[dns-operations] DDoS attack data collection

Brian Keefer chort at smtps.net
Wed Jan 28 14:44:27 UTC 2009


On Jan 28, 2009, at 6:34 AM, Graeme Fowler wrote:
>
> On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote:
>> At 12:07:16 local time here in Sweden, I saw a new address
>> 70.86.80.98. At 12:09:36 another new address, 64.57.246.123.
>> At 12:20:10 the address 70.86.80.98 started to ask for funny domain
>> names like:
>> "pjphcdaaaafwu0000dgaaabaaacboinf". This ended at 12:55:01 when it was
>> back to just asking for the NS records again.
>
> Same here - times different, though, in that it appeared at 1120 UTC and
> disappeared at 1159 UTC. There were 194 entries.
>
> Every query was the same format - a 32-byte lower case alphanumeric
> string, differing at the following positions marked with a period:
>
> ......aaaafw.0000d.aaabaaa......
>
> I expect that others will have seen similar patterns with differing
> fixed strings.  I'm also starting to wonder if this is something to do with
> the downadup/conficker worm, or another botnet.
>
> Graeme

In that case I'm going to add those IPs to the script here to collect more info.  Hopefully Duane doesn't mind.

By the way, it's all very programmatic.  Requests "from" 70.86.80.98 are exactly 3 times more frequent than requests "from" 64.57.246.123.

--
bk
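The two observations in this thread (a fixed/variable position mask over the 32-byte query names, and the per-source request ratio) are easy to turn into a small triage script. The block below is an added example, not code from any poster on this list or from Duane's collection script. It assumes a simplified "HH:MM:SS client-ip qname" log layout (not the actual format of any resolver), and its sample log is constructed: the first 32-character name is the one quoted above, the other three are made-up variants that keep the same fixed substrings.

```python
import re
from collections import Counter

# Constructed sample log in an assumed "HH:MM:SS client-ip qname" layout.
# Only the first 32-character qname is quoted from the thread; the other
# three random-looking names are made up to share its fixed substrings.
SAMPLE_LOG = """\
12:20:10 70.86.80.98 pjphcdaaaafwu0000dgaaabaaacboinf
12:20:11 70.86.80.98 xq7w2kaaaafwa0000dmaaabaaazz91ab
12:20:12 64.57.246.123 example.net
12:20:13 70.86.80.98 m0b5thaaaafwq0000d3aaabaaaqrs7tv
12:20:14 70.86.80.98 example.net
12:20:15 70.86.80.98 c4lpyraaaafwh0000dvaaabaaa0b2e5k
12:20:16 64.57.246.123 example.net
12:20:17 70.86.80.98 example.net
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) (?P<src>\S+) (?P<qname>\S+)$")
# The shape Graeme describes: a 32-byte lower-case alphanumeric string.
RANDOM_LABEL_RE = re.compile(r"^[a-z0-9]{32}$")


def parse_log(text):
    """Return (src, qname) tuples for every well-formed log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("src"), m.group("qname")))
    return records


def random_labels(records):
    """Keep only the query names that fit the 32-byte alphanumeric shape."""
    return [q for _, q in records if RANDOM_LABEL_RE.match(q)]


def position_mask(names):
    """Build the mask in Graeme's notation: keep the character where every
    name agrees, write '.' wherever at least one name differs."""
    if not names:
        return ""
    width = len(names[0])
    if any(len(n) != width for n in names):
        raise ValueError("all names must have the same length")
    return "".join(
        names[0][i] if all(n[i] == names[0][i] for n in names) else "."
        for i in range(width)
    )


def mask_to_regex(mask):
    """Turn a mask into an anchored regex for matching new queries;
    every '.' becomes exactly one lower-case alphanumeric character."""
    parts = ["[a-z0-9]" if c == "." else re.escape(c) for c in mask]
    return re.compile("^" + "".join(parts) + "$")


def source_counts(records):
    """Requests per client address, for the frequency comparison."""
    return Counter(src for src, _ in records)


def query_ratio(records, a, b):
    """How many times more often source a queried than source b."""
    counts = source_counts(records)
    return counts[a] / counts[b]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    mask = position_mask(random_labels(recs))
    print("mask:", mask)
    print("regex:", mask_to_regex(mask).pattern)
    print("per-source:", dict(source_counts(recs)))
```

Run against the constructed sample this recovers the mask `......aaaafw.0000d.aaabaaa......` and a 3:1 ratio between the two addresses; against a real query log the mask from one sender can be turned into a regex and compared with the fixed strings other operators see, which is the comparison Graeme suggests.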