300 hrs the attack is still ongoing and our provider is dropping attack traffic for UDP port 53.
Peak attacks last 1-3 minutes. Attack times have varied between 20 min – 1.5+ hrs.
The top 5 attack sources seen thus far are the following:
IP Address            Source Location
117.144.107.66/32     China
42.187.141.94/32      China
69.252.228.139/32     US
1.13.14.98/32         China
37.140.164.224/32     Russia
Additional actions: We have requested that our vendor implement geographic blocking aligned with the State’s sanctioned country restrictions.
At this time, the observed DDoS activity has not reached or impacted the State’s network perimeter, and no State-managed security controls have been engaged. The activity is currently being observed and handled upstream through our third-party provider, Link Oregon.
As a proactive measure, we have asked the vendor to evaluate and implement country-based blocking consistent with State standards to further reduce potential exposure at the provider level.
Additional top talkers:
Iterations of these US IP’s have occurred in each attack. United States sources BGP AS42 (WoodyNet, Inc) - ref 74.63.16.0/20 - bgp.tools<https://bgp.tools/prefix/74.63.16.0/20#dns>.
Additional IOC’s:
Thanks,
BRIAN GOERGEN, CISSP
Security Analyst III | Security Operations Center
Team Lead | Detection & Response
Enterprise Information Services | Cyber Security Services (CSS)
Phone: (503)507-4183 | Hotline: (503) 378-5930
“Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians.”
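
Added example (not part of the original message or the SOC's tooling): one way to pull the peak windows and top talkers described above out of flow records, bucketing UDP/53 traffic per minute and grouping consecutive minutes at or above 1.0 Mbps into one event. The record layout, the threshold constant and the sample flows are assumptions; the addresses are RFC 5737 documentation ranges, not sources from this report.

```python
from collections import Counter, defaultdict

PEAK_KBPS = 1000  # assumption: low end of the 1.0-2.1 Mbps peaks reported above

# Constructed flow records: (epoch_second, src_ip, proto, dst_port, bytes).
# Addresses are RFC 5737 documentation ranges, not sources from the report.
FLOWS = [
    (5,   "192.0.2.10",   "udp", 53,  1_500_000),
    (30,  "198.51.100.7", "udp", 53,    750_000),   # minute 0: 300 Kbps baseline
    (65,  "192.0.2.10",   "udp", 53,  6_000_000),
    (70,  "203.0.113.9",  "tcp", 443, 50_000_000),  # not DNS, must be ignored
    (90,  "192.0.2.44",   "udp", 53,  5_250_000),   # minute 1: 1500 Kbps
    (125, "192.0.2.10",   "udp", 53,  9_000_000),
    (150, "192.0.2.44",   "udp", 53,  6_750_000),   # minute 2: 2100 Kbps
    (185, "198.51.100.7", "udp", 53,  2_250_000),   # minute 3: back to 300 Kbps
]

def per_minute_kbps(flows):
    """Return {minute: (kbps, Counter of bytes per source)} for UDP/53 only."""
    buckets = defaultdict(Counter)
    for ts, src, proto, dport, nbytes in flows:
        if proto == "udp" and dport == 53:
            buckets[ts // 60][src] += nbytes
    return {m: (sum(c.values()) * 8 / 60 / 1000, c) for m, c in buckets.items()}

def find_peaks(flows, threshold_kbps=PEAK_KBPS):
    """Group consecutive minutes at or above the threshold into peak events."""
    rates = per_minute_kbps(flows)
    events, current = [], None
    for minute in sorted(rates):
        kbps, sources = rates[minute]
        if kbps < threshold_kbps:
            current = None          # peak (if any) has ended
            continue
        if current and minute == current["start"] + current["minutes"]:
            current["minutes"] += 1
            current["max_kbps"] = max(current["max_kbps"], kbps)
            current["sources"] += sources
        else:                       # first minute of a new peak
            current = {"start": minute, "minutes": 1,
                       "max_kbps": kbps, "sources": Counter(sources)}
            events.append(current)
    return events

if __name__ == "__main__":
    for ev in find_peaks(FLOWS):
        print(f"peak from minute {ev['start']} for {ev['minutes']} min, "
              f"max {ev['max_kbps']:.0f} Kbps, top talkers: {ev['sources'].most_common(5)}")
```
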