[dns-operations] MX record scanning

Igor Sviridov sia at nest.org
Mon May 9 23:56:30 UTC 2011


Sebastian Castro writes:
> On 05/10/2011 06:55 AM, Stephane Bortzmeyer wrote:
> > On Mon, May 09, 2011 at 09:06:06AM -0700,
> >  Carlos Vicente <cvicente.lists at gmail.com> wrote 
> >  a message of 155 lines which said:
> > 
> >> In the last week or so I've noticed a significant increase in
> >> queries per second on one of our authoritative servers, which
> >> happens to be secondary for a number of TLDs. A quick inspection of
> >> the traffic patterns seems to indicate an MX record scanning process
> > 
> > It seems in the same league as the MX scanning seen by .CL and
> > reported by Mauricio Vergara Ereche at the OARC meeting in San
> > Francisco
> > <https://www.dns-oarc.net/files/workshop-201103/20110314-ccNSO-Query-Storm_affecting_CL-mave.pdf>. You
> > should compare your pcap files.
> 
> SIDN (.NL) reported a similar situation a long time ago, with "retries" from
> time to time. We NZRS (.NZ) see that too, as well as CIRA (.CA).
 
We see a DNS storm similar to the one described by Mauricio of .CL happening for .UA, starting Friday ~18:00 PST:

- MX queries for nonexistent random 2nd level .UA domains
- transaction ID < 256
- recursion desired bit set
- source IPs from all over the world (~12K source IPs seen in 30 minutes)
- a random sampling of ~20 top IPs shows those listed as mail / spam sources in http://www.projecthoneypot.org/

Query rates maxed out at ~4-5K/sec per nameserver for well-connected anycast instances,
which puts the aggregate storm request rate for .UA at under 40K/second.

The storm seems to have mostly calmed down around noon PST today.

So far we have not been able to confirm whether the source addresses were indeed faked (and it's a DNS amplification attack
against spammers, a weak one at that), or, conversely, it's a SPAM botnet gathering a list of valid domains via brute force;
the second option does appear more likely.

-- 
Igor Sviridov
.UA technical contact - Hostmaster Ltd - Intuix LLC
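A small detector for the query pattern Igor lists above (MX qtype, random second-level name under the TLD, transaction ID below 256, RD bit set), added here as an example and not part of the thread or of any .UA tooling; the sample packets, source addresses and labels are constructed, and the per-source counting is the kind of check an operator would run over a pcap to pick candidate sources out of the storm.

```python
import struct
from collections import Counter
QTYPE_MX, RD_FLAG = 15, 0x0100  # MX qtype; "recursion desired" bit in the header flags word

def build_query(txid, qname, qtype, rd=True):
    """Build a minimal DNS query (header + one question); used here only for constructed samples."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Return txid, RD flag, qname labels and qtype of the first question in a raw DNS query."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    pos, labels = 12, []
    while pkt[pos] != 0:
        n = pkt[pos]
        if n & 0xC0:  # compression pointer inside a question section: treat as malformed
            raise ValueError("compressed qname")
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    (qtype,) = struct.unpack("!H", pkt[pos + 1:pos + 3])
    return {"txid": txid, "rd": bool(flags & RD_FLAG), "labels": labels, "qtype": qtype}

def matches_storm(q, tld="ua"):
    """Signature from the post: MX qtype, second-level name under the TLD, txid < 256, RD set."""
    return (q["qtype"] == QTYPE_MX and len(q["labels"]) == 2 and q["labels"][1] == tld
            and q["txid"] < 256 and q["rd"])

def summarize(packets, tld="ua"):
    """packets: iterable of (src_ip, raw_query). Returns a Counter of matching queries per source."""
    hits = Counter()
    for src, raw in packets:
        try:
            q = parse_query(raw)
        except (ValueError, IndexError, struct.error):
            continue  # truncated or malformed packet: skip it rather than crash the collector
        if matches_storm(q, tld):
            hits[src] += 1
    return hits

# Constructed sample traffic (documentation-range addresses, made-up labels); not from the post's pcaps.
SAMPLE = [
    ("198.51.100.7", build_query(17, "xk3qz9.ua", QTYPE_MX)),
    ("198.51.100.7", build_query(203, "p0w2ml.ua", QTYPE_MX)),
    ("203.0.113.9", build_query(42, "qqa7b.ua", QTYPE_MX)),
    ("203.0.113.9", build_query(9001, "qqa7b.ua", QTYPE_MX)),        # txid >= 256: ordinary resolver
    ("192.0.2.3", build_query(5, "mail.example.ua", QTYPE_MX)),       # third-level name: not the pattern
    ("192.0.2.3", build_query(5, "example.ua", 1)),                    # A query, not MX
    ("192.0.2.3", build_query(5, "example.ua", QTYPE_MX, rd=False)),  # RD clear
]
```

`summarize(SAMPLE)` yields two matches for 198.51.100.7 and one for 203.0.113.9; in practice the per-source counts are what you would feed a rate threshold, since a single low-txid MX query is not suspicious on its own.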

