[dns-operations] Sporadic but noticeable SERVFAILs [attack with random subdomains of specific domains]
Kostas Zorbadelos
kzorba at otenet.gr
Sat Mar 8 20:03:49 UTC 2014
Hello,
an update with the findings so far:
- IPv6 config on the servers was an issue so we removed it and will test
further later, considering the net.ipv6.route.max_size setting
- our main issue was that we were being attacked. The attack was hard
enough to DOS our servers at times.
Open resolvers in our network were utilized to produce large amounts
of queries with random subdomains of specific domains. Analyzing a
small capture we noticed the following domains, but the list should
not be considered complete, I guess:
www.jxoyjt.com.cn
liebiao.81ypf.com
yuerengu.com.cn
www.lgsf.net
www.xxcfsb.com
lie.zz85.com
www.9009pk.com
www.bcbang.com
I haven't caught up with probable discussions on this list about these
attacks; I guess we are not the only ones seeing them. Apart from a
(D)DOS effect, we cannot yet understand another main goal behind them
(since they have no amplification effect). If you can provide any
pointers or findings for them, please share.
Regards,
Kostas
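The post describes the classic random-subdomain pattern: a flood of queries for never-seen labels under a handful of target domains, sourced through open resolvers on the operator's own network, with SERVFAILs as the visible symptom. The script below is an added example (not code from the post or the dns-operations list) showing how a resolver operator can spot this in a BIND-style query log: it groups queries by registered domain, measures how many distinct names were asked for and how random the leftmost label looks, and lists which client addresses generated the traffic. The log lines, client addresses, thresholds and the small two-label suffix set are all constructed for the example; a real deployment would read its actual query log and use the full Public Suffix List.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND-style query-log format (not taken from the post).
# Clients are RFC 5737 documentation addresses; the random labels are made up.
SAMPLE_LOG = """\
08-Mar-2014 19:58:01.101 client 192.0.2.10#40123: query: k3q9zx1b.www.jxoyjt.com.cn IN A +
08-Mar-2014 19:58:01.104 client 192.0.2.10#40124: query: p0v7mnq2.www.jxoyjt.com.cn IN A +
08-Mar-2014 19:58:01.110 client 192.0.2.23#51877: query: x8ab4ct9.www.jxoyjt.com.cn IN A +
08-Mar-2014 19:58:01.115 client 192.0.2.10#40125: query: r2ly6wq3.www.jxoyjt.com.cn IN A +
08-Mar-2014 19:58:01.121 client 192.0.2.23#51878: query: d5hn0pe8.www.jxoyjt.com.cn IN A +
08-Mar-2014 19:58:01.130 client 192.0.2.10#40126: query: z1qk7vb4.www.jxoyjt.com.cn IN A +
08-Mar-2014 19:58:02.002 client 198.51.100.7#33001: query: www.example.net IN A +
08-Mar-2014 19:58:02.410 client 198.51.100.8#33002: query: mail.example.net IN MX +
08-Mar-2014 19:58:03.001 client 198.51.100.7#33003: query: www.example.net IN AAAA +
08-Mar-2014 19:58:03.530 client 198.51.100.9#33004: query: www.example.net IN A +
"""

# Matches the "client <addr>#<port>: query: <qname> IN <qtype>" part of a BIND query log line.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Tiny constructed stand-in for the Public Suffix List: suffixes under which
# registrations happen one label deeper (so "jxoyjt.com.cn" is the registered domain).
TWO_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk", "com.au"}


def parse_query_log(text):
    """Yield (client, qname, qtype) for each query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").lower().rstrip("."), m.group("qtype")


def registered_domain(qname):
    """Approximate the registered (zone owner's) domain for a query name."""
    labels = qname.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; random labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def analyze(text, min_queries=5, min_distinct_ratio=0.8, min_entropy=2.5):
    """Per registered domain: query volume, name churn, label randomness and top source clients.

    A domain is flagged when it receives enough queries, almost every query is for a
    previously unseen name, and the leftmost label looks random. Thresholds are constructed
    for this example and should be tuned against a baseline of normal traffic.
    """
    per_domain = defaultdict(
        lambda: {"queries": 0, "names": set(), "entropy_sum": 0.0, "clients": Counter()}
    )
    for client, qname, _qtype in parse_query_log(text):
        domain = registered_domain(qname)
        # Only the part left of the registered domain is attacker-controlled churn.
        prefix = qname[: -len(domain) - 1] if qname != domain else ""
        stats = per_domain[domain]
        stats["queries"] += 1
        stats["names"].add(qname)
        stats["entropy_sum"] += label_entropy(prefix.split(".")[0])
        stats["clients"][client] += 1

    report = {}
    for domain, stats in per_domain.items():
        ratio = len(stats["names"]) / stats["queries"]
        mean_entropy = stats["entropy_sum"] / stats["queries"]
        report[domain] = {
            "queries": stats["queries"],
            "distinct_names": len(stats["names"]),
            "distinct_ratio": ratio,
            "mean_entropy": mean_entropy,
            "top_clients": stats["clients"].most_common(3),
            "flagged": (
                stats["queries"] >= min_queries
                and ratio >= min_distinct_ratio
                and mean_entropy >= min_entropy
            ),
        }
    return report


def flagged_domains(text, **thresholds):
    """Sorted list of registered domains that look like random-subdomain targets."""
    return sorted(d for d, s in analyze(text, **thresholds).items() if s["flagged"])


if __name__ == "__main__":
    for domain, s in analyze(SAMPLE_LOG).items():
        mark = "FLAGGED" if s["flagged"] else "ok"
        print(f"{domain}: {s['queries']} queries, {s['distinct_names']} distinct names, "
              f"mean label entropy {s['mean_entropy']:.2f} [{mark}]")
        if s["flagged"]:
            print("  top clients:", s["top_clients"])
```

The `top_clients` list is the actionable part for the situation in the post: on a network with open resolvers, those addresses are the recursive servers (or hosts behind them) relaying the flood, so they are where rate limits or recursion ACLs need to go. Grouping by registered domain rather than by full query name is what makes the churn visible; the random labels themselves never repeat, so counting them individually would show nothing.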