[dns-operations] nameservers being attacked
Rubens Kuhl
rubensk at nic.br
Tue Nov 26 09:22:47 UTC 2013
Em 26/11/2013, à(s) 00:22, Mark Andrews <marka at isc.org> escreveu:
>
> In message <5293FA31.9030204 at dnsbed.com>, Dnsbed Ops writes:
>> Hello,
>>
>> My nameservers currently have been meeting the attacks.
>> All these queries are against one special domain, from the seemed fake IPs.
>> And those eat up the bandwidth quickly since I run the nameservers with
>> hosting servers.
>> Can you help? Thanks in advance.
>
> The logs actually look like the queries are from recursive servers
> following normal recursion looking at the mixture of flags and that
> they are directed at a official server for the zone.
>
> ns6.cloudwebdns.com. 3600 IN A 116.251.209.248
> ns6.cloudwebdns.com. 3600 IN A 192.208.187.242
>
> I suspect something is trying to detect whether there is nxdomain
> redirection occuring by prepend a random string to www.byw.so.
Which follows the known Chromium (main Google Chrome component) pattern of a few random 10-character requests for every search query to make such detection.
Rubens
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131126/9648bd46/attachment.html>
More information about the dns-operations
mailing list