[dns-operations] ANONS reflection attack?

Joshua Anderson josh at afraid.org
Fri Sep 14 16:05:44 UTC 2012


I've suspended this hostname:

2012-09-13 18:20:26 2,517,331   0   ki.ro.lt    TXT "SOMOSANONYMOUS!!SOM...

Thanks for the note.

I have noticed more creations of these large TXT records in the
last year, which appear to me to be created exclusively for
reflection attacks, from what I can tell (maybe even by the same
individual).

Thanks for the note.

Josh

L. Aaron Kaplan (kaplan at cert.at) @ Fri, Sep 14, 2012 at 02:34:00PM +0200 wrote :
> From: L. Aaron Kaplan <kaplan at cert.at>
> Date: Fri, 14 Sep 2012 14:34:00 +0200
> To: dns-operations at mail.dns-oarc.net
> X-Mailer: Apple Mail (2.1278)
> X-Spam-Status: No
> Cc: Kriegisch Adi <adi at kriegisch.at>
> Subject: [dns-operations] ANONS reflection attack?
> 
> 
> Dear gents and YLs,
> 
> In an ISP network that I am taking care of in my spare time, we are seeing lots of TXT requests for "ki.ro.lt" to some open recursive nameservers (which we are trying to shut down, but that's not so easy with dnsmasq and distributed Wi-Fi boxes).
> Are you seeing similar attacks at the moment?
> 
> 
> $ dig @some_nameserver   -t txt ki.ro.lt
> ;; Truncated, retrying in TCP mode.
> 
> ; <<>> DiG 9.7.3 <<>> @some_nameserver-t txt ki.ro.lt
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57311
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ki.ro.lt.                      IN      TXT
> 
> ;; ANSWER SECTION:
> ki.ro.lt.               113     IN      TXT
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> 
> ;; Query time: 110 msec
> ;; SERVER: 193.238.157.16#53(193.238.157.16)
> ;; WHEN: Fri Sep 14 12:57:24 2012
> ;; MSG SIZE  rcvd: 3878
> 
> ---
> //  CERT Austria
> //  L. Aaron Kaplan <kaplan at cert.at>
> //  T: +43 1 505 64 16 78
> //  http://www.cert.at
> //  Eine Initiative der NIC.at Internet Verwaltungs- und Betriebs GmbH
> //  http://www.nic.at/ - Firmenbuchnummer 172568b, LG Salzburg

-- 
Joshua Anderson
Senior Admin @ FreeDNS.afraid.org
Now servicing 1,176,874 members and 95,119 domains.
Currently processing 3,200 DNS queries per second.

The highest compliment we could receive would be a premium membership.
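The thread's evidence is a 26-byte UDP query for a TXT record that returns 3,878 bytes, roughly 150x amplification. The following is an added detection example, not code from either poster: it scores resolver query-log lines (constructed sample format: timestamp, source IP, qname, qtype, response bytes) by amplification ratio and repeat count, which is how an operator of an open resolver would spot a record like ki.ro.lt being used as a reflector. The log format, thresholds and sample addresses are assumptions.

```python
"""Flag (qname, qtype) pairs in a resolver query log that look like reflection abuse."""
from collections import defaultdict

# Constructed sample log: "date time source_ip qname qtype response_bytes".
# In a reflection attack the source IP is the spoofed victim, so one "client"
# repeating the same high-yield query is itself a signal.
SAMPLE_LOG = """\
2012-09-14 12:57:01 198.51.100.7 ki.ro.lt TXT 3878
2012-09-14 12:57:01 198.51.100.7 ki.ro.lt TXT 3878
2012-09-14 12:57:02 198.51.100.7 ki.ro.lt TXT 3878
2012-09-14 12:57:02 203.0.113.9 www.example.com A 60
2012-09-14 12:57:03 198.51.100.7 ki.ro.lt TXT 3878
2012-09-14 12:57:03 192.0.2.44 example.net MX 120
"""

DNS_HEADER = 12   # fixed DNS message header, bytes
QTYPE_QCLASS = 4  # QTYPE + QCLASS in the question section, bytes


def query_size(qname: str) -> int:
    """Wire size of a plain UDP query (no EDNS OPT record) for qname."""
    labels = qname.rstrip(".").split(".")
    name_len = sum(1 + len(label) for label in labels) + 1  # length octets + root
    return DNS_HEADER + name_len + QTYPE_QCLASS


def parse_line(line: str) -> dict:
    date, time, client, qname, qtype, size = line.split()
    return {"ts": f"{date} {time}", "client": client, "qname": qname,
            "qtype": qtype, "size": int(size)}


def find_amplifiers(log_text: str, min_ratio: float = 20.0, min_queries: int = 3) -> list:
    """Return (qname, qtype) pairs whose response/query byte ratio and repeat count
    exceed the thresholds, sorted by ratio descending."""
    stats = defaultdict(lambda: {"count": 0, "clients": set(), "resp": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[(rec["qname"], rec["qtype"])]
        s["count"] += 1
        s["clients"].add(rec["client"])
        s["resp"] = max(s["resp"], rec["size"])  # largest answer seen
    flagged = []
    for (qname, qtype), s in stats.items():
        ratio = s["resp"] / query_size(qname)
        if ratio >= min_ratio and s["count"] >= min_queries:
            flagged.append({"qname": qname, "qtype": qtype, "queries": s["count"],
                            "distinct_clients": len(s["clients"]), "ratio": round(ratio, 1)})
    return sorted(flagged, key=lambda f: -f["ratio"])
```

Note that a 3,878-byte answer only fits in one UDP datagram when the query carries an EDNS buffer size; without it, as the quoted dig run shows, the resolver truncates and the client falls back to TCP, which cannot be spoofed.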



More information about the dns-operations mailing list