[dns-operations] what's ongoing with WEBEX and dot queries

Joelle Maslak jmaslak at antelope.net
Sat Jun 8 23:09:23 UTC 2019


Do you respond to these queries with a large response (you might want to
check).  If you do, it may be a forged source packet asking for . so that
your server sends a large "response" to WebEX, amplifying the bandwidth of
the attacker.

On Sat, Jun 8, 2019 at 1:49 PM Mayer Hans <Hans.Mayer at iiasa.ac.at> wrote:

>
> Dear All,
>
> Since 2019 06 05 around 10:00 UTC I see a much higher number of queries to
> our name servers for top level dot (.)
> This happened before too from anywhere but with an amount of queries of 5
> to 10 times per day. Now we are in a range of average 2000 queries per hour
> up to 7200 queries per  hour.
>
>
> Interesting is that only one of our  4 DNS server is used for these
> queries.
>
> All these remote IP’s are coming from WEBEX. A reverse lookup ends with
> something.webex.com
> The geo-locations are limited to 4 destinations
> US, San Jose
> Netherlands
> Repulic of Singapore, Singapore
> China, Beijing
>
> Did anyone else register this obviously misconfigured DNS from Webex ?
>
>
> Kind regards
> Hans
>
>>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190608/879fe74a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2019-06-08 at 21.19.25.png
Type: image/png
Size: 39187 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190608/879fe74a/attachment.png>


More information about the dns-operations mailing list