Interesting increase in query volumes

Juselius Juhani juhani.juselius at traficom.fi
Thu Nov 25 07:54:10 UTC 2021


Hello everybody

The .FI registry met with a new phenomenon last September, when query volumes to our .FI root servers grew dramatically, by 100%-300%.

So far we have learned:

- The increase in the number of queries can be seen on all globally distributed .FI root nameservers
- We estimate the total increase is about 1-2 billion extra queries per day
- Queries concern mostly (if not all) randomly generated 5-character .fi domains which do not exist
- Inbound queries are UDP queries but outbound replies are TCP because of the DNSSEC signature
- Source addresses of the queries are within big clouds, with for example Microsoft Azure as the biggest single source

We have been in touch with Microsoft abuse, but they didn't help us much. They confirmed that queries are really from their networks, but they were unwilling to reveal who is the source of those queries or what is the service they are related to.

We have also been contacted by two internet users from different continents who report to us a significant amount of spam that is being sent (according to the sender address) from - you might guess - random 5-character .fi domains. The headers of the spam messages that we have received from those two internet users have much in common.

So we are asking your opinions:

- Is this about spam?
- Or does the TCP return packet from our nameservers indicate that we are being used as an amplifier for a DoS?
- How could we get more information regarding the source of the traffic?
- Is there anything we could do about the traffic?

Thanks in advance,

Juhani Juselius
.FI registry
Finnish Transport and Communications Agency Traficom
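One way to put numbers on the questions above (how concentrated the random-label traffic is per source prefix, what amplification factor a spoofed source would receive, and whether the sources actually complete the TCP retry after a truncated UDP answer) is a small log analysis. The script below is an added example, not part of the original post and not .FI's own tooling: the query-log format, the labels and the client addresses (RFC 5737 documentation ranges) are all constructed for the example, so parse_log has to be adapted to the real server's query log or dnstap output.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of an authoritative server's query log: NOT real .FI data.
# One line per query/answer pair, with these space-separated fields (assumed format):
#   epoch_time client qname qtype proto rcode tc req_bytes resp_bytes
# Addresses come from the RFC 5737 documentation ranges; labels are invented.
SAMPLE_LOG = """\
1632000000.10 203.0.113.10 kq7zx.fi. A udp NXDOMAIN TC 36 512
1632000000.11 203.0.113.10 kq7zx.fi. A tcp NXDOMAIN - 36 1180
1632000000.20 203.0.113.11 p3m9a.fi. A udp NXDOMAIN TC 36 512
1632000000.21 203.0.113.11 p3m9a.fi. A tcp NXDOMAIN - 36 1180
1632000000.30 203.0.113.12 w8r2k.fi. MX udp NXDOMAIN TC 37 512
1632000000.40 198.51.100.7 example.fi. A udp NOERROR - 38 120
1632000000.50 198.51.100.9 traficom.fi. MX udp NOERROR - 40 200
1632000000.60 192.0.2.77 zz9qq.fi. A udp NXDOMAIN TC 36 512
1632000000.70 192.0.2.77 zz9qq.fi. A udp NXDOMAIN TC 36 512
"""

# The pattern the post describes: a single 5-character label directly under .fi.
RANDOM_FI = re.compile(r"^[a-z0-9]{5}\.fi\.$")


@dataclass
class Query:
    ts: float
    client: str
    qname: str
    qtype: str
    proto: str
    rcode: str
    truncated: bool
    req_bytes: int
    resp_bytes: int


def parse_log(text):
    """Parse the constructed log format above; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        records.append(Query(float(f[0]), f[1], f[2].lower(), f[3], f[4].lower(),
                             f[5], f[6] == "TC", int(f[7]), int(f[8])))
    return records


def is_suspect(q):
    """Random-looking 5-character .fi name that does not exist."""
    return q.rcode == "NXDOMAIN" and RANDOM_FI.match(q.qname) is not None


def prefix24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(queries, retry_window=2.0):
    suspects = [q for q in queries if is_suspect(q)]
    udp = [q for q in suspects if q.proto == "udp"]
    truncated = [q for q in udp if q.truncated]

    # Bytes the server sends per byte it receives over UDP for this traffic:
    # what a spoofed source address would get reflected onto it.
    amp = sum(q.resp_bytes for q in udp) / sum(q.req_bytes for q in udp) if udp else 0.0

    # Index TCP retries by (client, qname); a client that completes the TCP
    # handshake and re-asks after a truncated UDP answer is not a spoofed address.
    tcp_retries = defaultdict(list)
    for q in suspects:
        if q.proto == "tcp":
            tcp_retries[(q.client, q.qname)].append(q.ts)
    followed = sum(
        1 for q in truncated
        if any(0 <= t - q.ts <= retry_window
               for t in tcp_retries.get((q.client, q.qname), []))
    )

    return {
        "total": len(queries),
        "suspect": len(suspects),
        "by_prefix": dict(Counter(prefix24(q.client) for q in suspects)),
        "udp_amplification": round(amp, 2),
        "truncated_udp": len(truncated),
        "tcp_followup": followed,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The tcp_followup figure is the useful discriminator between the two hypotheses in the post: a source that completes the TCP retry cannot be a spoofed reflection victim, so a high ratio of TCP follow-ups to truncated UDP answers points at real resolvers sitting behind the sending infrastructure rather than at amplification aimed at the cloud addresses. The by_prefix counts are what to join with routing or whois data when asking a cloud provider's abuse desk about a specific range.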

Attachments scrubbed by the list archive (image/png):

- TCPdump - dest removed.png (633530 bytes): https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211125/7e21c68b/attachment-0003.png
- A.FI year.PNG (301179 bytes): https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211125/7e21c68b/attachment-0004.png
- screenshot-1.png (55884 bytes): https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211125/7e21c68b/attachment-0005.png

Attached text part (spam sample headers and body):

HEADER:
Received: from TYWP286MB2124.JPNP286.PROD.OUTLOOK.COM (2603:1096:400:173::12)
 by OS3P286MB2011.JPNP286.PROD.OUTLOOK.COM with HTTPS; Wed, 3 Nov 2021
 10:53:16 +0000
Received: from AM6P191CA0059.EURP191.PROD.OUTLOOK.COM (2603:10a6:209:7f::36)
 by TYWP286MB2124.JPNP286.PROD.OUTLOOK.COM (2603:1096:400:173::12) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Wed, 3 Nov
 2021 10:53:14 +0000
Received: from AM6EUR05FT048.eop-eur05.prod.protection.outlook.com
 (2603:10a6:209:7f:cafe::63) by AM6P191CA0059.outlook.office365.com
 (2603:10a6:209:7f::36) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15 via Frontend
 Transport; Wed, 3 Nov 2021 10:53:13 +0000
Authentication-Results: spf=none (sender IP is 40.84.236.227)
 smtp.mailfrom=Omx5w.fi; live.com.au; dkim=none (message not signed)
 header.d=none;live.com.au; dmarc=none action=none
 header.from=f6RXP.fi;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: Omx5w.fi does not designate
 permitted sender hosts)
Received: from awf231.merrell.pl (40.84.236.227) by
 AM6EUR05FT048.mail.protection.outlook.com (10.233.241.223) with Microsoft
 SMTP Server id 15.20.4669.10 via Frontend Transport; Wed, 3 Nov 2021 10:53:12
 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:AB786AAE28E1806D2B81B5AFA26664F06267A531880726FBDB725453A6834183;UpperCasedChecksum:ED043C1E1BF2029D3B11935489E9AD7A5AF5C967BABABA12C3DA6FC2FA125FB2;SizeAsReceived:369;Count:11
From: Lowes✔️<f6RXP at f6RXP.fi>
Subject: Attn: Your Monthly Lowes Voucher Statement Has Arrived #7112118060✔️
To: <"michaellund at live.com.au">
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"
Date: Tue, 02 Nov 2021 13:19:28 +0000
drop_meta: 36317|93355
X-IncomingHeaderCount: 11
Message-ID:
 <54499e56-0675-4fc9-ad7b-3682bce41ade at AM6EUR05FT048.eop-eur05.prod.protection.outlook.com>
Return-Path: Omx5w at Omx5w.fi
X-MS-Exchange-Organization-ExpirationStartTime: 03 Nov 2021 10:53:12.3081
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 4eb408ed-ee76-44f7-a2b2-08d99eb82183
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource:
 AM6EUR05FT048.eop-eur05.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 11/3/2021 9:11:34 AM
X-MS-Office365-Filtering-Correlation-Id: 4eb408ed-ee76-44f7-a2b2-08d99eb82183
X-MS-TrafficTypeDiagnostic: TYWP286MB2124:
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 40.84.236.227
X-SID-PRA: F6RXP at F6RXP.FI
X-SID-Result: NONE
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-Exchange-Organization-SCL: 5
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Nov 2021 10:53:12.1912
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4eb408ed-ee76-44f7-a2b2-08d99eb82183
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource:
 AM6EUR05FT048.eop-eur05.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYWP286MB2124
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.9326302
X-MS-Exchange-Processed-By-BccFoldering: 15.20.4669.011
X-Message-Flag: Flag for follow up
Importance: high
X-Priority: 1
X-Microsoft-Antispam-Mailbox-Delivery:
	abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000284)(90000117)(90005022)(91005020)(91035115)(5061607266)(5061608174)(9050020)(9100337)(4900116)(2008001134)(2008000189)(2008010094)(2008120379)(2008019284)(2008020189)(2008070189)(2008130189)(2008160189)(2008021020)(2021020060)(98390106)(58390106)(8390246)(8377080)(8386120)(8376100)(8403086)(338374011)(338373011)(4910005)(9610002)(9560004)(9320001)(9250002)(4920091)(6394003)(4960004)(4950132)(4990091)(9140004);RF:JunkEmail;
X-Message-Info:
	qoGN4b5S4yrmAeNVLAMFDslnOcoUsFCaH3ZBO/myiGJanS2jv0Ihc4pggiWHZThIQAT1chkGeO9VA/gvLWdnLOjbgFqST0ULnqV++r4tJMDM2Ixq1Gk2hanMDfGDBPREOA2MYvC3wXP1iN28uq1w5+adEpClQzU96Y9a4H6nTd3SPAn34apIjGUJ3t5oN/VNgvilys6EfE+xS8vC5ghb3A==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Microsoft-Antispam-Message-Info:
	=?utf-8?B?R0FCR1ozbkxvYUd2cnFGYmxUL0JYYSt6TWhISDBqQWltRFVsVHFVTXZpYXl1?=
 =?utf-8?B?b3kxVzdDQ05KSllhTGNnTzdLa2lJOFMvcnl6emVscGc4UjVKRGtBekRhY0xW?=
 =?utf-8?B?ZlVJRW02K1VoWnh1VWtmVnRMTVVTdVZvekRwOUVyQ0U0UjBkZGpuZmNobUd0?=
 =?utf-8?B?MUt2Ym5Gb2xHYVNnWGIwelNtSlNjS29EVnlqQjJJbm56d3lIV2ZPdk1kVzVp?=
 =?utf-8?B?WHZGV3drOHBzOVlVdnVvTlAybjhxTE1KZXN6cHBkYmRGb1BSL1dyRDhCdS9Q?=
 =?utf-8?B?aFFYRzNhdWpDVXFsK0hic1Bab2VVTmZkQnlyZndaNHhJeDlsVDNjcEd2MHpn?=
 =?utf-8?B?MnloejdSYkYyK3BYeTFQcE80Sld5eEVpZ0FKZ3hKTnRiQTJkTG5yVEk1d3hV?=
 =?utf-8?B?OVFmKzUxcGl4WUQzdCtJM3ZjakhFSzhPcVV2UXhiSW9NaUlkZmJ6SFV0YUJB?=
 =?utf-8?B?QWZjenR0dkduVTBOaWZBbHN2YytjREVXV3VkUDNHQTFKNFpKUUdlNjdlZ1ZQ?=
 =?utf-8?B?SGVTdENxTDRHVDZOdFY2ZU0zVVdDbExnYWFQUkU1NjRRRk11TldJZ1Nmdi9W?=
 =?utf-8?B?VldKUCtsQXREKzlUTG1td2JHaE1LM2F0OFE0THMrakJMNDQ3VVVnZ3UvOUly?=
 =?utf-8?B?N2VnbGc4VENIZ1dJMEZXYkFmR2oyRnF4MG1kMHhzWEZNOHdHQzZaZGRsTmtj?=
 =?utf-8?B?aHhTWXBCbDd3b29EakFyM1d5VUZSQktWRytwd1JrOTBpRHdhYmEyNGF3TXp6?=
 =?utf-8?B?WnlPQWJaQ2ZYUGJtU245c2x4TjRMN1F6KzArZkRCazVFdWpTOXdRdTcxSHJi?=
 =?utf-8?B?dXlDTTE2K3p0V2hZMG1wZm5YQkNMYXVhNzh3Ym13d1dmaEZYa0UwMWFMNmtB?=
 =?utf-8?B?SFl1MzhQN0tGT1VYUUF1TGI4RW9UREoyNjZsNUxldGxmRWFQTTM5RDRQTFda?=
 =?utf-8?B?ZmQxbS9HYjRBUksxQ3JPMXlLbzVieHNmMkpRNzRFT241R3VoUTAzL0l0MWZq?=
 =?utf-8?B?WDlwbENEdm9LVFUzaEJoc0l2MVRFZUlBM3JJNXlKcG5iWGdGdmFxUVZIUVVs?=
 =?utf-8?B?T0VQeFBTK3ZYUzR6eHdHMWJmUnY3NmZqYmxJUmYvRVA2VkxsdDhweFlNb2dt?=
 =?utf-8?B?aUordWpNejlSQW54d1dSd0dHQTY3NGlBczFqRkkzZldIM3J4S1B3M2xoRTNz?=
 =?utf-8?B?Z3RYclJrRzZRNm1tanJ0NHd0Y0lSdGRXY2JYaHFFUFJKRWMwbUdkdDNjcjhK?=
 =?utf-8?B?cDFLL1d1c2hSd3JrdG95azZISzlFT3ZadDBnTU80UTJ4b1Vta2VsWHc1Szdi?=
 =?utf-8?B?TWN6UWpMSkN3a1FUcEVvZzFNTS9YcVVTckxqYXJ2MkFoRWsvend1SzIzcEY3?=
 =?utf-8?B?azgwakFBUFJsTi9YbWVuNWlzRlNrTnBQR0RXU1NEMzUrVUVYR0s3NUd5MnlU?=
 =?utf-8?B?OWtpQ1ZFSTJNYXFvdWt4TkR1UUFXZmFTaW1ObjV4SDhwelhJNE40SmZhNWE2?=
 =?utf-8?B?U1M2MGJ5OEwwUEVTdHBwSStQajVPQmx0WGlCZzhPL2NIbkRjVFRmSmVabEIv?=
 =?utf-8?B?TkdoR0lKN1VCNUJ0VWVYTHpjVlluWXFpUmVkMTBpM2RKTkdEVU8yS2UxOWFR?=
 =?utf-8?B?bDZGalY3a1VkYVF4TE03d21lVlZvYUlaaGxiRTM1Q3N6NFY1ODlGVklMSklY?=
 =?utf-8?B?MGFwUVBLZlk2VUZxdGVtVFRrSEFSY3ZXc2Y4SlB0dlRoZDd1M0taUVZRZWtU?=
 =?utf-8?B?ZnhPNjNjQmlycVlHYlV1UUc1QUlvN25HdWRPeHdEY1RreVJ6UDdFdDNSaXhU?=
 =?utf-8?B?bWFkbklWRWFvOXlTUXE3cFdQUFdMTFFYcFBoWWtLZmNGUjZBcytOL2VWczBV?=
 =?utf-8?B?WnBYUjVXZFBoL2JyQ0daakIva0lCdDRjQ0pJWnNCZTVuVnBjeHl2S1pjSStj?=
 =?utf-8?B?L1pGQitpcnZMWDJsNFZadytvVnlYWUxuekp3MFBtZmNEeFRuQ2ZVZWxFcWY1?=
 =?utf-8?B?NWh1QmJPU3dERXNvNTdZTk1McE9OUzNGRy8wd0dRZ3hVMC9zc1Ztd0ZaS1c3?=
 =?utf-8?B?K2UrZngxS1FXYjFiVmo4L2dyY1ZLRnhrd1hhSnhqZ3lxS3dLWVVMTHdqRGV5?=
 =?utf-8?B?VG9teXNTZHQ4Z05UTHRhZnZPNlBjbGI4RTE3a2M0YzRmMTFSUldWMjJ3SlRZ?=
 =?utf-8?B?aWFXUk9Ucng1RFNhSldFSklBc1JSeXMvRnpDWXZjcDA4ckdEQWNBY2hmbWtT?=
 =?utf-8?B?Zi83c3hvLzF6Qnk2b0x2eHhjbWx0UUo5L1BEcm9sd3FWOHlyM1FpOHR0aTBk?=
 =?utf-8?B?dTljV2xoWThxZmJZbDd6L1kvVjZQeHBDU0pYNSsvbUxKSlpTK1FlRnFFalhn?=
 =?utf-8?B?MFowUE9DRVRvY2kwc2FRMDNmY2srYnUrRWlSeEJPNXNnVVZYdGM4T285QjM1?=
 =?utf-8?B?d0p1RnBwai9oRWp6cDNsTzFFbjVxM3NmSjllQzZmRDRFdzN4WWhFcTF1bU52?=
 =?utf-8?B?dDBZMkd0SE9Jb0QrN2pmN1RQZGhaZ00yc1ZzWWFxc0tTdmVDbnI2VUFGTlNO?=
 =?utf-8?B?WVFsb3VyOXpDUS9tcEMrbEJUOVlNRWFjTmdRZ2VoMmtBZ2tLdFBzcEVuVDdq?=
 =?utf-8?Q?vjqCuXIft73y54KjmokA9KFjC2YU=3D?=
MIME-Version: 1.0

EMAIL:
________________________________________
From: Lowes✔️ <f6RXP at f6RXP.fi>
Sent: Tuesday, 2 November 2021 11:19 PM
To: "michaellund at live.com.au"
Subject: Attn: Your Monthly Lowes Voucher Statement Has Arrived #7112118060✔️

<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2F23.11.133.34.bc.googleusercontent.com%2Ft%3Fencv%3D2%26v%3DMjIyRTFVVTFPS1BuMCszeG9uZUNwazF3cisraEpTQTVvTkI2MXAyUjFIMzBwMHFSaWp1MW56eFh4RE9PWUx2bC9GQlM3cnM3VFpZZjl0U1ViVlFKSm9DL3VxSUMzU0ZrblBNa3hlaGhVRXB2S1d0TzIrOVhXdXo2MnFab0YvejlMRXVyU0p3Q2hITFRvUlhrdzl4UWJQT1Y0NEIxbnVLUUwvVm96YVh5RG13T0RuVlhMTTJkNEpyNHlSN2lwUjJTckt0a2czVkkxeDh0cXY2enhmZk94UT09&data=04%7C01%7C%7C4eb408edee7644f7a2b208d99eb82183%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637715335962930884%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2FaLD3Xrj9s7v786qQKJn8Sxag7TQrMKv13Mi4wfCrCg%3D&reserved=0>
Congratulations michaellund - Lowes Has A Big Suprise For You!

If you cannot see the images below, click here<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2F23.11.133.34.bc.googleusercontent.com%2Ft%3Fencv%3D2%26v%3DMjIyRTFVVTFPS1BuMCszeG9uZUNwazF3cisraEpTQTVvTkI2MXAyUjFIMzBwMHFSaWp1MW56eFh4RE9PWUx2bC9GQlM3cnM3VFpZZjl0U1ViVlFKSm9DL3VxSUMzU0ZrblBNa3hlaGhVRXB2S1d0TzIrOVhXdXo2MnFab0YvejlMRXVyU0p3Q2hITFRvUlhrdzl4UWJQT1Y0NEIxbnVLUUwvVm96YVh5RG13T0RuVlhMTTJkNEpyNHlSN2lwUjJTckt0a2czVkkxeDh0cXY2enhmZk94UT09&data=04%7C01%7C%7C4eb408edee7644f7a2b208d99eb82183%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637715335962930884%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2FaLD3Xrj9s7v786qQKJn8Sxag7TQrMKv13Mi4wfCrCg%3D&reserved=0>.

[https://i.imgur.com/M9bGfwo.png] [X] <https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2F23.11.133.34.bc.googleusercontent.com%2Ft%3Fencv%3D2%26v%3DMjIyRTFVVTFPS1BuMCszeG9uZUNwazF3cisraEpTQTVvTkI2MXAyUjFIMzBwMHFSaWp1MW56eFh4RE9PWUx2bC9GQlM3cnM3VFpZZjl0U1ViVlFKSm9DL3VxSUMzU0ZrblBNa3hlaGhVRXB2S1d0TzIrOVhXdXo2MnFab0YvejlMRXVyU0p3Q2hITFRvUlhrdzl4UWJQT1Y0NEIxbnVLUUwvVm96YVh5RG13T0RuVlhMTTJkNEpyNHlSN2lwUjJTckt0a2czVkkxeDh0cXY2enhmZk94UT09&data=04%7C01%7C%7C4eb408edee7644f7a2b208d99eb82183%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637715335962940841%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=DhMJjPb2sNlKI%2BQ9Q9ieJuOTKRQmgJYwddocJES65p0%3D&reserved=0>

If you no longer wish to receive these emails, you may unsubscribe by clicking here<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2F23.11.133.34.bc.googleusercontent.com%2Ft%3Fencv%3D2%26v%3DVWwybDB4WGo0cUlMYjNMSU5xUFpOMXJYaWhqOFF3Szh0V0NISjlSVkNHVC8yU3FtU05icGJYaXB0N0paOHhYdjJBb05hT3FmLzRrMVMySmp6RStKWGVONXV1b282ZEpZUERoUW1rZTcyeFdCNWNHZjl1ZlZPcFdsbTRvb0lLc1pGZzYrSThkdHhKMmF5dDFFZ1dsbU5yUis4RWd6K2p1NC82ZjFGWUlMNFY1cld0dTE3RzlzK3NsRjgvTTRpckdN&data=04%7C01%7C%7C4eb408edee7644f7a2b208d99eb82183%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637715335962940841%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=3KjtFFBo9tYybaB2zh4Qz4X0%2Boo%2F12XZ6X4snEIpJr0%3D&reserved=0> or by writing to 6130 W Flamingo Rd. Las Vegas, NV 89103



click here<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2F23.11.133.34.bc.googleusercontent.com%2Funsub%3Fencv%3D2%26m%3DaDlpMyt3MisxN0JqaWdweHZ5U0pxK29LcDdLeGc0SE5hZWlKYzNsenpnS3dTOWJuaytiQWpvMlQvNWpkQk4vWlgxTVM5YTF5Y1gzVHlJR0t2TCsxYW0rVXpXV2RRdldvNlB0RWdiWkM4NWs9&data=04%7C01%7C%7C4eb408edee7644f7a2b208d99eb82183%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637715335962950795%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2FKpEH1NXa2u0F%2F1YznowXvU6nh8BnsgTcbej8PmW1BQ%3D&reserved=0> to remove yourself from our emails listsor write to : 2828 Scenic Way
Rossville, IL 60963
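The Authentication-Results, From and Return-Path lines in the spam sample above already carry most of the evidence that ties the mail to the DNS traffic: the envelope sender domain (Omx5w.fi) and the From domain (f6RXP.fi) are both 5-character .fi names, they differ from each other, and SPF, DKIM and DMARC all evaluate to none, which is exactly what a non-existent domain produces. The following Python snippet is an added example, not part of the original post: it extracts those fields from a header excerpt copied from the sample (with the list archive's " at " obfuscation reverted to "@" and the emoji in From dropped) and reports the findings, using only the standard library. The regexes target the Authentication-Results layout Exchange Online Protection writes, as seen in the sample; other MTAs format that header differently.

```python
import email
import re

# Header excerpt copied from the spam sample attached to the post, with the list
# archive's " at " obfuscation reverted to "@" and the emoji in From dropped.
SAMPLE_HEADERS = """\
Authentication-Results: spf=none (sender IP is 40.84.236.227)
 smtp.mailfrom=Omx5w.fi; live.com.au; dkim=none (message not signed)
 header.d=none;live.com.au; dmarc=none action=none
 header.from=f6RXP.fi;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: Omx5w.fi does not designate
 permitted sender hosts)
From: Lowes<f6RXP@f6RXP.fi>
Return-Path: Omx5w@Omx5w.fi
X-Sender-IP: 40.84.236.227
X-MS-Exchange-Organization-SCL: 5

"""

# Same shape the post reports for the DNS queries: one 5-character label under .fi.
RANDOM_FI = re.compile(r"^[a-z0-9]{5}\.fi$")


def _unfold(value):
    """Collapse RFC 5322 folding whitespace so the regexes see one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def _domain(addr):
    """Domain part of 'Name<user@dom>' or of a bare 'user@dom'."""
    m = re.search(r"<([^>]+)>", addr)
    addr = (m.group(1) if m else addr).strip()
    return addr.rsplit("@", 1)[-1].lower()


def parse_auth_results(value):
    """Pull the SPF/DKIM/DMARC verdicts and both sender domains out of an
    Authentication-Results header as written by Exchange Online Protection."""
    v = _unfold(value)

    def grab(pattern):
        m = re.search(pattern, v, re.IGNORECASE)
        return m.group(1).lower() if m else None

    return {
        "spf": grab(r"\bspf=(\w+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dmarc": grab(r"\bdmarc=(\w+)"),
        "mailfrom": grab(r"smtp\.mailfrom=([^;\s]+)"),
        "header_from": grab(r"header\.from=([^;\s]+)"),
    }


def assess(raw_headers):
    msg = email.message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    from_dom = _domain(msg.get("From", ""))
    # EOP writes only the domain into smtp.mailfrom; fall back to Return-Path.
    mailfrom_dom = (auth["mailfrom"] or _domain(msg.get("Return-Path", ""))).rsplit("@", 1)[-1]
    aligned = mailfrom_dom == from_dom

    findings = []
    for mech in ("spf", "dkim", "dmarc"):
        if auth[mech] != "pass":
            findings.append(f"{mech}={auth[mech]}")
    if not aligned:
        findings.append(f"envelope domain {mailfrom_dom} differs from From domain {from_dom}")
    for label, dom in (("mailfrom", mailfrom_dom), ("from", from_dom)):
        if RANDOM_FI.match(dom):
            findings.append(f"{label} domain is a 5-character .fi name: {dom}")

    return {
        "sender_ip": msg.get("X-Sender-IP"),
        "scl": msg.get("X-MS-Exchange-Organization-SCL"),
        "from_domain": from_dom,
        "mailfrom_domain": mailfrom_dom,
        "aligned": aligned,
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in assess(SAMPLE_HEADERS)["findings"]:
        print(finding)
```

Run over a batch of reported samples, the from_domain and mailfrom_domain values are the labels to look for in the registry's own query logs: every receiving mail server that does SPF or DMARC checks will query the authoritative .FI servers for those non-existent names, which is one concrete mechanism by which a spam run produces NXDOMAIN traffic for random 5-character .fi labels from many unrelated resolvers.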