[dns-operations] nameservers being attacked

Rubens Kuhl rubensk at nic.br
Tue Nov 26 09:22:47 UTC 2013


Em 26/11/2013, à(s) 00:22, Mark Andrews <marka at isc.org> escreveu:

> 
> In message <5293FA31.9030204 at dnsbed.com>, Dnsbed Ops writes:
>> Hello,
>> 
>> My nameservers currently have been meeting the attacks.
>> All  these queries are against one special domain, from the seemed fake IPs.
>> And those eat up the bandwidth quickly since I run the nameservers with 
>> hosting servers.
>> Can you help? Thanks in advance.
> 
> The logs actually look like the queries are from recursive servers
> following normal recursion looking at the mixture of flags and that
> they are directed at a official server for the zone.
> 
> ns6.cloudwebdns.com.	3600	IN	A	116.251.209.248
> ns6.cloudwebdns.com.	3600	IN	A	192.208.187.242
> 
> I suspect something is trying to detect whether there is nxdomain
> redirection occuring by prepend a random string to www.byw.so.


Which follows the known Chromium (main Google Chrome component) pattern of a few  random 10-character requests for every search query to make such detection.


Rubens



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131126/9648bd46/attachment.html>


More information about the dns-operations mailing list