[dns-operations] Questions about 13-character pseudo-random query storms
Jake Zack
jake.zack at cira.ca
Tue Oct 9 20:50:11 UTC 2018
Hey all,
CIRA is seeing a spike in 13-character pseudo-random queries for two of the ~40 TLD's we host on our anycast platform.
1) The goal likely isn't of a DDoS nature as the volumes are too small and steady.
We're talking < 15,000 qps total across two clouds with nodes in a dozen+ sites.
2) This has been going on for at least two weeks.
This didn't hit the threshold for alerting, so it largely went unnoticed until our Hadoop team doing analytics and monthly reports pointed it out.
3) The traffic appears to be mostly sourced from Europe.
Our sites in Europe in each of our clouds are taking about 90% of these DNS queries.
A check of the IP's hitting our servers in Europe show European ownership for all of the heavy-hitters.
4) The queries do not appear to be spoofed.
We see the same "random" query string from 2 or 3 IP's in the same subnet in quick succession, from which we see non-pseudorandom queries, which would indicate standard use of a legit set of recursive DNS servers. Vast majority are not open resolvers.
5) The same "random" string appears occasionally in the query sets for each of the TLD's in question.
Example: ff5ae6d7e1981.<TLD>, 788c439b7adf3.<TLD>
This very much feels like your standard malware using DNS domain generation algorithms for C&C. Am I missing anything, or is my deduction likely correct?
Anyone else seeing activity like this sourced almost exclusively from Europe in it's geographic distribution?
I'm guessing it's not worth contacting the recursive server operators at this non-impacting volume, but I'd like to rule out any other motivations besides malware C&C.
Thanks all,
-Jacob Zack
DNS Architect - CIRA (.CA TLD)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20181009/830d8bb0/attachment.html>
More information about the dns-operations
mailing list