[dns-operations] MX record scanning

Antoin Verschuren antoin.verschuren at sidn.nl
Tue May 10 11:53:15 UTC 2011

On 10-05-11 01:56, Igor Sviridov wrote:

> We see DNS storm similar to one described by Mauricio of .CL happening for .UA, starting Friday ~18:00 PST:
> - MX queries for nonexistent random 2nd level .UA domains
> - transaction ID < 256
> - recursion desired bit set
> - source IPs from all over the world (~12K source IPs seen in 30 minutes)
> - random sampling of ~20 top IPs shows those listed as mail / spam sources in http://www.projecthoneypot.org/
> Query rates maxed out at ~4-5K/sec per nameserver for well-connected anycast instances,
> which puts aggregate storm request rate for .UA at under 40K/second.
> The storm seems to have mostly calmed down around noon PST today.
> So far we were not able to confirm if source addresses were indeed faked (and it's a DNS amplification attack
> against spammers, a weak one at that), or, reverse, it's a SPAM botnet gathering list of valid domains via brute-force;
> second option does appear more likely.

And to add to this,
This started some years ago, and is definitely a SPAM botnet gathering a
list of valid domains, as the querynames mostly came out of a spambot
killer script from an open source CMS.
3 years ago, we had spikes of only a few hours, about once a month.
Nowadays, it can last days.

Another fingerprint is that the botnet clients request the same queryname
multiple times from the same IP within seconds, and mostly it's a
multiple of 12. This makes me believe it's the same botnet client
software, and together with the other characteristics it's definitely
custom software that does not use standard resolvers.

The question now is, what to do with the data.
If you analyse your querylog with the characteristics above, you have an
almost certain list of affected botnet clients.
Should we alert local CERTs to inform ISPs to tell their customers?

If there should be a topic a DNS-CERT should handle, I think it's this
one, as it needs coordination, and it clearly attacks or at least
affects the DNS system as a whole. If DNS-OARC should wish to perform a
task like this, this would be a start.

-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl
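
Added example, not part of the original message: one way to apply the fingerprint described in this thread (MX query, RD bit set, transaction ID below 256, nonexistent name, same name repeated from one IP within seconds, repeat count checked against multiples of 12) to an authoritative query log. The log layout, the 5-second window and the function name are assumptions made for this sketch, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log; the whitespace-separated layout is an assumption:
# epoch_seconds source_ip transaction_id qname qtype rd_bit rcode
SAMPLE_LOG = [
    # Bot-like client: the same random name 12 times in under 3 seconds.
    *(f"{1000 + i * 0.25:.2f} 192.0.2.10 {17 + i} xkqzt.ua. MX 1 NXDOMAIN"
      for i in range(12)),
    # Ordinary resolver: full-range transaction ID, RD clear, name exists.
    "1001.00 198.51.100.5 48211 example.ua. MX 0 NOERROR",
    # Low ID and RD set, but no repeated name: left out of the suspect list.
    "1002.00 203.0.113.7 12 aaa.ua. MX 1 NXDOMAIN",
    "1002.50 203.0.113.7 13 bbb.ua. MX 1 NXDOMAIN",
    # Repeats a name, but a minute apart rather than within seconds.
    "1000.00 203.0.113.9 40 ccc.ua. MX 1 NXDOMAIN",
    "1060.00 203.0.113.9 41 ccc.ua. MX 1 NXDOMAIN",
]

def suspect_clients(lines, window=5.0, min_repeats=2):
    """Map source IP -> [(qname, repeats_in_window, is_multiple_of_12)]."""
    bursts = defaultdict(list)  # (source IP, qname) -> query timestamps
    for line in lines:
        ts, src, txid, qname, qtype, rd, rcode = line.split()
        # Per-query traits from the thread: MX, RD set, ID < 256,
        # and a name that does not exist in the zone.
        if (qtype == "MX" and rd == "1" and int(txid) < 256
                and rcode == "NXDOMAIN"):
            bursts[(src, qname.lower())].append(float(ts))
    hits = defaultdict(list)
    for (src, qname), stamps in bursts.items():
        stamps.sort()
        best = lo = 0
        for hi in range(len(stamps)):  # sliding window over the timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_repeats:
            # The multiple-of-12 trait is recorded, not required.
            hits[src].append((qname, best, best % 12 == 0))
    return dict(hits)

if __name__ == "__main__":
    for src, found in suspect_clients(SAMPLE_LOG).items():
        print(src, found)
```
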