[dns-operations] Reply: Questions about 13-character pseudo-random query storms
张在峰
zhangzaifeng at 360.cn
Thu Oct 11 02:44:38 UTC 2018
Hi Matthias,
I'm the author of the blog which you mentioned :-)
We are maintaining a DGA database (https://data.netlab.360.com/dga/)
As expected, the random domain name mentioned by Jacob does not appear in our database.
So, @Jacob, could you provide more details about the pseudo-random domains? Such as the TLD and more random domain names.
Maybe we can find more clues through our Passivedns database (https://Passivedns.cn).
Cheers
--------
Zhang Zaifeng
Network Security Research Lab, QIHOO 360
Email: zhangzaifeng at 360.cn
Phone: +86 13520348533
-----Original Message-----
From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Matthias Seitz
Sent: October 10, 2018 19:28
To: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] Questions about 13-character pseudo-random query storms
Hi Jacob,
DGA domains are also used in ad networks / cryptojacking, see
http://blog.netlab.360.com/who-is-stealing-my-power-iii-an-adnetwork-company-case-study-en/
For the current (hourly generated) DGA list in the above article, see
https://github.com/Yhonay/antipopads/blob/master/popads.txt
Cheers,
Matthias
On 09.10.18 22:50, Jake Zack wrote:
> Hey all,
>
> CIRA is seeing a spike in 13-character pseudo-random queries for two of the ~40 TLDs we host on our anycast platform.
>
> 1) The goal likely isn’t of a DDoS nature as the volumes are too small and steady.
>
> We’re talking < 15,000 qps total across two clouds with nodes in a dozen+ sites.
>
> 2) This has been going on for at least two weeks.
>
> This didn’t hit the threshold for alerting, so it largely went unnoticed until our Hadoop team doing analytics and monthly reports pointed it out.
>
> 3) The traffic appears to be mostly sourced from Europe.
>
> Our sites in Europe in each of our clouds are taking about 90% of these DNS queries.
>
> A check of the IPs hitting our servers in Europe shows European ownership for all of the heavy-hitters.
>
> 4) The queries do not appear to be spoofed.
>
> We see the same “random” query string from 2 or 3 IPs in the same subnet in quick succession, from which we see non-pseudorandom queries, which would indicate standard use of a legit set of recursive DNS servers. The vast majority are not open resolvers.
>
> 5) The same “random” string appears occasionally in the query sets for each of the TLDs in question.
>
> Example: ff5ae6d7e1981.<TLD>, 788c439b7adf3.<TLD>
>
> This very much feels like your standard malware using DNS domain generation algorithms for C&C. Am I missing anything, or is my deduction likely correct?
>
> Anyone else seeing activity like this sourced almost exclusively from Europe in its geographic distribution?
>
> I’m guessing it’s not worth contacting the recursive server operators at this non-impacting volume, but I’d like to rule out any other motivations besides malware C&C.
>
> Thanks all,
>
> -Jacob Zack
>
> DNS Architect – CIRA (.CA TLD)
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
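A small triage script for the pattern Jacob describes, added here as an illustration and not part of any message in the thread. It assumes the storm labels are 13 lowercase hex characters (matching the two examples given) and a constructed log format of epoch, source IP and query name; it groups suspect labels by source /24 and by TLD, mirroring points 4 and 5 of the original post.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the storm labels are 13 lowercase hex characters, as in the two
# examples in the thread; widen the pattern if the live traffic differs.
SUSPECT_LABEL = re.compile(r"^[0-9a-f]{13}$")

# Constructed sample query-log lines (not real CIRA data): "<epoch> <src_ip> <qname>"
SAMPLE_LOG = """\
1539100000 192.0.2.10 ff5ae6d7e1981.example
1539100001 192.0.2.11 ff5ae6d7e1981.example
1539100001 192.0.2.11 www.bank.example
1539100002 192.0.2.12 ff5ae6d7e1981.example
1539100003 198.51.100.7 788c439b7adf3.example
1539100004 198.51.100.7 788c439b7adf3.test
1539100005 203.0.113.5 ns1.isp.example
1539100006 203.0.113.5 thisisnothex1.example
"""

def split_qname(qname):
    """Return (label_under_tld, tld) for a query name, lower-cased."""
    labels = qname.rstrip(".").lower().split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (None, None)

def is_suspect(qname):
    """True if the label directly under the TLD matches the 13-char hex pattern."""
    label, _ = split_qname(qname)
    return label is not None and SUSPECT_LABEL.match(label) is not None

def analyze(log_text):
    """Return (label -> source IPs, labels seen under >1 TLD, labels seen from
    >=2 distinct IPs in one /24). The last two mirror Jacob's points 5 and 4:
    the same string across TLDs, and clusters of real (non-spoofed) resolvers."""
    ips = defaultdict(set)
    tlds = defaultdict(set)
    subnets = defaultdict(lambda: defaultdict(set))  # label -> /24 -> IPs
    for line in log_text.splitlines():
        _, src, qname = line.split()
        if not is_suspect(qname):
            continue
        label, tld = split_qname(qname)
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        ips[label].add(src)
        tlds[label].add(tld)
        subnets[label][net].add(src)
    multi_tld = {l for l, t in tlds.items() if len(t) > 1}
    clustered = {l for l, nets in subnets.items()
                 if any(len(s) >= 2 for s in nets.values())}
    return dict(ips), multi_tld, clustered
```

Labels that are both clustered within a /24 and repeated across TLDs are the ones worth handing to a DGA feed such as the one Zhang mentions; everything else stays at the observation stage.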