[dns-operations] DDoS attack data collection
chort at smtps.net
Wed Jan 28 14:44:27 UTC 2009
On Jan 28, 2009, at 6:34 AM, Graeme Fowler wrote:
> On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote:
>> At 12:07:16 local time here in Sweden, I saw a new address
>> 22.214.171.124. At 12:09:36 another new address 126.96.36.199.
>> At 12:20:10 the address 188.8.131.52 started to ask for funny domain
>> names like:
>> "pjphcdaaaafwu0000dgaaabaaacboinf". This ended at 12:55:01 when it
>> went back to just asking for the NS records again.
> Same here - times different, though, in that it appeared at 1120 UTC
> disappeared at 1159 UTC. There were 194 entries.
> Every query was the same format - a 32-byte lower case alphanumeric
> string, differing at the following positions marked with a period:
> I expect that others will have seen similar patterns with differing
> fixed strings. I'm also starting to wonder if this is something to
> the downadup/conficker worm, or another botnet.
In that case I'm going to add those IPs to the script here to collect
more info. Hopefully Duane doesn't mind.
By the way, it's all very programmatic. Requests "from" 184.108.40.206
are exactly 3 times more frequent than requests "from" 220.127.116.11.
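The pattern both posters describe (a fixed-length 32-character lower-case alphanumeric first label, differing only at a few positions, coming from a handful of sources at very regular ratios) is easy to pick out of a resolver or authoritative query log. The following is an added example, not code from the thread or from any list member; it parses a few constructed BIND-style query log lines (the addresses are from the 192.0.2.0/24 documentation range, and the hostnames are made up for the example), flags the random-looking labels, counts them per source so the per-source ratio is visible, and builds the "positions marked with a period" mask Graeme mentions.

```python
import re
from collections import Counter

# Constructed BIND-style query log lines for this example (not from the thread).
# Source addresses are documentation-range placeholders; the 32-char labels are
# made up in the shape the thread describes.
SAMPLE_LOG = """\
28-Jan-2009 12:07:16.001 client 192.0.2.10#40001: query: example.net IN NS +
28-Jan-2009 12:20:10.002 client 192.0.2.20#40002: query: pjphcdaaaafwu0000dgaaabaaacboinf.example.net IN A +
28-Jan-2009 12:20:11.003 client 192.0.2.20#40003: query: pjphcdaaaafwu0000dgaaabaaacbo9z1.example.net IN A +
28-Jan-2009 12:20:12.004 client 192.0.2.20#40004: query: pjphcdaaaafwu0000dgaaabaaacbok4q.example.net IN A +
28-Jan-2009 12:20:13.005 client 192.0.2.30#40005: query: pjphcdaaaafwu0000dgaaabaaacbx7hh.example.net IN A +
28-Jan-2009 12:21:00.006 client 192.0.2.10#40006: query: www.example.net IN A +
28-Jan-2009 12:55:01.007 client 192.0.2.20#40007: query: example.net IN NS +
"""

# Matches the "client <ip>#<port>: query: <qname> IN <qtype>" part of a BIND query log line.
LINE_RE = re.compile(r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# The signature from the thread: a 32-byte lower-case alphanumeric label.
RANDOM_LABEL_RE = re.compile(r"^[a-z0-9]{32}$")


def parse_query_log(text):
    """Return a list of (src, qname, qtype) tuples, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m.group("src"), m.group("qname").rstrip("."), m.group("qtype")))
    return records


def is_random_label(label):
    """True if the label has the fixed-length random shape described in the thread."""
    return RANDOM_LABEL_RE.match(label) is not None


def random_label_queries(records):
    """Yield (src, first_label) for every query whose leftmost label looks random."""
    for src, qname, _qtype in records:
        first = qname.split(".")[0]
        if is_random_label(first):
            yield src, first


def suspicious_sources(records):
    """Count random-label queries per source address, so per-source ratios stand out."""
    return Counter(src for src, _label in random_label_queries(records))


def varying_positions(labels):
    """Indices at which a set of equal-length labels differ from the first one."""
    if not labels:
        return set()
    base = labels[0]
    return {i for i, ch in enumerate(base) if any(other[i] != ch for other in labels[1:])}


def pattern_mask(labels):
    """Render the fixed string with a period at each varying position, as in the thread."""
    varying = varying_positions(labels)
    return "".join("." if i in varying else ch for i, ch in enumerate(labels[0]))


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    labels = [label for _src, label in random_label_queries(recs)]
    print("random-label queries per source:", dict(suspicious_sources(recs)))
    print("pattern mask:", pattern_mask(labels))
```

Run over a real query log, the per-source counter is what shows the kind of fixed ratio noted above (here 192.0.2.20 accounts for three queries and 192.0.2.30 for one), and the mask shows which positions of the fixed string are actually varying, which is useful when comparing notes with other operators who see a different fixed prefix.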