[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

Jeroen Massar jeroen at massar.ch
Wed Dec 31 07:24:18 UTC 2014


On 2014-12-30 20:54, David C Lawrence wrote:
> Paul Vixie writes:
>> i think you mean "we have heard no reports of incidents caused by stale
>> data"?
> 
> I meant it as I said it, but appreciate the distinction you are trying
> to make.
> 
> Many organizations have a formal distinction of what an incident is.
> If it wasn't reported (for expansive values of "reported"), it wasn't
> an incident.

I've attempted reporting the below to Akamai through various ways;
unfortunately you guys seem very busy fixing other things
(e.g. mysterious IPv6 breakage, which has been fixed by now, fortunately).

So maybe as it is the end of the year one has time to peek at this now?


A host of mine is receiving a lot of requests towards
applicast.ga.sony.net, e.g. every minute when that TV is on:

85.218.3.152 - - [30/Dec/2014:22:32:59 +0000] "GET /WsIndexes/AZ1_EU.xml HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:33:29 +0000] "GET /WsIndexes/AZ1_EU.xml HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:34:00 +0000] "GET /WsIndexes/AZ1_EU.xml HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:34:30 +0000] "GET /WsIndexes/AZ1_EU.xml HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:35:00 +0000] "GET /WsIndexes/AZ1_EU.xml HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"

and so on and on.... are these not because of stale DNS data?

Indeed, at one point Akamai was using the prefix that that server is in
for an Akamai cluster, it seems. (pDNS shows that that used to be true.)

See below for a whole long list of nice stale DNS entries.
Hence, it definitely does happen.

If this is happening in the resolver on the client, at something like
OpenDNS that does this or some other location is of course quite
unknown. But it does demonstrate that it happens.

A few others that have been seen that way, maybe not all attributable to
Akamai, but most of them are...

Greets,
 Jeroen

--

$ cat /var/log/nginx/error.log|grep -v 85.218.3.152 |grep host: |cut -f6 -d\" |sort -n | uniq -c  | sort -nr
     22 cdn.watchguard.com
     19 i.dailymail.co.uk
     19 applicast.ga.sony.net
     17 www.independent.co.uk
     10 www.bing.com
     10 s3-ak.buzzfeed.com
      7 www.popularmechanics.com
      7 images.medicinenet.com
      6 css01.lavanguardia.com
      4 www.washingtonpost.com
      4 www.srf.ch
      4 p.ebaystatic.com
      4 edm.westelm.com
      4 cdn.els-cdn.com
      4 aka-cdn-ns.adtech.de
      3 www.bloomberg.com
      3 s.imwx.com
      3 s.c.lnkd.licdn.com
      3 media.evans.co.uk
      3 images.apple.com
      3 i.huffpost.com
      3 f.blick.ch
      3 ch.voyages-sncf.com
      3 cdn1.spiegel.de
      3 cdn.farecompare.com
      3 brightcove01.brightcove.com
      2 www.reuters.com
      2 www.nature.com
      2 www.meteosuisse.admin.ch
      2 www.ikea.com
      2 www.fda.gov
      2 static01.lavanguardia.com
      2 slimages.macys.com
      2 s3-ak.buzzfed.com
      2 m.c.lnkd.licdn.com
      2 img.ed4.net
      2 images2.corriereobjects.it
      2 images.zap2it.com
      2 images.intellitxt.com
      2 i.mol.im
      2 emp.bbci.co.uk
      2 cdn3.spiegel.de
      2 cdn.idealo.com
      2 cache.vzw.com
      2 afterellen.mtvnimages.com
      1 www.sf.tv
      1 www.roche.com
      1 www.msftncsi.com
      1 www.meteoschweiz.admin.ch
      1 www.lequipe.fr
      1 www.intermediair.nl
      1 www.dow.com
      1 vortex.accuweather.com
      1 video.spiegel.de
      1 update.nai.com
      1 travel.tile.appex.bing.com
      1 tap2-cdn.rubiconproject.com
      1 static.guim.co.uk
      1 static.afcdn.com
      1 spot.static.meetic.com
      1 s.uicdn.com
      1 q.ebaystatic.com
      1 platformdl.adobe.com
      1 photos2.demandstudios.com
      1 netstorage.lequipe.fr
      1 js.washingtonpost.com
      1 jdn.monster.com
      1 javadl-esd.sun.com
      1 imworld.aufeminin.com
      1 img2.meetupstatic.com
      1 img01.lavanguardia.com
      1 img.constantcontact.com
      1 images2.gazzettaobjects.it
      1 images2.ads.rcsobjects.it
      1 images.marmitoncdn.org
      1 icompass.insightexpressai.com
      1 i.dell.com
      1 i.computer-bild.de
      1 gsp1.apple.com
      1 forum.chip.de
      1 f.mol.im
      1 enewsletters.ziffdavisinternet.com
      1 d8.zedo.com
      1 d3.zedo.com
      1 cdn2.spiegel.de
      1 cdn.gotraffic.net
      1 au.download.windowsupdate.com
      1 apnwidgets.ask.com
      1 ak.imgfarm.com
      1 a465.g.akamai.net
      1 a.vimeocdn.com
      1 a.adroll.com
      1 213.144.131.58

Source IPs:
$ cat /var/log/nginx/error.log|grep -v 85.218.3.152 |grep host: | cut -f6 -d: | cut -f1 -d, | sort -n | uniq -c
      1  46.31.146.46
      5  75.98.84.57
      9  77.234.172.90
      1  80.241.209.165
     19  85.218.63.34
      3  98.126.135.138
      1  121.127.241.197
      8  180.186.121.254
      1  195.49.86.36
      3  204.101.161.160
      6  207.102.138.3
     22  212.55.195.141
    199  213.189.141.50
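The shell pipelines above pull two things out of the nginx error log: the Host headers that strangers are asking this server for, and the client addresses sending them. The following script does the same job in Python and adds the one check the grep pipeline lacks: it separates ordinary 404s on the server's own hostnames from requests for hostnames it has never served, which are the footprint of stale DNS still mapping those names into the prefix. This is an added example, not code from the original post or from the list; the served-host set, the sample log lines, and the IPs and hostnames in them are constructed for illustration.

```python
import re
from collections import Counter

# Hostnames this server legitimately serves (constructed example set).
SERVED_HOSTS = {"example.net", "www.example.net"}

# Constructed nginx error-log lines in nginx's default error format.
# The client IPs and Host headers are sample values, not a real capture.
SAMPLE_ERROR_LOG = """\
2014/12/30 22:32:59 [error] 1234#0: *11 open() "/srv/www/WsIndexes/AZ1_EU.xml" failed (2: No such file or directory), client: 85.218.3.152, server: example.net, request: "GET /WsIndexes/AZ1_EU.xml HTTP/1.1", host: "applicast.ga.sony.net"
2014/12/30 22:33:29 [error] 1234#0: *12 open() "/srv/www/WsIndexes/AZ1_EU.xml" failed (2: No such file or directory), client: 85.218.3.152, server: example.net, request: "GET /WsIndexes/AZ1_EU.xml HTTP/1.1", host: "applicast.ga.sony.net"
2014/12/30 22:40:01 [error] 1234#0: *13 open() "/srv/www/css/site.css" failed (2: No such file or directory), client: 213.189.141.50, server: example.net, request: "GET /css/site.css HTTP/1.1", host: "css01.lavanguardia.com"
2014/12/30 22:41:10 [error] 1234#0: *14 open() "/srv/www/missing.html" failed (2: No such file or directory), client: 192.0.2.7, server: example.net, request: "GET /missing.html HTTP/1.1", host: "www.example.net"
2014/12/30 22:42:15 [error] 1234#0: *15 open() "/srv/www/i/logo.png" failed (2: No such file or directory), client: 213.189.141.50, server: example.net, request: "GET /i/logo.png HTTP/1.1", host: "img01.lavanguardia.com"
"""

# nginx appends ", client: <ip>, server: ..., request: "...", host: "<Host header>"
# to file-level errors; this pulls out the client and the Host header.
LINE_RE = re.compile(r'client: (?P<client>[0-9a-fA-F.:]+),.*?host: "(?P<host>[^"]+)"')


def parse_error_log(text):
    """Yield (client_ip, host_header) for every line that carries both fields."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("host").lower()


def stale_dns_report(text, served_hosts=SERVED_HOSTS):
    """Count requests whose Host header names a site this server does not serve.

    A request for a foreign hostname means some resolver still maps that name
    to an address in our prefix. Returns per-hostname and per-client counters
    plus the total number of such foreign requests.
    """
    hosts, clients = Counter(), Counter()
    for client, host in parse_error_log(text):
        if host in served_hosts:
            continue  # a plain 404 on our own site, not a DNS problem
        hosts[host] += 1
        clients[client] += 1
    return {"hosts": hosts, "clients": clients, "foreign_requests": sum(hosts.values())}


if __name__ == "__main__":
    report = stale_dns_report(SAMPLE_ERROR_LOG)
    print("Foreign Host headers (stale DNS candidates):")
    for host, n in report["hosts"].most_common():
        print(f"{n:7d} {host}")
    print("Source IPs:")
    for ip, n in report["clients"].most_common():
        print(f"{n:7d}  {ip}")
```

Run against a real error log, the per-host counts give the list of names whose operators (or whose users' resolvers) still hold the old address, and the per-client counts show which resolvers or clients are doing it. On the nginx side, a catch-all default `server` block that answers unknown Host headers with a short error response keeps those requests from being served by, or logged against, the real sites on the host.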
