[dns-operations] Sporadic but noticeable SERVFAILs [attack with random subdomains of specific domains]
sthaug at nethelp.no
Sat Mar 8 20:21:19 UTC 2014
> - our main issue was that we were being attacked. The attack was hard
> enough to DOS our servers at times.
> Open resolvers in our network were utilized to produce large amounts
> of queries with random subdomains of specific domains. Analyzing a
> small capture we noticed the following domains, but the list should
> not be considered complete I guess
>
> www.jxoyjt.com.cn
> liebiao.81ypf.com
> yuerengu.com.cn
> www.lgsf.net
> www.xxcfsb.com
> lie.zz85.com
> www.9009pk.com
> www.bcbang.com
>
> I haven't caught up with probable discussions on this list about these
> attacks, I guess we are not the only ones seeing them. Apart from a
> (D)DOS effect we cannot yet understand another main goal behind them
> (since they have no amplification effect). If you can provide any
> pointers or findings for them please share.
See the NANOG thread starting here:
http://mailman.nanog.org/pipermail/nanog/2014-February/064530.html
An interesting observation made here:
http://mailman.nanog.org/pipermail/nanog/2014-February/064568.html
I don't necessarily agree - as far as I can see the traffic is one-way
and that seems strange for botnet control traffic.
In any case - we see quite a bit of these queries. The domains used are
changing rapidly, but are almost always "nonsense-looking" domains.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
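The "nonsense-looking" random subdomains described in this thread can be picked out of a resolver's query log without knowing the target domains in advance. The script below is an added example written for this page, not code from either poster: it parses constructed log lines in the shape of a BIND 9 querylog (the addresses, random labels and timestamps are made up; the parent names come from the list quoted above), groups queries by the name with its leftmost label removed, and flags parents where nearly every query carries a never-seen, high-entropy label. The thresholds (5 queries, 90% unique labels, 2.5 bits mean entropy) are assumptions to tune against real traffic, and a plain querylog carries no response code, so the NXDOMAIN ratio that would confirm the pattern has to come from a pcap or response log.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in the shape of a BIND 9 querylog (not a real capture).
# The first eight mimic the random-subdomain traffic from the thread; the rest is
# ordinary repeated lookups that must NOT be flagged.
SAMPLE_LOG = """\
08-Mar-2014 20:10:01.101 client 192.0.2.10#53211: query: qz8k2lw1.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:01.104 client 192.0.2.11#40122: query: m0xv7tpe.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:01.108 client 192.0.2.12#51811: query: 3hbd9rcq.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:01.110 client 192.0.2.10#53212: query: ukw5n2fa.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:01.115 client 192.0.2.13#60231: query: p7ytz4mq.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:01.118 client 192.0.2.11#40123: query: b2ke8sxd.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:01.121 client 192.0.2.14#33901: query: lr4dh1wc.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:01.125 client 192.0.2.12#51812: query: x9vmq6ja.www.jxoyjt.com.cn IN A + (198.51.100.2)
08-Mar-2014 20:10:02.001 client 192.0.2.20#44100: query: www.example.com IN A + (198.51.100.2)
08-Mar-2014 20:10:02.010 client 192.0.2.21#44101: query: www.example.com IN AAAA + (198.51.100.2)
08-Mar-2014 20:10:02.020 client 192.0.2.22#44102: query: mail.example.com IN A + (198.51.100.2)
08-Mar-2014 20:10:02.030 client 192.0.2.20#44103: query: www.example.com IN A + (198.51.100.2)
08-Mar-2014 20:10:02.040 client 192.0.2.23#44104: query: mail.example.com IN MX + (198.51.100.2)
08-Mar-2014 20:10:02.050 client 192.0.2.20#44105: query: www.example.com IN A + (198.51.100.2)
"""

# Tolerates both the older "client IP#port:" and the newer "client @0x... IP#port (name):" forms.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for every parsable querylog line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label ('www' -> 0.0)."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def summarize_by_parent(text):
    """Group queries by the qname minus its leftmost label (the zone the random
    labels hang under) and collect counts, distinct labels, distinct clients and
    summed label entropy per parent."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set(), "entropy_sum": 0.0})
    for client, qname, _qtype in parse_query_log(text):
        head, sep, parent = qname.partition(".")
        if not sep:
            continue  # single-label name: nothing to hang a random label under
        s = stats[parent]
        s["queries"] += 1
        s["labels"].add(head)
        s["clients"].add(client)
        s["entropy_sum"] += label_entropy(head)
    return stats


def find_random_subdomain_targets(text, min_queries=5, min_unique_ratio=0.9, min_mean_entropy=2.5):
    """Return [(parent, queries, unique_ratio, mean_entropy, n_clients)], busiest first,
    for parents whose leftmost labels look random. Thresholds are assumed values."""
    flagged = []
    for parent, s in summarize_by_parent(text).items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["labels"]) / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_mean_entropy:
            flagged.append((parent, s["queries"], unique_ratio, mean_entropy, len(s["clients"])))
    flagged.sort(key=lambda t: t[1], reverse=True)
    return flagged


if __name__ == "__main__":
    for parent, q, ur, ent, nc in find_random_subdomain_targets(SAMPLE_LOG):
        print(f"{parent}: {q} queries, {ur:.0%} unique labels, "
              f"mean label entropy {ent:.2f} bits, {nc} distinct clients")
```

Grouping by the parent name rather than by registered domain is deliberate: it needs no public-suffix list, and it reports exactly the names the thread lists (www.jxoyjt.com.cn, not jxoyjt.com.cn). The uniqueness test alone will also trip on zones that legitimately serve many distinct hostnames (CDN or tracking labels), so in practice corroborate a hit with the NXDOMAIN rate for that parent and with the number of distinct source addresses, which for traffic relayed through open resolvers will be the resolvers rather than the real originators.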