[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency
Jeroen Massar
jeroen at massar.ch
Wed Dec 31 07:24:18 UTC 2014
On 2014-12-30 20:54, David C Lawrence wrote:
> Paul Vixie writes:
>> i think you mean "we have heard no reports of incidents caused by stale
>> data"?
>
> I meant it as I said it, but appreciate the distinction you are trying
> to make.
>
> Many organizations have a formal distinction of what an incident is.
> If it wasn't reported (for expansive values of "reported"), it wasn't
> an incident.
I've attempted reporting the below to Akamai through various ways,
unfortunately you guys seem very busy fixing other things
(eg mysterious IPv6 breakage which has been fixed by now fortunately)
So maybe as it is the end of the year one has time to peek at this now?
A host of mine is receiving a lot of requests towards
applicast.ga.sony.net, eg, every minute when that TV Is on:
85.218.3.152 - - [30/Dec/2014:22:32:59 +0000] "GET /WsIndexes/AZ1_EU.xml
HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:33:29 +0000] "GET /WsIndexes/AZ1_EU.xml
HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:34:00 +0000] "GET /WsIndexes/AZ1_EU.xml
HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:34:30 +0000] "GET /WsIndexes/AZ1_EU.xml
HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
85.218.3.152 - - [30/Dec/2014:22:35:00 +0000] "GET /WsIndexes/AZ1_EU.xml
HTTP/1.1" 404 162 "-" "WidgetSystem/2.0"
and so on and on.... are these not because of stale DNS data?
Indeed, at one point Akamai was using the prefix that that server is in
for a akamai cluster it seems. (pDNS shows that that used to be true)
See below for a whole long list of nice stale DNS entries.
Hence, it definitely does happen.
If this is happening in the resolver on the client, at something like
OpenDNS that does this or some other location is of course quite
unknown. But it does demonstrate that it happens.
A few others that have been seen that way, maybe not all attributable to
Akamai, but most of them are...
Greets,
Jeroen
--
$ cat /var/log/nginx/error.log|grep -v 85.218.3.152 |grep host: |cut -f6
-d\" |sort -n | uniq -c | sort -nr
22 cdn.watchguard.com
19 i.dailymail.co.uk
19 applicast.ga.sony.net
17 www.independent.co.uk
10 www.bing.com
10 s3-ak.buzzfeed.com
7 www.popularmechanics.com
7 images.medicinenet.com
6 css01.lavanguardia.com
4 www.washingtonpost.com
4 www.srf.ch
4 p.ebaystatic.com
4 edm.westelm.com
4 cdn.els-cdn.com
4 aka-cdn-ns.adtech.de
3 www.bloomberg.com
3 s.imwx.com
3 s.c.lnkd.licdn.com
3 media.evans.co.uk
3 images.apple.com
3 i.huffpost.com
3 f.blick.ch
3 ch.voyages-sncf.com
3 cdn1.spiegel.de
3 cdn.farecompare.com
3 brightcove01.brightcove.com
2 www.reuters.com
2 www.nature.com
2 www.meteosuisse.admin.ch
2 www.ikea.com
2 www.fda.gov
2 static01.lavanguardia.com
2 slimages.macys.com
2 s3-ak.buzzfed.com
2 m.c.lnkd.licdn.com
2 img.ed4.net
2 images2.corriereobjects.it
2 images.zap2it.com
2 images.intellitxt.com
2 i.mol.im
2 emp.bbci.co.uk
2 cdn3.spiegel.de
2 cdn.idealo.com
2 cache.vzw.com
2 afterellen.mtvnimages.com
1 www.sf.tv
1 www.roche.com
1 www.msftncsi.com
1 www.meteoschweiz.admin.ch
1 www.lequipe.fr
1 www.intermediair.nl
1 www.dow.com
1 vortex.accuweather.com
1 video.spiegel.de
1 update.nai.com
1 travel.tile.appex.bing.com
1 tap2-cdn.rubiconproject.com
1 static.guim.co.uk
1 static.afcdn.com
1 spot.static.meetic.com
1 s.uicdn.com
1 q.ebaystatic.com
1 platformdl.adobe.com
1 photos2.demandstudios.com
1 netstorage.lequipe.fr
1 js.washingtonpost.com
1 jdn.monster.com
1 javadl-esd.sun.com
1 imworld.aufeminin.com
1 img2.meetupstatic.com
1 img01.lavanguardia.com
1 img.constantcontact.com
1 images2.gazzettaobjects.it
1 images2.ads.rcsobjects.it
1 images.marmitoncdn.org
1 icompass.insightexpressai.com
1 i.dell.com
1 i.computer-bild.de
1 gsp1.apple.com
1 forum.chip.de
1 f.mol.im
1 enewsletters.ziffdavisinternet.com
1 d8.zedo.com
1 d3.zedo.com
1 cdn2.spiegel.de
1 cdn.gotraffic.net
1 au.download.windowsupdate.com
1 apnwidgets.ask.com
1 ak.imgfarm.com
1 a465.g.akamai.net
1 a.vimeocdn.com
1 a.adroll.com
1 213.144.131.58
Source IPs:
$ cat /var/log/nginx/error.log|grep -v 85.218.3.152 |grep host: | cut
-f6 -d: | cut -f1 -d, | sort -n | uniq -c
1 46.31.146.46
5 75.98.84.57
9 77.234.172.90
1 80.241.209.165
19 85.218.63.34
3 98.126.135.138
1 121.127.241.197
8 180.186.121.254
1 195.49.86.36
3 204.101.161.160
6 207.102.138.3
22 212.55.195.141
199 213.189.141.50
More information about the dns-operations
mailing list