[dns-operations] Botnets, botnets everywhere
sthaug at nethelp.no
Thu Sep 11 17:53:56 UTC 2014
> Our current thinking (based on evidence from some of our customers, and
> also from Nominum's analysis presented at the Warsaw DNS-OARC workshop
> earlier this year) is that the majority of these recent query spates are
> intended as an attack on the domain (e.g. feile8888.com) or the
> nameserver hosting it. Once overwhelmed with query traffic, the DNS
> servers cease responding, or only respond sporadically.
Being responsible for the recursive name servers for a large
Norwegian ISP, I see these attacks on a more or less daily basis,
mostly due to CPEs with DNS proxies open towards the Internet.
I am reasonably sure that the attack is on the authoritative name
servers, and not on the domains as such. This conclusion is based
on the following (which is obviously not *proof*):
- Some of the domains have only been registered a few days before an
attack starts.
- There are obvious similarities in the non-random part of many of
these domain names which seems to indicate that they are *generated*,
e.g.
www.6644qq.com
www.6644se.com
www.6655pp.com
www.6655qq.com
www.667788.com
www.6688hh.com
www.6688pp.com
or
dafa888567.com
dafa888678.com
dafa888789.com
dafa888cg.com
dafa888vd.com
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
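An added example, not part of the original post and not any resolver vendor's code: a small Python script that applies the two heuristics above to a recursive resolver's query log. It flags registrable domains where almost every query carries a fresh prefix label (the random-subdomain flood a resolver operator sees when open CPE proxies relay the attack), and it clusters second-level labels by "shape" to surface the generated-looking families the post lists. The log lines are constructed, simplified BIND-style querylog entries; the two-label "registrable domain" rule, the thresholds and the shape heuristic are assumptions for illustration, not a standard.

```python
#!/usr/bin/env python3
"""Flag domains under random-subdomain query floods in a resolver query log
and cluster second-level labels that look machine-generated.
Added example; not from the original post or any resolver software."""
import re
from collections import defaultdict

# Constructed, simplified BIND-style querylog lines (not real traffic).
# 192.0.2.x stand in for CPE DNS proxies relaying random labels under two
# generated-looking zones; 203.0.113.5 is an ordinary client.
SAMPLE_LOG = """\
client 192.0.2.10#3074 (k3j9x1.dafa888567.com): query: k3j9x1.dafa888567.com IN A + (198.51.100.1)
client 192.0.2.10#3075 (q8c2z7.dafa888567.com): query: q8c2z7.dafa888567.com IN A + (198.51.100.1)
client 192.0.2.11#1812 (t0m4v5.dafa888567.com): query: t0m4v5.dafa888567.com IN A + (198.51.100.1)
client 192.0.2.11#1813 (bb7r2e.dafa888567.com): query: bb7r2e.dafa888567.com IN A + (198.51.100.1)
client 192.0.2.12#2201 (xx19ap.dafa888567.com): query: xx19ap.dafa888567.com IN A + (198.51.100.1)
client 192.0.2.12#2202 (h6n3k8.dafa888678.com): query: h6n3k8.dafa888678.com IN A + (198.51.100.1)
client 192.0.2.13#4410 (p1d9s4.dafa888678.com): query: p1d9s4.dafa888678.com IN A + (198.51.100.1)
client 192.0.2.13#4411 (z2w8l6.dafa888678.com): query: z2w8l6.dafa888678.com IN A + (198.51.100.1)
client 192.0.2.20#5353 (www.6644qq.com): query: www.6644qq.com IN A + (198.51.100.1)
client 192.0.2.20#5354 (www.6644qq.com): query: www.6644qq.com IN A + (198.51.100.1)
client 203.0.113.5#41234 (www.example.org): query: www.example.org IN AAAA + (198.51.100.1)
client 203.0.113.5#41235 (mail.example.org): query: mail.example.org IN MX + (198.51.100.1)
"""

# Domains quoted in the post, used to show the shape clustering.
POST_DOMAINS = [
    "www.6644qq.com", "www.6644se.com", "www.6655pp.com", "www.6655qq.com",
    "www.667788.com", "www.6688hh.com", "www.6688pp.com",
    "dafa888567.com", "dafa888678.com", "dafa888789.com",
    "dafa888cg.com", "dafa888vd.com",
]

# Tolerates both the old "client A.B.C.D#port" and the newer "client @0x... A.B.C.D#port" form.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def registrable(qname):
    """Last two labels. Simplification: a real deployment should use the
    Public Suffix List so that names under e.g. co.uk group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shape(label):
    """Digits -> '9', letters -> 'a': 6644qq and 6655pp both become 9999aa."""
    return "".join("9" if c.isdigit() else "a" if c.isalpha() else c for c in label)


def analyse(log_text, min_queries=1000, min_unique_ratio=0.8):
    """Per registrable domain: query count, distinct prefixes, distinct clients.
    A domain is a suspect when nearly every query carries a new prefix label,
    which is what a random-subdomain flood looks like from the resolver side."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        dom = registrable(qname)
        prefix = qname[: len(qname) - len(dom)].rstrip(".")
        s = stats[dom]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["clients"].add(m.group("src"))
    suspects = {}
    for dom, s in stats.items():
        ratio = len(s["prefixes"]) / s["queries"]
        if s["queries"] >= min_queries and ratio >= min_unique_ratio:
            suspects[dom] = {"queries": s["queries"],
                             "unique_ratio": round(ratio, 2),
                             "clients": len(s["clients"])}
    return dict(stats), suspects


def generated_clusters(domains):
    """Group second-level labels sharing shape and first two characters:
    the 'obvious similarities in the non-random part' the post describes."""
    groups = defaultdict(set)
    for dom in domains:
        reg = registrable(dom)
        sld = reg.split(".")[0]
        groups[(shape(sld), sld[:2])].add(reg)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def run_sample():
    """Thresholds lowered to fit the twelve-line sample; production values are
    orders of magnitude higher and must be tuned per resolver."""
    _, suspects = analyse(SAMPLE_LOG, min_queries=3)
    return suspects


if __name__ == "__main__":
    for dom, info in run_sample().items():
        print(f"suspect {dom}: {info}")
    for (shp, pfx), members in generated_clusters(POST_DOMAINS).items():
        print(f"shape {shp} prefix {pfx}: {members}")
```

On the sample, dafa888567.com and dafa888678.com are flagged (every query a new label, from several CPE sources), while www.6644qq.com repeated twice is not, since repeats of one name are what legitimate traffic looks like. The shape clustering puts the six 66xxyy names, the three dafa888 plus three digits names and the two dafa888 plus two letters names into three families; 667788.com stands alone. As the post says, none of this is proof: a popular CDN or a mail provider can also show many distinct labels, so treat the output as a list of candidates to inspect against registration dates and upstream response behaviour, not as an automatic block list.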