[dns-operations] Interesting increase in query volumes

Lars-Johan Liman liman at netnod.se
Mon Nov 29 06:35:48 UTC 2021


(Thanks to my attentive colleague Magnus for heads-up.)

Hello, Juhani and Sami!

This is a depressing state of affaires.

It would be interesting to hear from other TLD operators if they see
similar query patterns, and if so, what effect that has on their
services.

I'll limit my comment to one aspect.

>  - Inbound queries are UDP queries but outbound replies are TCP
> because of the DNSSEC signature

I assume this to mean "the inbound queries are UDP at first, but the
outbound UDP replies are truncated, which triggers the client to re-send
the query over TCP with an ensuing full (long) TCP response".

> - Or does the TCP return packet from our nameservers indicate that we
> are being used as an amplifier for a DoS?

The server does not normally return a TCP response packet as a direct
result of an inbound UDP packet. That "cannot happen" using normal
software. The fact that the trucated UDP response actually triggers the
client to initiate an ensuing TCP transaction, which runns to its full
closure, signals to me that this is _not_ a reflection attack. These are
real clients that, for some dubious reason, query your servers. If you
see many distinct clients in a cloud service, that signals to me that
these are not "regular resolvers", but specially crafted software that
does its own DNS resolution. That's common in malware situations.

				Best regards,
				  /Liman

#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.               !  E-mail: liman at netnod.se
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod AB, Stockholm                  !  http://www.netnod.se/
#----------------------------------------------------------------------

dns-operations at dns-oarc.net 2021-11-25 07:54 [+0000]:
> Hello everybody

> .FI registry met with a new phenomenon last September, when query
> volumes to our .FI root servers grew dramatically 100%-300%.

> So far we have learned:

>  - Increase in number of queries can be seen in all globally
>    distributed .FI root nameservers

>  - We estimate the total increase is about 1-2 billion extra queries
>    per day

>  - Queries concern mostly (if not all) randomly generated 5 character
>    .fi domains which do not exist

>  - Inbound queries are UDP queries but outbound replies are TCP
>    because of the DNSSEC signature

>  - Source addresses of queries are within big clouds, like for example
>    Microsoft Azure as the biggest single source

> We have been in touch with Microsoft abuse, but they didn't help us
> much. They confirmed that queries are really from their networks, but
> they were unwilling to reveal who is the source of those queries or
> what is the service they are related to.

> We also have been contacted by two internet users from different
> continents that report us about significant amount of spam that are
> being send (address of the sender) from - you might guess - from
> random 5 character .fi domains. Headers of those spam messages that we
> have received from those two internet users have much in common.

> So we are asking your opinions:

> - Is this about spam?

> - Or does the TCP return packet from our nameservers indicate that we
>   are being used as an amplifier for a DoS?

> - How could we get more information regarding the source of the traffic

> - Is there anything we could do for the traffic

> Thanks in advance,

> Juhani Juselius
> .FI registry
> Finnish Transport and Communications Agency Traficom


More information about the dns-operations mailing list