[dns-operations] Sporadic but noticeable SERVFAILs [attack with random subdomains of specific domains]

abang abang at t-ipnet.net
Thu Mar 20 09:35:57 UTC 2014


Interesting document in this context:

http://people.cs.vt.edu/danfeng/papers/journal-DNS-CC.pdf


On 08.03.2014 21:21, sthaug at nethelp.no wrote:
>> - our main issue was that we were being attacked. The attack was hard
>>    enough to DOS our servers at times.
>>    Open resolvers in our network were utilized to produce large amounts
>>    of queries with random subdomains of specific domains. Analyzing a
>>    small capture we noticed the following domains, but the list should
>>    not be considered complete I guess
>>
>>    www.jxoyjt.com.cn
>>    liebiao.81ypf.com
>>    yuerengu.com.cn
>>    www.lgsf.net
>>    www.xxcfsb.com
>>    lie.zz85.com
>>    www.9009pk.com
>>    www.bcbang.com
>>   
>> I haven't caught up with probable discussions on this list about these
>> attacks, I guess we are not the only ones seeing them. Apart from a
>> (D)DOS effect we cannot yet understand another main goal behind them
>> (since they have no amplification effect). If you can provide any
>> pointers or findings for them please share.
> See the NANOG thread starting here:
>
>      http://mailman.nanog.org/pipermail/nanog/2014-February/064530.html
>
> An interesting observation made here:
>
>     http://mailman.nanog.org/pipermail/nanog/2014-February/064568.html
>
> I don't necessarily agree - as far as I can see the traffic is one-way
> and that seems strange for botnet control traffic.
>
> In any case - we see quite a bit of these queries. The domains used are
> changing rapidly, but are almost always "nonsense-looking" domains.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
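As an added illustration from the resolver operator's side (not code from this thread or from any of the posters), the script below scans resolver query-log lines for the pattern described above: many distinct, random-looking leftmost labels under one parent name. The log lines are constructed, and the thresholds and log format are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of resolver query-log lines (abbreviated BIND-style
# "queries" format): random labels under fixed parents, plus ordinary queries.
SAMPLE_LOG = """\
client 192.0.2.10#5353: query: k3j9x0qa.www.jxoyjt.com.cn IN A + (198.51.100.1)
client 192.0.2.11#5353: query: p7m2ze1b.www.jxoyjt.com.cn IN A + (198.51.100.1)
client 192.0.2.12#5353: query: 4fq8rtn6.www.jxoyjt.com.cn IN A + (198.51.100.1)
client 192.0.2.10#5353: query: ch5u9dw3.www.jxoyjt.com.cn IN A + (198.51.100.1)
client 192.0.2.13#5353: query: zy2b7e0h.www.jxoyjt.com.cn IN A + (198.51.100.1)
client 192.0.2.14#5353: query: www.example.com IN A + (198.51.100.1)
client 192.0.2.14#5353: query: mail.example.com IN MX + (198.51.100.1)
client 192.0.2.15#5353: query: q8n4r1ty.lie.zz85.com IN A + (198.51.100.1)
client 192.0.2.15#5353: query: h2e9s5bc.lie.zz85.com IN A + (198.51.100.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def labels_by_parent(log_text):
    """Map each immediate parent name to the distinct leftmost labels queried
    under it; grouping on the parent avoids needing a public-suffix list."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if "." in qname:
            first, parent = qname.split(".", 1)
            labels[parent].add(first)
    return labels

def find_random_subdomain_targets(log_text, min_distinct=4, min_entropy=2.5):
    """Flag parents that receive many distinct, high-entropy leftmost labels,
    the signature of a random-subdomain flood. Thresholds are illustrative."""
    hits = {}
    for parent, labels in labels_by_parent(log_text).items():
        if len(labels) >= min_distinct:
            mean_h = sum(label_entropy(l) for l in labels) / len(labels)
            if mean_h >= min_entropy:
                hits[parent] = (len(labels), round(mean_h, 2))
    return hits
```

On the sample above only www.jxoyjt.com.cn crosses both thresholds; lowering min_distinct also surfaces lie.zz85.com, while example.com stays below the entropy bar. Flagged parents are candidates for per-zone rate limiting or a negative-cache policy, not an automatic block.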