[dns-operations] nameservers being attacked

Damian Menscher damian at google.com
Tue Nov 26 17:29:02 UTC 2013


On Tue, Nov 26, 2013 at 1:22 AM, Rubens Kuhl <rubensk at nic.br> wrote:

> On 26/11/2013, at 00:22, Mark Andrews <marka at isc.org> wrote:
>
> In message <5293FA31.9030204 at dnsbed.com>, Dnsbed Ops writes:
>
> Hello,
>
> My nameservers are currently being attacked.
> All these queries are against one special domain, from seemingly fake
> IPs.
> And those eat up the bandwidth quickly since I run the nameservers with
> hosting servers.
> Can you help? Thanks in advance.
>
>
> The logs actually look like the queries are from recursive servers
> following normal recursion, looking at the mixture of flags and that
> they are directed at an official server for the zone.
>
> ns6.cloudwebdns.com. 3600 IN A 116.251.209.248
> ns6.cloudwebdns.com. 3600 IN A 192.208.187.242
>
> I suspect something is trying to detect whether there is nxdomain
> redirection occurring by prepending a random string to www.byw.so.
>
>
> Which follows the known Chromium (main Google Chrome component) pattern of
> a few random 10-character requests for every search query to make such
> detection.
>

I didn't realize Chrome did that -- nice trick!  But in this case it's not
Chrome... it's 6 chars of random ahead of the www.  Perhaps the domain was
"randomly" selected by malware picking a new domain for its C&C every few
days?  Unfortunately it's hard to guess without getting hands on one of the
machines making the queries.

Damian
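An added example, not from the thread, of the defender-side check Mark's hypothesis suggests: parse query-log lines and flag zones that receive many distinct fixed-length, high-entropy leftmost labels (the "random string prepended to www.byw.so" pattern). The log format, client addresses and sample lines are constructed for illustration and only loosely modelled on BIND query logs.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, loosely modelled on BIND query-log lines (not from the thread).
# Four clients send fixed-length random labels prepended to www.byw.so; two benign queries follow.
SAMPLE_LOG = """\
26-Nov-2013 01:10:01.123 client 203.0.113.7#53241: query: kq2xva.www.byw.so IN A -ED (192.0.2.1)
26-Nov-2013 01:10:01.125 client 198.51.100.9#41022: query: p9zt0m.www.byw.so IN A -ED (192.0.2.1)
26-Nov-2013 01:10:01.130 client 203.0.113.44#6001: query: a1b2c3.www.byw.so IN A -ED (192.0.2.1)
26-Nov-2013 01:10:01.140 client 198.51.100.12#5300: query: zx9qlk.www.byw.so IN A -ED (192.0.2.1)
26-Nov-2013 01:10:02.001 client 192.0.2.55#3456: query: www.example.com IN A -ED (192.0.2.1)
26-Nov-2013 01:10:02.002 client 192.0.2.55#3457: query: mail.example.com IN MX -ED (192.0.2.1)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each line that looks like a query-log entry."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def shannon_entropy(label):
    """Bits per character: 'www' scores 0, a 6-char label of distinct chars about 2.58."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def find_random_prefix_targets(log_text, min_distinct=3, min_entropy=2.3):
    """Group queries by (suffix, leftmost-label length); report suffixes that receive at least
    min_distinct distinct high-entropy labels of one length as {suffix: (labels, clients)}."""
    labels_seen = defaultdict(set)
    clients_seen = defaultdict(set)
    for ip, qname, _ in parse_queries(log_text):
        parts = qname.split(".")
        if len(parts) < 3:
            continue  # need at least label.name.tld for the leftmost label to be a prefix
        first, suffix = parts[0], ".".join(parts[1:])
        if shannon_entropy(first) >= min_entropy:
            key = (suffix, len(first))
            labels_seen[key].add(first)
            clients_seen[key].add(ip)
    return {suffix: (len(labels), len(clients_seen[(suffix, n)]))
            for (suffix, n), labels in labels_seen.items() if len(labels) >= min_distinct}
```

Short labels make entropy a coarse signal, so the length grouping and distinct-label count carry most of the weight; tune the thresholds against your own baseline traffic.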

