[dns-operations] ANONS reflection attack?

L. Aaron Kaplan kaplan at cert.at
Fri Sep 14 12:34:00 UTC 2012


Dear gents and YLs,

In  an ISP  network that I am taking care of in my spare time, we are seeing lots of TXT requests for "ki.ro.lt" to some open recursive nameservers (which we are trying to shot down, but that's not so easy with dnsmasq and distributed Wi-Fi boxes)
Are you seeing similar attacks at the moment?


$ dig @some_nameserver   -t txt ki.ro.lt
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.3 <<>> @some_nameserver-t txt ki.ro.lt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57311
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ki.ro.lt.                      IN      TXT

;; ANSWER SECTION:
ki.ro.lt.               113     IN      TXT
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
"SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"

;; Query time: 110 msec
;; SERVER: 193.238.157.16#53(193.238.157.16)
;; WHEN: Fri Sep 14 12:57:24 2012
;; MSG SIZE  rcvd: 3878

---
//  CERT Austria
//  L. Aaron Kaplan <kaplan at cert.at>
//  T: +43 1 505 64 16 78
//  http://www.cert.at
//  Eine Initiative der NIC.at Internet Verwaltungs- und Betriebs GmbH
//  http://www.nic.at/ - Firmenbuchnummer 172568b, LG Salzburg





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120914/aae3c9fc/attachment.sig>


More information about the dns-operations mailing list