[dns-operations] Questions about 13-character pseudo-random query storms
Matthias Seitz
matthias.seitz at switch.ch
Wed Oct 10 11:28:06 UTC 2018
Hi Jacob,
DGA domains are also used in ad networks / cryptojacking, see
http://blog.netlab.360.com/who-is-stealing-my-power-iii-an-adnetwork-company-case-study-en/
For the current (hourly generated) DGA list in the above article, see
https://github.com/Yhonay/antipopads/blob/master/popads.txt
Cheers,
Matthias
On 09.10.18 22:50, Jake Zack wrote:
> Hey all,
>
> CIRA is seeing a spike in 13-character pseudo-random queries for two of
> the ~40 TLDs we host on our anycast platform.
>
> 1) The goal likely isn’t of a DDoS nature as the volumes are too small
> and steady.
>
> We’re talking < 15,000 qps total across two clouds with nodes in a
> dozen+ sites.
>
> 2) This has been going on for at least two weeks.
>
> This didn’t hit the threshold for alerting, so it largely went unnoticed
> until our Hadoop team doing analytics and monthly reports pointed it out.
>
> 3) The traffic appears to be mostly sourced from Europe.
>
> Our sites in Europe in each of our clouds are taking about 90% of these
> DNS queries.
>
> A check of the IPs hitting our servers in Europe shows European
> ownership for all of the heavy-hitters.
>
> 4) The queries do not appear to be spoofed.
>
> We see the same “random” query string from 2 or 3 IPs in the same subnet
> in quick succession, from which we see non-pseudorandom queries, which
> would indicate standard use of a legit set of recursive DNS servers.
> Vast majority are not open resolvers.
>
> 5) The same “random” string appears occasionally in the query sets for
> each of the TLDs in question.
>
> Example: ff5ae6d7e1981.<TLD>, 788c439b7adf3.<TLD>
>
> This very much feels like your standard malware using DNS domain
> generation algorithms for C&C. Am I missing anything, or is my deduction
> likely correct?
>
> Anyone else seeing activity like this sourced almost exclusively from
> Europe in its geographic distribution?
>
> I’m guessing it’s not worth contacting the recursive server operators at
> this non-impacting volume, but I’d like to rule out any other motivations
> besides malware C&C.
>
> Thanks all,
>
> -Jacob Zack
>
> DNS Architect – CIRA (.CA TLD)
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
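As an added example (not part of either message), here is a small Python script that applies the heuristics in Jacob's points 4 and 5 to a constructed query log: flag 13-character hex-looking labels directly under the TLD, group them by source /24 (or /64) so repeats from neighbouring resolvers stand out, and list labels that recur under more than one TLD. The "source_ip qname" log format and the RFC 5737 addresses are assumptions, not CIRA's data.

```python
import math
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample query log ("source_ip qname"), RFC 5737 addresses,
# not real CIRA traffic. Two neighbouring resolvers ask for the same label,
# and one label shows up under two different TLDs.
SAMPLE_LOG = """\
192.0.2.10 ff5ae6d7e1981.example
192.0.2.11 ff5ae6d7e1981.example
192.0.2.12 www.example
192.0.2.10 ff5ae6d7e1981.test
198.51.100.5 788c439b7adf3.example
198.51.100.6 788c439b7adf3.example
203.0.113.9 mail.test
203.0.113.9 aaaaaaaaaaaaa.test
"""

HEX13 = re.compile(r"^[0-9a-f]{13}$")

def shannon_entropy(s):
    """Bits per character; 13 random hex chars land roughly between 3.2 and 3.7."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def is_suspect(label, min_entropy=3.0):
    """13 hex characters with enough entropy to rule out e.g. 'aaaaaaaaaaaaa'."""
    return bool(HEX13.match(label)) and shannon_entropy(label) >= min_entropy

def analyse(log):
    """Group suspect second-level labels by the TLDs and subnets they came from."""
    seen = defaultdict(lambda: {"tlds": set(), "subnets": set()})
    for line in filter(None, log.splitlines()):
        src, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 2 or not is_suspect(labels[-2]):
            continue
        prefix = 24 if ip_address(src).version == 4 else 64
        subnet = ip_network(f"{src}/{prefix}", strict=False)
        seen[labels[-2]]["tlds"].add(labels[-1])
        seen[labels[-2]]["subnets"].add(str(subnet))
    return seen

def cross_tld_labels(seen):
    """Labels that recur under more than one TLD, as in Jacob's point 5."""
    return {label for label, info in seen.items() if len(info["tlds"]) > 1}
```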