[dns-operations] Sporadic but noticeable SERVFAILs [attack with random subdomains of specific domains]
abang at t-ipnet.net
Thu Mar 20 09:35:57 UTC 2014
Interesting document in this context:
On 08.03.2014 21:21, sthaug at nethelp.no wrote:
>> - our main issue was that we were being attacked. The attack was hard
>> enough to DOS our servers at times.
>> Open resolvers in our network were utilized to produce large amounts
>> of queries with random subdomains of specific domains. Analyzing a
>> small capture we noticed the following domains, but the list should
>> not be considered complete I guess
>> I haven't caught up with probable discussions on this list about these
>> attacks, I guess we are not the only ones seeing them. Apart from a
>> (D)DOS effect we cannot yet understand another main goal behind them
>> (since they have no amplification effect). If you can provide any
>> pointers or findings for them please share.
> See the NANOG thread starting here:
> An interesting observation made here:
> I don't necessarily agree - as far as I can see the traffic is one-way
> and that seems strange for botnet control traffic.
> In any case - we see quite a bit of these queries. The domains used are
> changing rapidly, but are almost always "nonsense-looking" domains.
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
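
The capture analysis described in the thread (many queries for random subdomains of a few specific domains) can be approximated with the sketch below. It is an added example, not code from any poster on this list; the two-label zone split, the thresholds and the sample query names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def label_entropy(text):
    """Shannon entropy of a string, in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_zone(qname, zone_labels=2):
    """Split a query name into (zone, prefix).
    Assumption: the zone is the last two labels; production code would
    consult the Public Suffix List instead."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) <= zone_labels:
        return None, None
    return ".".join(parts[-zone_labels:]), ".".join(parts[:-zone_labels])

def find_random_subdomain_targets(qnames, min_queries=5,
                                  min_unique_ratio=0.9, min_entropy=2.5):
    """Return {zone: (queries, distinct_prefixes, mean_entropy)} for zones
    whose queried prefixes are almost all unique and look random."""
    seen = defaultdict(list)
    for qname in qnames:
        zone, prefix = split_zone(qname)
        if zone:
            seen[zone].append(prefix)
    flagged = {}
    for zone, prefixes in seen.items():
        if len(prefixes) < min_queries:
            continue  # too few queries to judge
        distinct = set(prefixes)
        ratio = len(distinct) / len(prefixes)
        entropy = sum(label_entropy(p) for p in distinct) / len(distinct)
        if ratio >= min_unique_ratio and entropy >= min_entropy:
            flagged[zone] = (len(prefixes), len(distinct), round(entropy, 2))
    return flagged

# Constructed sample: query names as they might be pulled from a capture.
SAMPLE_QNAMES = [
    "qhzkxwpdmtrv.target.example.", "www.shop.example.",
    "ynbgfcuelaos.target.example.", "mail.shop.example.",
    "kdjwqpzmxhtb.target.example.", "www.shop.example.",
    "rvmcyoeqzgla.TARGET.example.", "api.shop.example.",
    "ixtsbhwnfukd.target.example.", "www.shop.example.",
    "ozpelgjyrcma.target.example.", "mail.shop.example.",
    "www.shop.example.",
]

if __name__ == "__main__":
    for zone, info in find_random_subdomain_targets(SAMPLE_QNAMES).items():
        print(zone, info)
```

On a resolver this would run over the query names from a capture or query log; a zone with ordinary traffic (repeated www, mail, api lookups) falls below the uniqueness threshold and is not reported.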