[dns-operations] DNSimple under attack?
ben.han.cn at gmail.com
Fri Dec 12 09:31:18 UTC 2014
We got the following log from an ISP recursive name server in Beijing; the QPS for the ISP was close to 80,000 during the attack.
From the ISP recursive name server log, we got the following queries:
12-Dec-2014 09:42:54.027 client 188.8.131.52 42620: view default: RLSA7H4P.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 184.108.40.206 42620: view default: yvLjEthQ.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 220.127.116.11 42620: view default: fykmxdl8.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 18.104.22.168 42620: view default: h5cCXilV.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 22.214.171.124 42620: view default: gqf0gVnd.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
There is one quite strange behavior of the name server for arkhamnetwork.org, whose IP is 126.96.36.199:
dig @188.8.131.52 xxx.arkhamnetwork.org
;; QUESTION SECTION:
;xxx.arkhamnetwork.org. IN A
;; ANSWER SECTION:
xxx.arkhamnetwork.org. 300 IN CNAME arkhamnetwork.org.
arkhamnetwork.org. 300 IN CNAME ovh.arkhamnetwork.org.
ovh.arkhamnetwork.org. 300 IN A 184.108.40.206
ovh.arkhamnetwork.org. 300 IN A 220.127.116.11
ovh.arkhamnetwork.org. 300 IN A 18.104.22.168
ovh.arkhamnetwork.org. 300 IN A 22.214.171.124
ovh.arkhamnetwork.org. 300 IN A 126.96.36.199
ovh.arkhamnetwork.org. 300 IN A 188.8.131.52
It looks like there is a wildcard catch-all for meaningless domains, but when you dig any
domain name whose first label length equals 8, just like the attack
traffic, you get:
dig @184.108.40.206 xxxxxxxx.arkhamnetwork.org
; <<>> DiG 9.8.3-P1 <<>> @220.127.116.11 xxxxxxxx.arkhamnetwork.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
The name server times out, which causes the recursive name server to return SERVFAIL
and uses up the resources of the recursive server. Does anyone know why?
> Would that happen to be arkhamnetwork.com or arkhamnetwork.org?
> On 12/11/14, 7:50 PM, "Dnsbed (Jeff)" <support at dnsbed.com> wrote:
>> DNSMadeEasy, DNSimple, 1AND1 were under attacks these days.
>> I heard DNSMadeEasy and DNSimple were attacked due to the same domain name hosted there.
>> Livingood, Jason wrote:
>>> Seems like a lot of DNS abuse happening this week. Surely there’s a wider story someplace?
>> Best Regards,
>> DNSbed Hosting
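An added example (not from the original post or from any of the operators quoted in it) showing how a resolver operator could spot the pattern described above in BIND-style query logs: many distinct, fixed-length random first labels under one zone, almost all answered SERVFAIL. The log lines below are constructed to match the format quoted in the post, with client addresses from the documentation range; the thresholds are assumed starting points, not tuned values.

```python
import re
from collections import defaultdict

# Matches the BIND query log format quoted in the post:
# "<date> <time> client <ip> <port>: view <name>: <qname> IN <qtype> <rcode> + ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+) (?P<port>\d+): view \S+: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<rcode>\S+) "
)

# Constructed sample: the five random labels from the post plus some normal traffic.
SAMPLE_LOG = """\
12-Dec-2014 09:42:54.027 client 192.0.2.10 42620: view default: RLSA7H4P.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 192.0.2.11 42620: view default: yvLjEthQ.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.028 client 192.0.2.12 42620: view default: fykmxdl8.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.028 client 192.0.2.13 42620: view default: h5cCXilV.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.029 client 192.0.2.14 42620: view default: gqf0gVnd.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:55.100 client 192.0.2.20 51000: view default: www.example.com IN A NOERROR + NS NE NT ND NC
12-Dec-2014 09:42:55.200 client 192.0.2.21 51001: view default: www.example.com IN A NOERROR + NS NE NT ND NC
12-Dec-2014 09:42:55.300 client 192.0.2.22 51002: view default: mail.example.com IN MX NOERROR + NS NE NT ND NC
"""


def parse_line(line):
    """Return the fields of one query log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def zone_of(qname, labels=2):
    """Crude zone grouping: the last `labels` labels (no public-suffix logic)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def detect_random_subdomain(lines, min_queries=5, min_unique=0.8, min_servfail=0.8):
    """Flag zones where nearly every query has a distinct first label and fails."""
    stats = defaultdict(lambda: {"total": 0, "servfail": 0, "labels": set(), "clients": set()})
    for rec in filter(None, map(parse_line, lines)):
        z = stats[zone_of(rec["qname"])]
        z["total"] += 1
        z["servfail"] += rec["rcode"] == "SERVFAIL"
        z["labels"].add(rec["qname"].split(".")[0])
        z["clients"].add(rec["ip"])
    flagged = {}
    for zone, z in stats.items():
        if z["total"] < min_queries:
            continue  # too little traffic to judge
        if len(z["labels"]) / z["total"] >= min_unique and z["servfail"] / z["total"] >= min_servfail:
            flagged[zone] = {
                "queries": z["total"],
                "unique_labels": len(z["labels"]),
                "servfail": z["servfail"],
                "clients": len(z["clients"]),
                # the post notes every attack label was exactly 8 characters long
                "label_lengths": sorted({len(l) for l in z["labels"]}),
            }
    return flagged
```

In production the per-zone counters would be kept over a sliding window and the flagged zone fed to a rate limit on outstanding recursions, so the unreachable authoritative server stops consuming the resolver's resources.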