[dns-operations] Botnets, botnets everywhere

Peter Andreev andreev.peter at gmail.com
Thu Sep 11 12:38:25 UTC 2014


Hello,

We run a public resolver and a few days ago I noticed a lot of very
weird queries, like the following:

16:11:41.450794 IP 217.195.66.253.37426 > 62.76.76.62.53: 42580+ A?
swfjwvtkhqx.www.feile8888.com. (47)
16:11:41.450796 IP 91.209.124.75.50584 > 62.76.76.62.53: 37269+ [1au]
A? izhsccxedub.www.feile666.com. (57)

Of the 11 SLDs in total, the only thing those queries have in common
is the random labels on the left side. One of those SLDs is an
online shop, another an online casino, so I concluded that our
resolver is being used to bombard the NSes of the corresponding SLDs
with queries.
I'd like to ask the respected community: how do you detect and protect
against such activity? Will RRL help me if all suspected queries come
with random qnames?

Thank you in advance.

-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.



More information about the dns-operations mailing list