Interesting increase in query volumes
Juselius Juhani
juhani.juselius at traficom.fi
Thu Nov 25 07:54:10 UTC 2021
Hello everybody
.FI registry met with a new phenomenon last September, when query volumes to our .FI root servers grew dramatically 100%-300%.
So far we have learned:
- Increase in number of queries can be seen in all globally distributed .FI root nameservers
- We estimate the total increase is about 1-2 billion extra queries per day
- Queries concern mostly (if not all) randomly generated 5 character .fi domains which do not exist
- Inbound queries are UDP queries but outbound replies are TCP because of the DNSSEC signature
- Source addresses of queries are within big clouds, like for example Microsoft Azure as the biggest single source
We have been in touch with Microsoft abuse, but they didn't help us much. They confirmed that queries are really from their networks, but they were unwilling to reveal who is the source of those queries or what is the service they are related to.
We have also been contacted by two internet users from different continents who report to us a significant amount of spam being sent (sender address) from - you might guess - random 5 character .fi domains. The headers of the spam messages that we have received from those two internet users have much in common.
So we are asking your opinions:
- Is this about spam?
- Or does the TCP return packet from our nameservers indicate that we are being used as an amplifier for a DoS?
- How could we get more information regarding the source of the traffic?
- Is there anything we could do about the traffic?
Thanks in advance,
Juhani Juselius
.FI registry
Finnish Transport and Communications Agency Traficom
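As an added defender-side example (not part of Juhani's post or any registry tooling), the script below triages the pattern described above: it parses BIND-style query log lines (a constructed sample with documentation-range addresses), flags queries for 5-character labels directly under .fi, aggregates them per source /24 (or /48 for IPv6) so the dominating source networks stand out, and counts how many of those queries set the DNSSEC DO bit, which is what makes the signed NXDOMAIN responses large.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed BIND-style query log lines; sources and names are hypothetical.
# BIND flag field: '+'/'-' = RD set/clear, E = EDNS, D = DO bit, T = over TCP.
SAMPLE_LOG = """\
25-Nov-2021 07:50:01.101 client 203.0.113.7#53211: query: kq7zx.fi IN A -ED (192.0.2.1)
25-Nov-2021 07:50:01.102 client 203.0.113.7#53212: query: p9vtr.fi IN A -ED (192.0.2.1)
25-Nov-2021 07:50:01.104 client 203.0.113.9#41000: query: x2mq8.fi IN MX -ED (192.0.2.1)
25-Nov-2021 07:50:01.110 client 198.51.100.4#50000: query: traficom.fi IN A -E (192.0.2.1)
25-Nov-2021 07:50:01.111 client 203.0.113.20#52000: query: ns1.example.fi IN AAAA -E (192.0.2.1)
25-Nov-2021 07:50:01.120 client 203.0.113.21#52001: query: a1b2c.fi IN A -ED (192.0.2.1)
"""

LINE_RE = re.compile(r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")
# Heuristic from the report: exactly five alphanumeric characters, directly under .fi.
RANDOM5_RE = re.compile(r"^[a-z0-9]{5}\.fi$", re.IGNORECASE)


def parse_line(line):
    """Return a dict with src, qname, qtype, do_bit and tcp, or None for non-query lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["do_bit"] = "D" in rec["flags"]
    rec["tcp"] = "T" in rec["flags"]
    return rec


def is_random5_fi(qname):
    return RANDOM5_RE.match(qname.rstrip(".")) is not None


def summarize(log_text, v4_prefix=24, v6_prefix=48):
    """Per source prefix: total queries, suspected random-label .fi queries, and how many of those set DO."""
    per_prefix = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        plen = v4_prefix if ip_address(rec["src"]).version == 4 else v6_prefix
        key = str(ip_network(f"{rec['src']}/{plen}", strict=False))
        per_prefix[key]["total"] += 1
        if is_random5_fi(rec["qname"]):
            per_prefix[key]["random5"] += 1
            if rec["do_bit"]:
                per_prefix[key]["random5_do"] += 1
    return {k: dict(v) for k, v in per_prefix.items()}


def suspicious_prefixes(log_text, min_random=2, min_share=0.5):
    """Prefixes where random-label queries are both numerous and the majority of what that network sends."""
    return sorted(k for k, c in summarize(log_text).items()
                  if c.get("random5", 0) >= min_random and c["random5"] / c["total"] >= min_share)
```

Query logs carry no response code, so confirm the flagged names really are NXDOMAIN (from response logs or dnstap) before treating a prefix as a source to report to its abuse contact.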
HEADER:
Received: from TYWP286MB2124.JPNP286.PROD.OUTLOOK.COM (2603:1096:400:173::12)
by OS3P286MB2011.JPNP286.PROD.OUTLOOK.COM with HTTPS; Wed, 3 Nov 2021
10:53:16 +0000
Received: from AM6P191CA0059.EURP191.PROD.OUTLOOK.COM (2603:10a6:209:7f::36)
by TYWP286MB2124.JPNP286.PROD.OUTLOOK.COM (2603:1096:400:173::12) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Wed, 3 Nov
2021 10:53:14 +0000
Received: from AM6EUR05FT048.eop-eur05.prod.protection.outlook.com
(2603:10a6:209:7f:cafe::63) by AM6P191CA0059.outlook.office365.com
(2603:10a6:209:7f::36) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15 via Frontend
Transport; Wed, 3 Nov 2021 10:53:13 +0000
Authentication-Results: spf=none (sender IP is 40.84.236.227)
smtp.mailfrom=Omx5w.fi; live.com.au; dkim=none (message not signed)
header.d=none;live.com.au; dmarc=none action=none
header.from=f6RXP.fi;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: Omx5w.fi does not designate
permitted sender hosts)
Received: from awf231.merrell.pl (40.84.236.227) by
AM6EUR05FT048.mail.protection.outlook.com (10.233.241.223) with Microsoft
SMTP Server id 15.20.4669.10 via Frontend Transport; Wed, 3 Nov 2021 10:53:12
+0000
X-IncomingTopHeaderMarker:
OriginalChecksum:AB786AAE28E1806D2B81B5AFA26664F06267A531880726FBDB725453A6834183;UpperCasedChecksum:ED043C1E1BF2029D3B11935489E9AD7A5AF5C967BABABA12C3DA6FC2FA125FB2;SizeAsReceived:369;Count:11
From: Lowes✔️<f6RXP at f6RXP.fi>
Subject: Attn: Your Monthly Lowes Voucher Statement Has Arrived #7112118060✔️
To: <"michaellund at live.com.au">
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"
Date: Tue, 02 Nov 2021 13:19:28 +0000
drop_meta: 36317|93355
X-IncomingHeaderCount: 11
Message-ID:
<54499e56-0675-4fc9-ad7b-3682bce41ade at AM6EUR05FT048.eop-eur05.prod.protection.outlook.com>
Return-Path: Omx5w at Omx5w.fi
X-MS-Exchange-Organization-ExpirationStartTime: 03 Nov 2021 10:53:12.3081
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
4eb408ed-ee76-44f7-a2b2-08d99eb82183
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource:
AM6EUR05FT048.eop-eur05.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 11/3/2021 9:11:34 AM
X-MS-Office365-Filtering-Correlation-Id: 4eb408ed-ee76-44f7-a2b2-08d99eb82183
X-MS-TrafficTypeDiagnostic: TYWP286MB2124:
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 40.84.236.227
X-SID-PRA: F6RXP at F6RXP.FI
X-SID-Result: NONE
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-Exchange-Organization-SCL: 5
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Nov 2021 10:53:12.1912
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4eb408ed-ee76-44f7-a2b2-08d99eb82183
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource:
AM6EUR05FT048.eop-eur05.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYWP286MB2124
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.9326302
X-MS-Exchange-Processed-By-BccFoldering: 15.20.4669.011
X-Message-Flag: Flag for follow up
Importance: high
X-Priority: 1
X-Microsoft-Antispam-Mailbox-Delivery:
abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000284)(90000117)(90005022)(91005020)(91035115)(5061607266)(5061608174)(9050020)(9100337)(4900116)(2008001134)(2008000189)(2008010094)(2008120379)(2008019284)(2008020189)(2008070189)(2008130189)(2008160189)(2008021020)(2021020060)(98390106)(58390106)(8390246)(8377080)(8386120)(8376100)(8403086)(338374011)(338373011)(4910005)(9610002)(9560004)(9320001)(9250002)(4920091)(6394003)(4960004)(4950132)(4990091)(9140004);RF:JunkEmail;
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
MIME-Version: 1.0
EMAIL:
________________________________________
From: Lowes✔️ <f6RXP at f6RXP.fi>
Sent: Tuesday, 2 November 2021 11:19 PM
To: "michaellund at live.com.au"
Subject: Attn: Your Monthly Lowes Voucher Statement Has Arrived #7112118060✔️
Congratulations michaellund - Lowes Has A Big Suprise For You!
If you cannot see the images below, click here.
If you no longer wish to receive these emails, you may unsubscribe by clicking here or by writing to 6130 W Flamingo Rd. Las Vegas, NV 89103
click here to remove yourself from our emails lists or write to: 2828 Scenic Way
Rossville, IL 60963