[dns-operations] Sporadic but noticable SERVFAILs [attack with random subdomains of specific domains]

sthaug at nethelp.no sthaug at nethelp.no
Sat Mar 8 20:21:19 UTC 2014

> - our main issue was that we were being attacked. The attack was hard
>   enough to DOS our servers at times.
>   Open resolvers in our network were utilized to produce large amounts
>   of queries with random subdomains of specific domains. Analyzing a
>   small capture we noticed the following domains, but the list should
>   not be considered complete I guess
>   www.jxoyjt.com.cn
>   liebiao.81ypf.com
>   yuerengu.com.cn
>   www.lgsf.net
>   www.xxcfsb.com
>   lie.zz85.com
>   www.9009pk.com
>   www.bcbang.com
> I haven't cought up with probable discussions on this list about these
> attacks, I guess we are not the only ones seeing them. Apart from a
> (D)DOS effect we cannot yet understand another main goal behind them
> (since they have no amplification effect). If you can provide any
> pointers or findings for them please share.

See the NANOG thread starting here:


An interesting observation made here:


I don't necessarily agree - as far as I can see the traffic is one-way
and that seems strange for botnet control traffic.

In any case - we see quite a bit of these queries. The domains used are
changing rapidly, but are almost always "nonsense-looking" domains.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

More information about the dns-operations mailing list