[dns-operations] Botnets, botnets everywhere

sthaug at nethelp.no sthaug at nethelp.no
Thu Sep 11 20:26:34 UTC 2014


> Although the attack could be done with a botnet or by reflecting traffic
> off end-user equipment, many of the attacks I have seen involve source
> IP spoofing. I deduce this by noting that a fairly large percentage of
> the traffic comes from blocks of IPs that are not currently routed on
> the open Internet.

What I see is typically a mix of obviously spoofed (non-routed) and
routed addresses. The routed addresses may also be spoofed - but this
is much harder to determine.

E.g. the following snippet from my borders, where N indicates non-routed
source address and the 195.204.57.* hosts are CPEs with open DNS proxies:

  21:55:46.739163 IP 53.48.96.141.51437 > 195.204.57.162.53: 35936+ A? kvudwxmqder.www.dafa888789.com. (48)
  21:55:46.796523 IP 55.163.252.238.27190 > 195.204.57.164.53: 60924+ A? mtkvc.dafa888567.com. (38)
N 21:55:46.850267 IP 102.106.11.104.54844 > 195.204.57.162.53: 26379+ A? nopqefguvwxyz.dafa888567.com. (46)
  21:55:46.863560 IP 64.25.179.88.12684 > 195.204.57.162.53: 22451+ A? qofrmtalrde.www.dafa888789.com. (48)
N 21:55:46.942008 IP 11.217.253.15.4803 > 195.204.57.164.53: 3837+ A? oxhbpbd.dafa888678.com. (40)
  21:55:47.096952 IP 14.75.14.130.10520 > 195.204.57.162.53: 33038+ A? abpqeftuiwxyz.dafa888678.com. (46)
  21:55:47.118716 IP 70.34.188.220.18210 > 195.204.57.176.53: 56252+ A? oxcfidszqpunuf.dafa888567.com. (47)
  21:55:47.161832 IP 41.103.81.228.41650 > 195.204.57.164.53: 58193+ A? dcyhjqf.www.dafa888789.com. (44)
  21:55:47.277108 IP 41.100.100.63.46343 > 195.204.57.162.53: 15972+ A? abcdrfthiwkyz.dafa888567.com. (46)
  21:55:47.343137 IP 53.165.159.154.2278 > 195.204.57.162.53: 39327+ A? ttvpzgrpncilyhb.dafa888567.com. (48)
  21:55:47.369258 IP 68.15.126.166.1222 > 195.204.57.164.53: 42366+ A? hjghdju.dafa888678.com. (40)
N 21:55:47.386443 IP 101.35.159.246.26686 > 195.204.57.162.53: 62879+ A? j.dafa888567.com. (34)
N 21:55:47.388156 IP 21.212.28.24.17856 > 195.204.57.162.53: 5916+ A? v.dafa888567.com. (34)
  21:55:47.415251 IP 18.82.142.16.45236 > 195.204.57.164.53: 3982+ A? bymbjomwk.dafa888678.com. (42)

However - whether the source address is spoofed or not, in the end it
still generates the same attack on the authoritative name servers (in
this case ns1.haodns.in and ns2.haodns.in, as far as I can see).

> I wonder the extent to which the end-user equipment is being blamed when
> it's just routed IPs which are being used.

I don't really see a contradiction between CPEs with open DNS proxies and
DNS queries from routed IPs.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
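As an added example (not part of the post or the list), a Python script that parses tcpdump lines like the ones above, flags sources that fall in a caller-supplied list of unrouted prefixes, counts which open proxies are being abused, and checks the per-zone name diversity that marks this kind of random-subdomain attack. The UNROUTED prefix list is an assumption constructed to reproduce the post's N markers and stands in for a live routing-table lookup.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: eight of the tcpdump lines from the post. The leading "N" is
# the poster's own annotation; the parser skips it and classifies independently.
SAMPLE = """\
  21:55:46.739163 IP 53.48.96.141.51437 > 195.204.57.162.53: 35936+ A? kvudwxmqder.www.dafa888789.com. (48)
  21:55:46.796523 IP 55.163.252.238.27190 > 195.204.57.164.53: 60924+ A? mtkvc.dafa888567.com. (38)
N 21:55:46.850267 IP 102.106.11.104.54844 > 195.204.57.162.53: 26379+ A? nopqefguvwxyz.dafa888567.com. (46)
N 21:55:46.942008 IP 11.217.253.15.4803 > 195.204.57.164.53: 3837+ A? oxhbpbd.dafa888678.com. (40)
  21:55:47.096952 IP 14.75.14.130.10520 > 195.204.57.162.53: 33038+ A? abpqeftuiwxyz.dafa888678.com. (46)
  21:55:47.161832 IP 41.103.81.228.41650 > 195.204.57.164.53: 58193+ A? dcyhjqf.www.dafa888789.com. (44)
N 21:55:47.386443 IP 101.35.159.246.26686 > 195.204.57.162.53: 62879+ A? j.dafa888567.com. (34)
N 21:55:47.388156 IP 21.212.28.24.17856 > 195.204.57.162.53: 5916+ A? v.dafa888567.com. (34)
"""
# Assumption: stand-in for a routing-table snapshot, chosen so the demo reproduces
# the post's N markers; not a claim about current allocation. Use a live BGP feed in practice.
UNROUTED = [ipaddress.ip_network(p)
            for p in ("11.0.0.0/8", "21.0.0.0/8", "101.35.0.0/16", "102.0.0.0/8")]

LINE_RE = re.compile(
    r"^N?\s*(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)\+ A\? (?P<qname>\S+) \((?P<len>\d+)\)$")

def parse_line(line):
    """Parse one tcpdump DNS query line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["qname"] = d["qname"].rstrip(".")
    d["zone"] = ".".join(d["qname"].split(".")[-2:])  # registered domain, e.g. dafa888567.com
    d["unrouted"] = any(ipaddress.ip_address(d["src"]) in net for net in UNROUTED)
    return d

def summarize(text):
    """Count spoofed-looking sources, abused CPEs, and per-zone name diversity."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    names = defaultdict(set)
    for r in recs:
        names[r["zone"]].add(r["qname"])
    return {
        "queries": len(recs),
        "unrouted": sum(r["unrouted"] for r in recs),
        "targets": Counter(r["dst"] for r in recs),  # which open proxies are abused
        "queries_per_zone": Counter(r["zone"] for r in recs),
        # unique == queries: nothing is cacheable, every query hits the authoritatives
        "unique_per_zone": {z: len(n) for z, n in names.items()},
    }
```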