[dns-operations] Sporadic but noticeable SERVFAILs [attack with random subdomains of specific domains]

Dobbins, Roland rdobbins at arbor.net
Sat Mar 8 21:23:53 UTC 2014

On Mar 9, 2014, at 3:21 AM, sthaug at nethelp.no wrote:

> I don't necessarily agree - as far as I can see the traffic is one-way
> and that seems strange for botnet control traffic.

I think there was a conflation of diagnoses, here.  We're seeing what's clearly attack traffic of this type reflected through broken CPE and into recursive servers worldwide, and then onwards to the authoritative servers which are the intended targets of the attacks.

Some traffic similar to this in nature is in fact botnet C&C traffic encapsulated in DNS, but what's being reported appears to be attack traffic, and significant collateral impact on recursive infrastructure is taking place.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
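The random-subdomain flood described in this message leaves a recognisable trace in a recursive server's query log: many distinct, high-entropy leftmost labels under one zone, arriving from many client addresses (the open CPE). The following detector is an added example, not code from the thread; the log format is assumed to be BIND-style `query:` lines, and the sample lines are constructed.

```python
import math
import re
from collections import defaultdict

# Assumed BIND-style query-log format (constructed for this example).
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

# Constructed sample: one random-subdomain flood via three CPE addresses,
# plus ordinary traffic for an unrelated zone.
SAMPLE_LOG = [
    "client 198.51.100.7#5321: query: x7q2mz9k.target.example IN A + (203.0.113.1)",
    "client 198.51.100.23#1044: query: p0ltn4vb.target.example IN A + (203.0.113.1)",
    "client 198.51.100.41#6110: query: gh38sdq1.target.example IN A + (203.0.113.1)",
    "client 198.51.100.7#5322: query: zk2w9r5c.target.example IN A + (203.0.113.1)",
    "client 198.51.100.23#1045: query: b6nm1yt8.target.example IN A + (203.0.113.1)",
    "client 198.51.100.41#6111: query: q9xv3lhd.target.example IN A + (203.0.113.1)",
    "client 192.0.2.10#40001: query: www.example.net IN A + (203.0.113.1)",
    "client 192.0.2.10#40002: query: mail.example.net IN MX + (203.0.113.1)",
    "client 192.0.2.10#40003: query: example.net IN SOA + (203.0.113.1)",
]

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; random labels score high."""
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_random_subdomain_zones(lines, min_unique=5, min_entropy=2.5):
    """Group queries by zone (approximated as the last two labels, a heuristic that
    ignores public suffixes such as co.uk) and flag zones with many distinct,
    high-entropy prefixes: the pattern of a random-subdomain flood hitting a recursive."""
    per_zone = defaultdict(lambda: {"names": set(), "clients": set(), "entropy": []})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:  # apex or second-level name: no random prefix to score
            continue
        stats = per_zone[".".join(labels[-2:])]
        stats["names"].add(qname)
        stats["clients"].add(client)
        stats["entropy"].append(label_entropy(labels[0]))
    flagged = {}
    for zone, s in per_zone.items():
        mean_h = sum(s["entropy"]) / len(s["entropy"])
        if len(s["names"]) >= min_unique and mean_h >= min_entropy:
            flagged[zone] = {"unique_names": len(s["names"]),
                             "clients": len(s["clients"]), "mean_entropy": round(mean_h, 2)}
    return flagged
```

A flagged zone is a candidate for per-zone rate limiting or a temporary negative cache on the recursive, which protects the resolver's own capacity as well as the targeted authoritative servers.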
