[dns-operations] .se being used as seed data in dns attacks

william(at)elan.net william at elan.net
Thu Aug 10 18:51:59 UTC 2006


I've noticed that on one of the servers (that is open to the public but in
limited form, which I'm not about to start explaining here) there are
'ANY' requests coming for "se". This to me looks like an attempt to
cause DoS like we all heard about in the last months. The IPs that get
firewalled for such requests appear to be several in a country that
the US and a few others have problems with (which in fact means it's
an attack on servers in that country; somebody interested may ask
me privately).

In any case I want to print here results of what the se zone looks like,
I think it's a bit too long even (or especially) for a GTLD. And yes,
I know "se" is trying to be a good netizen and be in the front with
all the latest technologies, but the issue appears to be that it's
exactly because their zone is being used in this way. This kind of
points out what can happen if you deploy this all as well...

; <<>> DiG 9.2.4 <<>> @<removed> any se
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51722
;; flags: qr rd ra; QUERY: 1, ANSWER: 25, AUTHORITY: 9, ADDITIONAL: 12

;; QUESTION SECTION:
;se.                            IN      ANY

;; ANSWER SECTION:
se.                     7200    IN      TYPE47  \# 17 
03302D3002736500000722008000000380
se.                     3600    IN      TYPE48  \# 134 
010003050103E15F61F2AB243F8594A8F916B6976AB5D2D87AFF77F7 
E0BE36FAF5C922619DBB2A7450035800A753EB1FDCB7433D1E05F6C2 
1DFC6530754F5BEDC469953271CDC04E894B364CF7039F0309CD87B6 
928F33965AC8E52649BA73E43EE5EDD2BB2D391F63676318195E7594 
0A11A9803039B53603F69E79547EAA17BA241C075D7B
se.                     3600    IN      TYPE48  \# 264 
0101030503010001AC4F31C476C741DB415E1679907AA040D7FABD10 
33AE4A6E14E3AD6D596804663E111965EDD8F627E012EABBBD9FF319 
951D106356CBE259CEEB34954A6DC208C6C21512D79E7C1DBE092946 
DB39370CF29C17963D04897DE80C55668C73B8E3880B9013942947FF 
982EC7BDFC181FF05EDB61A70A5AE29CA269D4E838CB0CCEF5682532 
4EE36DF5B7DE050ABE2AD31EBDB918BED24D053305BE54B31B7C9609 
F24D41ECD6DDC9C0263984A67A0AA1719805593F6D228138B18A7FF5 
2DCAE05FF28C10677F6EEBC5E2A242C9DBA2787BA4B98DC7E1730071 
1FB189ADA72143EF9BFA32591F015BF8567733AF9D20938651DFDF18 
9895E0DBB7FA35393434F40D
se.                     3600    IN      TYPE48  \# 134 
010003050103AD167F76A691C119570228330943E29913E374A30B07 
6E33C1E262ABB860B354791176593482EED68E08E9C3FE665745D978 
8E7328CB752045F043A32FACBC9CB2150DDD20E59BF84BE9EF652410 
9DC9DD81552A8B031B38786D583E4E52CC119578A48D3316237A49E8 
FC14FB723DFC9C20DBD4F2EEB0FFF044B76C398206ED
se.                     3600    IN      TYPE48  \# 134 
010003050103C048CC42C941D5344B92DFE8B2A617FEA64F59491D4F 
92B557C46E3E61E9B3F23891F45218A9B1D798AFA68697C3CD0A9D95 
AE959B16A6814210DFFE753655A7648730647EB92F5234DD6BF4FE99 
9DD22BFF5DEB39A722E5982A4EA610C9DBA6EB308A91F8AD05F809FB 
30364574ABD4F40048E628CDCC6D78536958F7A9835F
se.                     3600    IN      TYPE48  \# 134 
010003050103C7E11932776F208FCBF8E392C4095B89C9130473E4B6 
7AF22A5C73AD8AF5010DED0EA13E38AE6B791CFDD918A5C23706B536 
3399A49C1A93D01788AE159A1B7EF1CCF474483C15D0D1DFA6E7ED09 
F957535F27383D19129114C6EDFE9BDF905756FDA10B55B691CF9391 
EA8907169753B2D4B76908645129C41BB2F28D049795
se.                     3600    IN      TYPE46  \# 150 
002F050100001C2044E19EC744D96D35D3E502736500C4A98446D22E 
AC637CFD0DD676A83782397E17DF4877896979EB05783DF8EB56ED2D 
CF78A068191270B6CFBF76B6C652CAB6CF5104D873FA97CA82F7EFF7 
4E15FA25DC19273D261F4F0FB296AD60B627A5BA621381876A462DAF 
7C6FD398A5FF8884F7652314CEF732671B37280DCA4018E82A59C5E1 
DB676EE627815A624F88
se.                     3600    IN      TYPE46  \# 150 
0030050100000E1044E1CB6444D98956D3E502736500327461F91D94 
2D575E63731D3DB1A4C4A01408880F98D800144FD520D1C828FA92D1 
330D6B7FEF8719063922927F50EEC0A6DC02A6FAED538B489EF67A69 
27CC33CB8D11990ADC30AC06B7A10060D23DE0B2DD9B8D6DA62EC9A5 
1FD3EC5AFFD714B38124FF5A6F5949C8CCD0E38C9CFD7F55E557C7EB 
9E60D3B94FCE9355E8BA
se.                     3600    IN      TYPE46  \# 278 
0030050100000E1045089B8044CDCEBF45160273650069CE0FE1E01F 
4738A9AE6F94E5D7C3433F6F2C24DA22145C32AA8C567B0A39A38C8C 
C12CB697F92880C03F662B027C43B98939E189B87E526F388C75442E 
A4CA3C5A77BAC31C9BE1A7B6DF46689873C04C2499E6ACECA8F0E6DC 
1A87748D1ED9619CC06914928A9C9AC062D81FA48E90B6CC294AAC10 
5BE5A8A6DE38E126467ED4CF83DB2E1EAA2B9696EE6E6D9A91838044 
21370BA554FCAFA3D199BDA4DFA6AFF057EFE122E6C27D1444B8FC5C 
03F8331883CF4B01BBDE01C63ED8E566AE6554653425C748C3D3B608 
419444F8002AEDF985B7A7337FBE4A8DE215CF15F00D07724AB2E645 
C47DFCD9EAA934F7E1C2C57A81CE6E643E9951A09EBF4D445175
se.                     3600    IN      TYPE46  \# 150 
000205010002A30044E2DF6844DB6776D3E5027365003471BE447A79 
D93B68D7202A8B5E45B78E7EEE0D17696A8B86BBBCFC9306C849F488 
56B756983EE27E34553998FBCED9963B973331AB750C1599846476E3 
07E45DA3B00AA19CE42E22E880073E4F69709C20889EDD47C5DEC41F 
44219A02EF96D5E0C7F942DCA6C586E043FA9AB6AF7B5BD6EB66C9FC 
FCE197F56B620F97A314
se.                     3600    IN      TYPE46  \# 150 
000605010002A30044E3E11444DB6776D3E5027365006C93598C9848 
4C892EF2B1246F6FE15127B8884C94CDD656A9458B7DA3BD1D79C26A 
F262CA252E4F0CC24D5807A2EA3AB405DE6E04093C780F77C58EFFB4 
EEACDD0D05CD9271499387496C9B72A494C04714EA0B6E497B8F9058 
B646C1C2D0F74A78B4CB4A004D3F7AACB23C71400E9DAF8502809488 
C520644998DB76404F06
se.                     3600    IN      TYPE46  \# 150 
001005010001518044E409FB44DB6776D3E502736500B66B46C225C3 
9D99998A6E7E42D2680DFF30E06C78B8AC3B69FD0B2369361270760B 
05C659B318B8192F3E563DB640254D91021B747BD114300045CDCA90 
212B3C34F2B7619AFBDDED94F68E9B9F4461D6733E82745189B9EBA6 
86501BDC6911E066D69BCA3BCD26B3F89E4B6A0B78E09C8577C16186 
D74E0D63450B9E920048
se.                     86400   IN      TXT 
"http://www.nic.se/english/domaner/autoompekning.shtml?lang=en"
se.                     86400   IN      TXT     "SE" "zone" "update:" 
"2006-08-10" "20:00:38" "+0200" "EPOCH" "1155232838"
se.                     86400   IN      TXT     "Read instructions before 
sending requests of update"
se.                     172800  IN      SOA     catcher-in-the-rye.nic.se. 
registry.nic-se.se. 2006081010 1800 1800 2419200 7200
se.                     172800  IN      NS      c.ns.se.
se.                     172800  IN      NS      d.ns.se.
se.                     172800  IN      NS      e.ns.se.
se.                     172800  IN      NS      f.ns.se.
se.                     172800  IN      NS      g.ns.se.
se.                     172800  IN      NS      h.ns.se.
se.                     172800  IN      NS      i.ns.se.
se.                     172800  IN      NS      a.ns.se.
se.                     172800  IN      NS      b.ns.se.

;; AUTHORITY SECTION:
se.                     172800  IN      NS      h.ns.se.
se.                     172800  IN      NS      i.ns.se.
se.                     172800  IN      NS      a.ns.se.
se.                     172800  IN      NS      b.ns.se.
se.                     172800  IN      NS      c.ns.se.
se.                     172800  IN      NS      d.ns.se.
se.                     172800  IN      NS      e.ns.se.
se.                     172800  IN      NS      f.ns.se.
se.                     172800  IN      NS      g.ns.se.

;; ADDITIONAL SECTION:
a.ns.se.                45240   IN      A       192.36.144.107
a.ns.se.                45240   IN      AAAA    2001:698:9:301::53
b.ns.se.                45240   IN      A       192.36.133.107
c.ns.se.                45240   IN      A       192.36.135.107
d.ns.se.                45240   IN      A       81.228.11.57
e.ns.se.                45240   IN      A       81.228.10.57
f.ns.se.                45240   IN      A       192.36.125.53
f.ns.se.                45240   IN      AAAA    2001:6b0:7::53
g.ns.se.                45240   IN      A       130.242.94.19
g.ns.se.                45240   IN      AAAA    2001:6b0:7:53::53
h.ns.se.                45240   IN      A       199.7.49.30
i.ns.se.                45240   IN      A       194.146.106.22

;; Query time: 34 msec
;; SERVER: <removed>
;; WHEN: Thu Aug 10 11:28:15 2006
;; MSG SIZE  rcvd: 2794
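
Added example (not part of the original post): a small Python tally of how much of the 2794-byte answer above is DNSSEC RDATA. dig 9.2.4 prints these records in generic TYPEnn form; the numbers 46, 47 and 48 are RRSIG, NSEC and DNSKEY per RFC 4034. SAMPLE is an abridged copy of the output above with the hex elided, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# RR type numbers assigned by RFC 4034.
DNSSEC_TYPES = {46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

# Abridged from the dig output in the post: owner, TTL, class, type and
# RDATA length are as posted; the RDATA hex itself is elided.
SAMPLE = r"""
se. 7200 IN TYPE47 \# 17 (hex elided)
se. 3600 IN TYPE48 \# 134 (hex elided)
se. 3600 IN TYPE48 \# 264 (hex elided)
se. 3600 IN TYPE48 \# 134 (hex elided)
se. 3600 IN TYPE48 \# 134 (hex elided)
se. 3600 IN TYPE48 \# 134 (hex elided)
se. 3600 IN TYPE46 \# 150 (hex elided)
se. 3600 IN TYPE46 \# 150 (hex elided)
se. 3600 IN TYPE46 \# 278 (hex elided)
se. 3600 IN TYPE46 \# 150 (hex elided)
se. 3600 IN TYPE46 \# 150 (hex elided)
se. 3600 IN TYPE46 \# 150 (hex elided)
;; MSG SIZE  rcvd: 2794
"""

RR_RE = re.compile(r"^\S+\s+\d+\s+IN\s+TYPE(\d+)\s+\\#\s+(\d+)", re.M)
SIZE_RE = re.compile(r"^;; MSG SIZE\s+rcvd:\s+(\d+)", re.M)

def rdata_by_type(dig_text):
    """Return {type_name: (record_count, rdata_bytes)} for generic-form RRs."""
    totals = defaultdict(lambda: [0, 0])
    for rrtype, rdlen in RR_RE.findall(dig_text):
        name = DNSSEC_TYPES.get(int(rrtype), "TYPE" + rrtype)
        totals[name][0] += 1
        totals[name][1] += int(rdlen)
    return {name: tuple(v) for name, v in totals.items()}

def dnssec_share(dig_text):
    """Return (dnssec_rdata_bytes, msg_size, fraction of the message)."""
    m = SIZE_RE.search(dig_text)
    if m is None:
        raise ValueError("no ';; MSG SIZE' line in dig output")
    msg_size = int(m.group(1))
    dnssec = sum(nbytes for name, (_, nbytes) in rdata_by_type(dig_text).items()
                 if name in DNSSEC_TYPES.values())
    return dnssec, msg_size, dnssec / msg_size

if __name__ == "__main__":
    for name, (count, nbytes) in sorted(rdata_by_type(SAMPLE).items()):
        print(f"{name:7s} {count:2d} records {nbytes:5d} RDATA bytes")
    print("DNSSEC RDATA: %d of %d bytes (%.0f%%)" % dnssec_share(SAMPLE))
```

The figures count RDATA only; each record's owner name, type, class, TTL and length fields add to the DNSSEC share on the wire.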


