[dns-operations] Botnets, botnets everywhere

Peter Andreev andreev.peter at gmail.com
Thu Sep 11 12:38:25 UTC 2014


We run a public resolver and a few days ago I noticed a lot of very
weird queries, like the following:

16:11:41.450794 IP > 42580+ A?
swfjwvtkhqx.www.feile8888.com. (47)
16:11:41.450796 IP > 37269+ [1au]
A? izhsccxedub.www.feile666.com. (57)

For the total amount of SLDs of 11, the only common in those queries
are random labels on the left side. One of those SLDs is an
online-shop, another is online-casino, so I concluded that our
resolver is being used to bombard NSes of corresponding SLDs with
I'd like to ask the respected community, how do you detect and protect
against such activity? Will RRL help me if all suspected queries come
with random qname?

Thank you in advance.

Is there any problem Exterminatus cannot solve? I have not found one yet.

More information about the dns-operations mailing list