[dns-operations] Sporadic but noticeable SERVFAILs [attack with random subdomains of specific domains]

Kostas Zorbadelos kzorba at otenet.gr
Sat Mar 8 20:03:49 UTC 2014


Hello,

an update with the findings so far:

- IPv6 config on the servers was an issue so we removed it and will test
  further later, considering the net.ipv6.route.max_size setting

- our main issue was that we were being attacked. The attack was hard
  enough to DOS our servers at times.
  Open resolvers in our network were utilized to produce large amounts
  of queries with random subdomains of specific domains. Analyzing a
  small capture we noticed the following domains, but the list should
  not be considered complete I guess

I haven't caught up with probable discussions on this list about these
attacks, I guess we are not the only ones seeing them. Apart from a
(D)DOS effect we cannot yet understand another main goal behind them
(since they have no amplification effect). If you can provide any
pointers or findings for them please share.

Regards,

Kostas
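A defender-side illustration of the pattern described in the mail above, added here and not part of Kostas's post or of any tool named on the list: it scans resolver query-log lines (constructed sample lines in a BIND-like format, with placeholder domains) and flags base domains whose queries consist almost entirely of never-repeated subdomains, which is the signature of a random-subdomain flood. The two-label "base domain" split and the thresholds are simplifying assumptions, not an established standard.

```python
import re
from collections import defaultdict

# Constructed sample query-log lines (not from the original post). The format
# loosely mimics a BIND query log: "client IP#port: query: NAME IN TYPE".
SAMPLE_LOG = """\
client 10.0.0.5#5353: query: k3j9x2.example-target.test IN A
client 10.0.0.5#5353: query: qp0v7l.example-target.test IN A
client 10.0.0.6#41020: query: zz81m4.example-target.test IN A
client 10.0.0.7#9001: query: www.example-target.test IN A
client 10.0.0.7#9001: query: www.example-target.test IN AAAA
client 10.0.0.8#2212: query: a8r2tq.example-target.test IN A
client 10.0.0.9#3301: query: www.normal.test IN A
client 10.0.0.9#3301: query: mail.normal.test IN MX
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def base_domain(name, labels=2):
    # Assumption: the zone being targeted is the last two labels. Real
    # deployments should use a public-suffix list (e.g. for .com.cn names).
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def detect_random_subdomain_floods(log_text, min_unique=4, min_ratio=0.8, labels=2):
    """Return {base: (unique_names, total_queries, sorted_client_ips)} for each
    base domain where at least min_unique distinct names were queried and the
    share of distinct names among all its queries is >= min_ratio."""
    seen = defaultdict(set)       # base -> set of distinct query names
    totals = defaultdict(int)     # base -> number of queries
    clients = defaultdict(set)    # base -> source IPs (open resolvers, in the mail's case)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        base = base_domain(qname, labels)
        seen[base].add(qname.lower())
        totals[base] += 1
        clients[base].add(client)
    flagged = {}
    for base, names in seen.items():
        n, total = len(names), totals[base]
        if n >= min_unique and n / total >= min_ratio:
            flagged[base] = (n, total, sorted(clients[base]))
    return flagged
```

The client set for a flagged domain is what you would cross-check against your own address space to find the open resolvers being abused.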