I'm doing a bit of cursory research into GreyNoise data WRT CVE-2020-1350.
The following IPs have blasted the Internet with large DNS requests (>1000 bytes) in the past 24 hours:
(sorted by packet count)
It's important to note that these packets can be spoofed by anyone with access to networks configured to allow it, which certainly muddies the waters.
Copy/paste this gist here (https://viz.greynoise.io/analysis) for a quick and dirty analysis.
Or drive through the following absolutely revolting GreyNoise visualizer query to look at these devices in GN individually.
More on this as soon as the situation develops.
--Andrew
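
The tally described in the post (sources of DNS requests over 1000 bytes in the past 24 hours, sorted by packet count) can be reproduced against local sensor logs. This is an added example, not part of the original post and not GreyNoise code; the record format, the function name and the sample addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SIZE_THRESHOLD = 1000          # bytes, the ">1000 bytes" cut-off from the post
WINDOW = timedelta(hours=24)   # "past 24 hours"

# Constructed sample records: "ISO-timestamp src_ip proto dst_port dns_bytes".
# Addresses are from the RFC 5737 documentation ranges, not real observations.
SAMPLE = """\
2020-07-15T01:10:00 192.0.2.10 udp 53 1420
2020-07-15T02:11:00 192.0.2.10 udp 53 1398
2020-07-15T03:00:00 198.51.100.7 tcp 53 4096
2020-07-15T03:05:00 203.0.113.5 udp 53 1100
2020-07-15T04:00:00 192.0.2.10 tcp 53 1201
2020-07-13T23:00:00 198.51.100.7 udp 53 1500
2020-07-15T05:00:00 203.0.113.9 udp 123 1400
2020-07-15T06:00:00 198.51.100.99 udp 53 1000
not a record
"""

def large_dns_sources(text, now):
    """Return [(count, src_ip, sorted transports)], highest packet count first."""
    counts, transports = Counter(), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines
        ts, src, proto, port, size = parts
        try:
            when, port, size = datetime.fromisoformat(ts), int(port), int(size)
        except ValueError:
            continue                      # skip unparsable fields
        if port != 53 or size <= SIZE_THRESHOLD:
            continue                      # not DNS, or not "large"
        if not (now - WINDOW <= when <= now):
            continue                      # outside the 24-hour window
        counts[src] += 1
        transports[src].add(proto)
    # Highest count first; ties broken by address for stable output.
    return [(n, ip, sorted(transports[ip]))
            for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

if __name__ == "__main__":
    for n, ip, protos in large_dns_sources(SAMPLE, datetime(2020, 7, 15, 12, 0)):
        # A UDP-only source is unverified: no handshake shows the sender owns the address.
        note = "udp only, source may be spoofed" if protos == ["udp"] else ""
        print(f"{n:3d} {ip} {','.join(protos)} {note}".rstrip())
```
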
Looks like I forgot to attach the revolting GNQL query. Stand by....