[dns-operations] DNSimple under attack?

gmail ben.han.cn at gmail.com
Fri Dec 12 09:31:18 UTC 2014


We got the following log from an ISP recursive name server in Beijing; the QPS for the ISP was close to 80,000 during the attack.
From the ISP recursive name server log, we got the following queries:
12-Dec-2014 09:42:54.027 client 60.220.197.64 42620: view default: RLSA7H4P.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 60.220.197.64 42620: view default: yvLjEthQ.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 60.220.197.64 42620: view default: fykmxdl8.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 60.220.197.64 42620: view default: h5cCXilV.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 60.220.197.64 42620: view default: gqf0gVnd.arkhamnetwork.org IN A SERVFAIL + NS NE NT ND NC
...

There is one quite strange behavior of the name server for arkhamnetwork.org, whose IP is 173.245.58.170:

dig @173.245.58.170 xxx.arkhamnetwork.org

;; QUESTION SECTION:
;xxx.arkhamnetwork.org.     IN  A

;; ANSWER SECTION:
xxx.arkhamnetwork.org.  300 IN  CNAME   arkhamnetwork.org.
arkhamnetwork.org.  300 IN  CNAME   ovh.arkhamnetwork.org.
ovh.arkhamnetwork.org.  300 IN  A   167.114.43.80
ovh.arkhamnetwork.org.  300 IN  A   167.114.43.96
ovh.arkhamnetwork.org.  300 IN  A   198.50.196.32
ovh.arkhamnetwork.org.  300 IN  A   167.114.25.128
ovh.arkhamnetwork.org.  300 IN  A   167.114.57.208
ovh.arkhamnetwork.org.  300 IN  A   156.154.164.59

It looks like there is a wildcard catch for meaningless domains, but when you dig any
domain name whose first label length equals 8, just like the attack
traffic, you get:

dig @173.245.58.170 xxxxxxxx.arkhamnetwork.org 
; <<>> DiG 9.8.3-P1 <<>> @173.245.58.170 xxxxxxxx.arkhamnetwork.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached 

The name server times out, which causes the recursive name server to return SERVFAIL
and uses up the resources of the recursive server. Does anyone know why?

feng 

> Would that happen to be arkhamnetwork.com or arkhamnetwork.org?
> 
> 
> On 12/11/14, 7:50 PM, "Dnsbed (Jeff)" <support at dnsbed.com> wrote:
> 
>> DNSMadeEasy, DNSimple, 1AND1 were under attacks these days.
>> I heard DNSMadeEasy and DNSimple were attacked due to the same domain name hosted there.
>> 
>> Livingood, Jason wrote:
>>> 
>>> Seems like a lot of DNS abuse happening this week. Surely there’s a wider story someplace?
>>> 
>>> Jason
>> 
>> -- 
>> Best Regards,
>> DNSbed Hosting
>> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
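The log excerpt above shows the classic random-subdomain pattern: one client, one zone, a stream of generated 8-character first labels that all end in SERVFAIL because the authoritative server stops answering. A resolver operator would want to spot such (client, zone) pairs before the outstanding-query slots are exhausted. The detector below is an added example written for this thread, not code from any of its posters; it parses lines in the BIND-style query-log layout quoted in the post, scores the first label with a simple entropy/character-mix heuristic, and flags clients whose SERVFAILs against a zone are mostly generated-looking labels. The sample log, the 192.0.2.10/198.51.100.7 addresses and the example.org zone are constructed placeholders, the regex is an assumption about the log format, and the thresholds are assumptions tuned to the 8-character labels seen here rather than published constants.

```python
"""Flag resolver clients hammering a zone with pseudo-random labels.

Added example for the mailing-list thread above (not the posters' code):
a small detector for the random-subdomain pattern, run over BIND-style
query-log lines.  Log lines, addresses and the zone are constructed
placeholders, not real targets.
"""
import math
import re
from collections import defaultdict

# One query-log line in the layout quoted in the post (assumed format):
# timestamp, client address/port, view, qname, class, qtype, rcode, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+) (?P<port>\d+): "
    r"view (?P<view>[^:]+): (?P<qname>\S+) IN (?P<qtype>\S+) (?P<rcode>\S+)"
)

# Constructed sample: one client sends random 8-character labels that all
# SERVFAIL, plus two ordinary lookups from another client for contrast.
SAMPLE_LOG = """\
12-Dec-2014 09:42:54.027 client 192.0.2.10 42620: view default: RLSA7H4P.example.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 192.0.2.10 42620: view default: yvLjEthQ.example.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 192.0.2.10 42620: view default: fykmxdl8.example.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 192.0.2.10 42620: view default: h5cCXilV.example.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.027 client 192.0.2.10 42620: view default: gqf0gVnd.example.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:54.028 client 192.0.2.10 42620: view default: Qp3xLm9z.example.org IN A SERVFAIL + NS NE NT ND NC
12-Dec-2014 09:42:55.101 client 198.51.100.7 51000: view default: www.example.org IN A NOERROR + NS NE NT ND NC
12-Dec-2014 09:42:55.102 client 198.51.100.7 51001: view default: research.example.org IN A NOERROR + NS NE NT ND NC
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Heuristic: high per-character entropy plus a non-word-like mix.

    Ordinary hostnames ('www', 'mail', 'research') are short, low entropy,
    or plain lowercase words with a normal vowel share; generated labels mix
    digits and letters, mix case, or are vowel-starved.  The 6-char minimum,
    2.5-bit entropy floor and 20% vowel share are assumed thresholds.
    """
    if len(label) < 6 or shannon_entropy(label) < 2.5:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    mixed_case = any(ch.islower() for ch in label) and any(ch.isupper() for ch in label)
    vowel_share = sum(ch in "aeiouAEIOU" for ch in label) / len(label)
    return (has_digit and has_alpha) or mixed_case or vowel_share < 0.2


def zone_of(qname):
    """Crude apex guess: the last two labels.  Assumption for the example;
    a production tool would consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect(log_text, min_queries=5, min_ratio=0.8):
    """Group SERVFAIL queries per (client, zone) and flag groups in which at
    least min_ratio of the first labels look generated.
    Returns {(client, zone): {"servfail": n, "random": m, "samples": [...]}}.
    """
    stats = defaultdict(lambda: {"servfail": 0, "random": 0, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "SERVFAIL":
            continue
        first_label = rec["qname"].split(".")[0]
        entry = stats[(rec["client"], zone_of(rec["qname"]))]
        entry["servfail"] += 1
        if looks_random(first_label):
            entry["random"] += 1
            if len(entry["samples"]) < 3:
                entry["samples"].append(first_label)
    flagged = {}
    for key, entry in stats.items():
        if entry["servfail"] >= min_queries and entry["random"] / entry["servfail"] >= min_ratio:
            flagged[key] = dict(entry)
    return flagged


if __name__ == "__main__":
    for (client, zone), entry in detect(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {entry['random']}/{entry['servfail']} "
              f"random-label SERVFAILs, e.g. {entry['samples']}")
```

Keying on the (client, zone) pair rather than on the client alone matters on a shared ISP resolver: the flagged client is usually a CPE or NAT gateway that also carries legitimate traffic, so the useful response is to rate-limit or drop queries for that zone from that source, not to blackhole the address. Raising `min_queries` or lowering `min_ratio` trades false positives against detection delay.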
