[dns-operations] nameservers being attacked
damian at google.com
Tue Nov 26 17:29:02 UTC 2013
On Tue, Nov 26, 2013 at 1:22 AM, Rubens Kuhl <rubensk at nic.br> wrote:
> Em 26/11/2013, à(s) 00:22, Mark Andrews <marka at isc.org> escreveu:
> In message <5293FA31.9030204 at dnsbed.com>, Dnsbed Ops writes:
> My nameservers currently have been meeting the attacks.
> All these queries are against one special domain, from the seemed fake
> And those eat up the bandwidth quickly since I run the nameservers with
> hosting servers.
> Can you help? Thanks in advance.
> The logs actually look like the queries are from recursive servers
> following normal recursion looking at the mixture of flags and that
> they are directed at a official server for the zone.
> ns6.cloudwebdns.com. 3600 IN A 126.96.36.199
> ns6.cloudwebdns.com. 3600 IN A 188.8.131.52
> I suspect something is trying to detect whether there is nxdomain
> redirection occuring by prepend a random string to www.byw.so.
> Which follows the known Chromium (main Google Chrome component) pattern of
> a few random 10-character requests for every search query to make such
I didn't realize Chrome did that -- nice trick! But in this case it's not
Chrome... it's 6 chars of random ahead of the www. Perhaps the domain was
"randomly" selected by malware picking a new domain for its C&C every few
days? Unfortunately it's hard to guess without getting hands on one of the
machines making the queries.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations