[dns-operations] annoying DDoS attack on ns0.rfc1035.com

[Jim Reid]

My name server has been getting hammered with queries for ihren.org --  
one of the zones it serves -- since around 00:00 GMT today. [The  
attack may have started earlier and I just didn't notice it.] The box  
is getting ~400 qps for this name. The queries come from the same IP  
address, just repeating over and over. The source port number changes  
after 25 queries or so. As soon as I get BIND to blackhole the  
offending prefix, another host pops up to take its place: repeated  
queries at with a broken UDP checksum from a single IP address at a  
time.

Most of these IP addresses belong to N. American cable companies. I've  
not yet been in touch with their abuse PoCs and a ticket's been opened  
with my ISP.

There's clearly a botnet at work. Buy why target one of Johan's  
personal domain names and/or my server? The box doesn't host anything  
controversial or important like a TLD: just my mail service and DNS  
for friends and family. Which is of course very important to me. :-)

Is it worth trying to find the ultimate source of this attack? If so,  
how? Is anyone else here seeing similar behaviour?

At present, the attack is an irritant. I get a 300MB query log file in  
about an hour. The log files have been filled and rotated so quickly,  
I can't tell when the attack actually started.

In case anyone cares, here's a traffic summary for what's been logged  
for today's activity: timestamp (UTC + 1H), source IP address and  
number of queries.


02:05:25.109 37.221.160.125     1254725
02:05:25.165 37.221.160.58      1650971
03:13:04.519 109.163.231.194    2275
03:13:04.528 108.162.199.174    22975
03:13:49.837 72.83.254.246      11650
03:14:13.774 68.68.27.34        506275
03:16:46.613 70.169.139.138     67807
03:21:57.699 37.59.45.56        10600
03:25:49.969 71.206.56.48       1750
03:26:24.450 199.188.205.16     77275
03:28:14.120 97.85.50.249       21250
03:29:50.625 74.125.142.121     3725
03:30:19.704 68.39.235.244      5200
03:31:46.216 75.64.105.195      21725
03:32:30.356 86.27.70.219       124302
03:33:52.017 24.224.197.114     47497
03:34:57.732 176.31.239.138     73500
03:37:59.096 74.63.212.11       19828
03:40:53.532 99.250.191.144     37580
03:41:35.057 24.238.83.41       100185
03:42:18.919 216.164.56.153     67194
03:45:58.753 37.59.209.215      37025
03:48:59.630 71.53.234.236      18125
03:50:52.867 173.206.1.110      105394
03:50:52.888 107.22.210.22      18150
03:53:10.886 23.13.33.251       18125
03:53:53.755 209.188.76.48      3475
03:55:27.412 109.235.51.79      57675
03:55:33.042 96.236.223.254     75032
03:58:33.604 65.191.17.52       27100
04:00:20.036 50.31.22.36        18325
04:01:58.330 216.99.100.216     14400
04:02:32.137 75.120.199.89      36350
04:04:00.537 67.160.34.228      31625
04:07:16.164 24.191.203.164     39325
04:08:48.241 68.186.254.104     89550
04:09:34.216 95.92.225.194      66975
04:11:13.605 208.94.146.81      55500
04:11:58.728 99.227.202.54      59825
04:17:11.484 69.63.55.32        5400
04:18:57.015 74.133.168.16      31008
04:19:31.763 67.87.253.98       50656
04:19:54.512 66.225.198.227     62713
04:24:59.471 72.29.88.50        14925
04:25:58.763 173.60.166.185     17950
04:26:21.322 68.119.225.154     54525
04:26:51.990 81.193.188.175     33200
04:30:26.306 187.173.172.211    54625
04:32:16.303 76.22.120.220      17550
04:32:32.041 76.14.215.65       37450
04:32:56.195 68.81.102.108      43262
04:33:09.389 70.100.61.46       18300
04:33:32.906 96.225.167.233     10300
04:35:55.676 74.56.249.128      20375
04:43:06.356 210.49.193.196     262823
04:44:51.027 123.2.170.211      31425
04:45:08.373 108.12.192.134     17325
04:45:24.444 66.168.176.245     188886
04:47:46.158 206.74.233.106     20713
04:48:39.420 70.228.80.154      20144
04:49:32.988 70.123.159.195     102085
04:50:24.385 99.106.221.199     49249
04:50:56.001 69.175.104.34      36343
04:51:18.681 98.244.162.179     15004
04:56:02.691 98.234.82.75       7150
04:57:29.224 98.230.153.124     52975
04:57:46.648 71.99.127.134      18775
04:57:55.190 66.176.182.213     55575
05:00:27.535 199.19.94.210      23350
05:01:04.261 99.120.236.115     22475
05:07:39.794 109.235.252.206    216597
05:11:36.202 24.47.70.224       76674
05:12:13.953 68.207.150.119     195997
05:12:22.868 67.68.213.184      8385
05:13:07.837 68.62.34.184       50435
05:13:17.376 216.106.235.23     19905
05:16:36.907 71.183.189.194     4841
05:17:32.671 99.169.118.51      16248
05:18:29.874 173.208.253.90     36468
05:18:41.007 98.23.134.69       17524
05:19:37.124 71.186.150.68      14959
05:24:13.199 12.105.101.155     178702
05:24:13.218 108.220.170.141    86973
05:24:13.247 188.165.30.110     353970
05:24:13.304 212.1.210.28       122810
05:24:13.366 24.19.121.149      41539
05:24:30.170 24.199.4.246       169566
05:24:31.261 173.174.88.61      3672
05:28:46.392 68.174.250.25      163981
05:29:18.847 94.169.6.58        4814
05:30:22.833 99.181.162.20      150529
05:30:33.651 108.193.96.183     85331
05:32:51.390 184.58.63.31       126797
05:33:12.208 65.31.245.98       13676
05:33:58.756 216.172.190.21     5565
05:34:09.239 96.245.185.115     5354
05:35:56.422 173.24.250.227     1522
05:35:57.131 69.65.40.13        73004
05:36:05.502 210.1.203.167      156932
05:37:38.005 67.140.45.107      69082
05:38:09.574 122.49.176.183     59081
05:38:11.254 75.108.237.251     24351
05:38:14.659 128.204.204.8      24237
05:39:25.857 173.254.28.58      3033
05:41:15.090 70.181.14.111      61913
05:41:24.765 60.225.137.143     61809
05:41:30.829 209.170.124.203    19336
05:44:12.604 109.123.111.250    37351
05:44:58.706 178.33.61.202      27127
05:46:32.842 173.199.80.8       8419
05:46:35.546 173.54.234.111     8238
05:47:09.800 68.46.184.161      59259
05:48:01.100 24.144.144.147     12131
05:48:21.050 124.188.122.105    7905
05:49:03.546 81.65.99.24        8922
05:49:12.056 98.87.8.182        27828
05:51:35.195 70.156.111.86      30205
05:52:17.498 64.68.250.120      3689
05:52:26.014 208.126.108.17     8832
05:53:15.910 68.52.58.227       3051