[dns-operations] DDoS attack data collection

Graeme Fowler graeme at graemef.net
Wed Jan 28 14:34:55 UTC 2009


Hi

On Wed, 2009-01-28 at 06:27 -0800, Brian Keefer wrote:
> There are two new IPs as of this morning between 3AM and 4AM Pacific:
> 70.86.80.98
> 64.57.246.123

Interesting you should mention that; I just posted this to NANOG (apols
if you get it more than once)...

On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote:
> At 12:07:16 local time here in Sweden, I saw a new address
> 70.86.80.98. At 12:09:36 another new address 64.57.246.123
> At 12:20:10 the address 70.86.80.98 started to ask for funny domain
> names like:
> "pjphcdaaaafwu0000dgaaabaaacboinf". This ended at 12:55:01 when it was
> back to just asking for the .NS records again.

Same here - times different, though, in that it appeared at 1120 UTC and
disappeared at 1159 UTC. There were 194 entries.

Every query was the same format - a 32-byte lower case alphanumeric
string, differing at the following positions marked with a period:

......aaaafw.0000d.aaabaaa......

I expect that others will have seen similar patterns with differing
fixed strings.  I'm also starting to wonder if this is something to do with
the downadup/conficker worm, or another botnet.

Graeme
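An added example, not part of the thread or any poster's code: a small Python script that performs the kind of analysis Graeme describes, picking out 32-byte lowercase alphanumeric query names per client from a query log and deriving the mask of fixed versus varying positions. The log layout, the client addresses and all names other than the first (the one quoted in the thread) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log in a simple "time client qname" layout (not any particular
# resolver's format). The first qname is the one quoted on the list; the other
# 32-byte names are made-up variants that differ only at the positions Graeme
# marked with a period in his mask.
SAMPLE_LOG = """\
12:20:10 192.0.2.10 pjphcdaaaafwu0000dgaaabaaacboinf
12:20:11 192.0.2.10 k2m7xqaaaafwb0000dzaaabaaa91qrtv
12:20:12 192.0.2.10 wwz9c1aaaafwm0000dkaaabaaaf8l0pe
12:20:13 192.0.2.10 a0b1c2aaaafwq0000dyaaabaaah7jk3s
12:20:14 192.0.2.10 example.net
12:20:15 192.0.2.99 www.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
LABEL_RE = re.compile(r"^[a-z0-9]{32}$")  # Graeme's description of each query


def parse_log(text):
    """Yield (client, qname) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def position_mask(names):
    """Keep characters identical across all names at a position; '.' elsewhere."""
    return "".join(col[0] if len(set(col)) == 1 else "." for col in zip(*names))


def suspicious_clients(text, min_queries=3):
    """Group 32-byte alphanumeric queries per client and return
    {client: (mask, count)} for clients at or above the threshold."""
    per_client = defaultdict(list)
    for client, qname in parse_log(text):
        if LABEL_RE.match(qname):
            per_client[client].append(qname)
    return {c: (position_mask(q), len(q))
            for c, q in per_client.items() if len(q) >= min_queries}


if __name__ == "__main__":
    for client, (mask, count) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} queries, mask {mask}")
```

On the constructed log the only flagged client is 192.0.2.10 with the mask `......aaaafw.0000d.aaabaaa......`, the same pattern Graeme reports.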