<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Menlo;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Dear All, <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These scans with almost constant time gaps between them are no longer visible. After less than 2 months it stopped. But scans with short periods still happen at variable intervals. After some time I looked again at the details and I was surprised that so many are coming from Cisco. <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:19:03 84 208.69.34.68 1 2019-03-05 07:09:59.65 m33.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:19:03 84 208.69.34.75 1 2019-03-05 07:09:59.94 m61.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:19:03 84 208.69.34.77 2 2019-03-05 07:10:00.48 m69.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::64 1 2019-03-05 07:07:45.88 m21.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::66 1 2019-03-05 07:07:45.90 m29.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::67 2 2019-03-05 07:07:45.75 m33.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::69 2 2019-03-05 07:07:45.75 m41.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::71 1 2019-03-05 07:07:47.27 m49.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::72 1 2019-03-05 07:07:46.27 m53.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::73 1 2019-03-05 07:07:47.27 m57.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::74 1 2019-03-05 07:07:45.75 m61.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::77 2 2019-03-05 07:07:45.90 m73.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:44 84 2620:0:cc7::78 3 2019-03-05 07:07:47.11 m77.fra.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:45 84 2620:119:10::17 66 2019-03-05 07:07:08.08 m7.yyz.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:45 84 2620:119:10::66 21 2019-03-05 07:07:12.19 m25.yyz.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:53 84 2a04:e4c0:10::64 3 2019-03-05 07:09:53.54 m17.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:53 84 2a04:e4c0:10::65 3 2019-03-05 07:09:53.54 m21.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:53 84 2a04:e4c0:10::66 2 2019-03-05 07:09:56.26 m25.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:53 84 2a04:e4c0:10::67 2 2019-03-05 07:09:57.18 m29.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:53 84 2a04:e4c0:10::68 3 2019-03-05 07:09:53.54 m33.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:53 84 2a04:e4c0:10::69 2 2019-03-05 07:09:52.56 m37.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:53 84 2a04:e4c0:10::70 4 2019-03-05 07:09:54.25 m41.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::71 1 2019-03-05 07:09:53.41 m45.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::72 4 2019-03-05 07:09:53.19 m49.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::73 2 2019-03-05 07:09:54.25 m53.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::74 6 2019-03-05 07:09:53.54 m57.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::75 4 2019-03-05 07:09:57.56 m61.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::76 2 2019-03-05 07:09:53.67 m65.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::77 3 2019-03-05 07:09:54.24 m69.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::78 3 2019-03-05 07:09:55.20 m73.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2019-03-05 06:20:54 84 2a04:e4c0:10::79 2 2019-03-05 07:09:51.77 m77.lon.opendns.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kind regards <o:p></o:p></p>
<p class="MsoNormal">Hans <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Wessels, Duane <dwessels@verisign.com> <br>
<b>Sent:</b> Thursday, January 24, 2019 11:51 PM<br>
<b>To:</b> MAYER Hans <Hans.Mayer@iiasa.ac.at>; dns-operations@dns-oarc.net<br>
<b>Subject:</b> Re: [dns-operations] periodic DNS attacks<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hans,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Others have reported the same sort of traffic here before [1,2].<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Based on the nature of the query names, it sure feels to me like someone is doing continuous scans of the IPv4 address space in the in-addr.arpa hierarchy. I assume this isn’t also happening in the ip6.arpa space.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Based on what I’ve seen of source addresses, it seems like they are non-spoofed, actual DNS clients. But given that they are widely distributed I wonder if they are essentially open resolvers.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Perhaps operators of name servers authoritative for in-addr.arpa zones would be willing to contribute to a packet capture data collection to be provided to DNS-OARC for subsequent analysis?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">DW<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[1] <a href="https://lists.dns-oarc.net/pipermail/dns-operations/2018-December/018240.html">
https://lists.dns-oarc.net/pipermail/dns-operations/2018-December/018240.html</a><o:p></o:p></p>
<p class="MsoNormal">[2] <a href="https://lists.dns-oarc.net/pipermail/dns-operations/2019-January/018268.html">
https://lists.dns-oarc.net/pipermail/dns-operations/2019-January/018268.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
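<p class="MsoNormal">The open-resolver question raised above can be checked directly, the way the original post further down does it: ask each rate-limited source for a foreign name such as www.aco.net and look at what comes back. The Python script below is an added example written for this page, not code from the thread or from either poster. It builds the query and parses the reply by hand (RFC 1035 wire format; only the header flags, the record counts and A-record rdata are read, no EDNS), so it needs no third-party DNS library. The qname www.aco.net is the one Hans used; the address 192.0.2.44 in the constructed sample reply is a documentation address chosen for the offline test, not aco.net’s real one. Probe only sources that actually hit your own servers, one query each, and read a timeout as “no reply to us”: that may be a server taken off the net, or simply a firewall dropping unsolicited UDP.<o:p></o:p></p>
<pre>
```python
# Added example: classify a source by how it answers one recursive query.
# Wire format per RFC 1035; only header, counts and A rdata are parsed.
import os
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(qname, qid):
    """Standard query with RD=1 and a single question qname/A/IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def classify_response(qid, data):
    """None (no reply) -> timeout; otherwise open-resolver, refused, nxdomain,
    no-recursion or other, decided from the reply header alone."""
    if data is None:
        return "timeout"
    if len(data) < 12:
        return "other"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:      # ID mismatch or QR bit clear
        return "other"
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:
        return "refused"
    if rcode == 3:
        return "nxdomain"
    if rcode == 0 and ra and an > 0:
        return "open-resolver"   # recursed for a name it is not authoritative for
    if rcode == 0 and not ra:
        return "no-recursion"    # answered, but offers no recursion
    return "other"


def _skip_name(data, off):
    """Offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length >= 0xC0:
            return off + 2
        off += 1 + length


def extract_a_records(data):
    """IPv4 addresses in the answer section, to compare with the expected one."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip qtype + qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return addrs


def probe(ip, qname="www.aco.net", timeout=2.0):
    """Send one UDP query to ip:53 and return (category, a_records)."""
    qid = struct.unpack("!H", os.urandom(2))[0]
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, qid), (ip, 53))
        data, _peer = sock.recvfrom(4096)
    except socket.timeout:
        data = None
    finally:
        sock.close()
    category = classify_response(qid, data)
    return category, extract_a_records(data) if category == "open-resolver" else []


def make_sample_reply(qid, qname, rcode=0, ra=True, answer_ip=None):
    """Constructed reply for offline testing (not a captured packet): QR and RD
    set, optional RA, the question echoed back, optionally one A record."""
    flags = 0x8100 | (0x0080 if ra else 0) | rcode
    question = build_query(qname, qid)[12:]
    answer = b""
    if answer_ip:
        answer = (struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4)
                  + bytes(int(o) for o in answer_ip.split(".")))
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:                    # source addresses to probe
        category, addrs = probe(ip)
        print(ip, category, *addrs)
```
</pre>
<p class="MsoNormal">Run it with the source addresses as arguments. RA set plus an answer for a name the host is not authoritative for is the open-resolver signature; REFUSED, or NOERROR without RA, points to a name server that simply does not recurse for you. Feeding the categories into collections.Counter gives the percentage split the original post reports.<o:p></o:p></p>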
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">dns-operations <<a href="mailto:dns-operations-bounces@dns-oarc.net">dns-operations-bounces@dns-oarc.net</a>> on behalf of MAYER Hans
<<a href="mailto:Hans.Mayer@iiasa.ac.at">Hans.Mayer@iiasa.ac.at</a>><br>
<b>Date: </b>Thursday, January 24, 2019 at 9:55 AM<br>
<b>To: </b>"<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>" <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>><br>
<b>Subject: </b>[EXTERNAL] [dns-operations] periodic DNS attacks<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Dear DNS Operators, <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hopefully I am not completely wrong with the information I am giving you.
<o:p></o:p></p>
<p class="MsoNormal">Our environment: We own a class-B network. We run 4 DNS servers for our domain in our own network, and two additional NS are provided by our ISP, which is ACOnet.
<o:p></o:p></p>
<p class="MsoNormal">These 4 NS which I manage are running the latest version of BIND. A long time ago I configured rate limits on all of our NS. For log analysis we are using a “graylog” server. Now – actually since some weeks ago – I have noticed a very interesting pattern when looking at “graylog” for “rate limits”. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><img border="0" width="1126" height="272" style="width:11.7291in;height:2.8333in" id="Picture_x0020_1" src="cid:image001.png@01D4D334.9E8E19E0" alt="cid:image001.png@01D4B40D.4A7B34F0"><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">At periodic intervals of about 16 hours I can see a very high rate of “rate limit” entries as syslog messages. This goes back to the beginning of December, but I haven’t seen it in the last two days.
<o:p></o:p></p>
<p class="MsoNormal">I was very interested in what happens during these periods of high numbers of rate limits. <o:p></o:p></p>
<p class="MsoNormal">Most of the queries are for <span style="font-size:8.5pt;font-family:"Courier New";color:#16ACE3;background:white">125.147.in-addr.arpa</span>, which is our IP range.
<o:p></o:p></p>
<p class="MsoNormal">They simply try to figure out what names are available in our DNS DB. This is per se not an invalid activity, but the intention is definitely suspect. <o:p></o:p></p>
<p class="MsoNormal">But stupidly enough “they” do it at such a high rate that it must be visible. I would never notice such a “scan” if it were done at, for example, one query every 10 seconds.<o:p></o:p></p>
<p class="MsoNormal">We are fair enough to answer over TCP if the rate limit is active. So “they” got the answers. <o:p></o:p></p>
<p class="MsoNormal">Some others try to query random names like <a href="http://wifi12345.iiasa.ac.at">
wifi12345.iiasa.ac.at</a> and so on, or try non-IIASA domain names, which is of course not possible with our DNS server.<o:p></o:p></p>
<p class="MsoNormal">So looking into the details wasn’t so exciting. But the question remains why it happens at such regular intervals. I wrote a small shell script collecting the graylog data from the Elasticsearch DB in compressed and aggregated form into a sqlite3 DB. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">seq start end duration(s) IPs events</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">1 2019-01-01 09:03:52.40 2019-01-01 09:13:08.64 556 58 922</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2 2019-01-02 01:35:38.13 2019-01-02 01:49:18.91 820 80 1051</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">3 2019-01-02 16:44:25.97 2019-01-02 17:00:59.41 994 124 878</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">4 2019-01-03 08:55:23.21 2019-01-03 08:57:05.65 102 110 1705</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">5 2019-01-04 01:10:10.50 2019-01-04 01:12:28.92 138 102 1351</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">6 2019-01-04 17:29:27.38 2019-01-04 17:31:33.31 126 90 1862</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">7 2019-01-05 09:30:39.49 2019-01-05 09:33:54.40 195 150 1692</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">8 2019-01-05 22:10:53.11 2019-01-05 22:21:41.22 648 212 4950</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">9 2019-01-06 00:36:45.23 2019-01-06 00:42:21.91 336 287 3523</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">10 2019-01-06 16:51:41.81 2019-01-06 16:54:57.27 196 252 3501</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">11 2019-01-06 19:30:07.79 2019-01-06 19:32:44.99 157 5 2431</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">12 2019-01-07 09:12:13.40 2019-01-07 09:17:31.58 318 131 2215</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">13 2019-01-08 01:21:43.25 2019-01-08 01:25:24.57 221 282 2729</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">14 2019-01-08 17:47:07.04 2019-01-08 17:51:03.36 236 277 3334</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">15 2019-01-09 01:43:00.38 2019-01-09 02:12:10.43 1750 3 83317</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">16 2019-01-09 08:41:56.20 2019-01-09 08:47:59.56 363 258 3035</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">17 2019-01-09 12:13:09.20 2019-01-09 12:14:37.95 88 3 513</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">18 2019-01-09 22:04:59.04 2019-01-09 22:06:27.63 88 25 2137</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">19 2019-01-10 01:11:30.30 2019-01-10 01:15:58.38 268 318 3281</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">20 2019-01-10 17:29:48.95 2019-01-10 17:38:18.06 510 314 4125</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">21 2019-01-11 09:47:27.82 2019-01-11 09:52:05.40 278 267 2888</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">22 2019-01-12 02:16:10.66 2019-01-12 02:23:44.54 454 304 4870</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">23 2019-01-12 02:46:42.97 2019-01-12 02:49:23.98 161 163 3674</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">24 2019-01-12 17:11:28.92 2019-01-12 17:15:39.11 251 360 3731</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">25 2019-01-13 09:26:26.13 2019-01-13 09:31:00.91 274 234 3146</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">26 2019-01-14 01:36:36.22 2019-01-14 01:40:45.17 249 251 3672</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">27 2019-01-14 18:01:58.70 2019-01-14 18:07:24.72 326 226 2891</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">28 2019-01-15 10:17:14.05 2019-01-15 10:22:53.28 339 237 2813</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">29 2019-01-16 01:16:36.05 2019-01-16 01:21:00.07 264 208 3174</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">30 2019-01-16 13:09:09.57 2019-01-16 13:09:58.86 49 7 1445</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">31 2019-01-16 17:47:06.08 2019-01-16 17:51:43.31 277 296 3395</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">32 2019-01-16 23:35:05.84 2019-01-16 23:37:50.89 165 6 1409</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">33 2019-01-17 10:01:54.20 2019-01-17 10:05:53.94 239 160 3020</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">34 2019-01-18 00:40:44.25 2019-01-18 00:40:51.81 7 6 1218</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">35 2019-01-18 00:53:37.40 2019-01-18 00:53:38.87 1 6 1386</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">36 2019-01-18 02:21:49.23 2019-01-18 02:29:08.71 439 360 5088</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">37 2019-01-18 16:31:34.40 2019-01-18 16:32:32.83 58 7 1548</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">38 2019-01-18 17:26:14.07 2019-01-18 17:31:01.33 287 411 3828</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">39 2019-01-19 02:07:07.23 2019-01-19 02:07:13.77 6 6 1506</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">40 2019-01-19 09:26:19.13 2019-01-19 09:32:58.23 399 225 3808</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">41 2019-01-19 14:40:34.27 2019-01-19 14:40:35.54 1 6 1694</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">42 2019-01-19 17:40:01.87 2019-01-19 17:49:49.76 588 204 5775</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">43 2019-01-20 01:36:30.91 2019-01-20 01:41:58.13 328 317 3632</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">44 2019-01-20 16:56:02.77 2019-01-20 17:02:39.29 397 299 3825</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">45 2019-01-21 07:27:03.22 2019-01-21 07:31:42.71 279 229 3966</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">46 2019-01-21 10:49:33.80 2019-01-21 10:52:47.62 194 7 1619</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">47 2019-01-21 22:07:35.10 2019-01-21 22:08:53.06 78 260 3548</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">48 2019-01-22 00:00:20.36 2019-01-22 00:00:23.67 3 7 1425</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">49 2019-01-22 11:28:52.32 2019-01-22 11:28:52.73 0 6 1617</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The table above shows that the intervals are not exactly 16 hours. It’s sometimes more and sometimes less. Generally the time gap expands. Looking manually back to December it was about 15 hours. Now it’s about 16.5 hours.
<o:p></o:p></p>
<p class="MsoNormal">Definitely it is not a cronjob running anywhere. But for human activity the intervals are too identical. The increasing time gap could be a result of an increasing number of IP addresses somewhere in the world being involved in these activities. <o:p></o:p></p>
<p class="MsoNormal">The column next to the timestamps is the duration in seconds. This is not an accurate value but gives a hint about how long this attack/scan was running. In the next column we see the number of IP addresses involved and then the number of events listed in the graylog server. Sequence “15” <span style="font-size:10.0pt;font-family:Menlo">2019-01-09 01:43</span> is definitely an outlier. Also after Jan 16<sup>th</sup> there are some outliers. Under “normal” conditions only one IP address falls into this rate limit each hour. During these periods of a few minutes you can see that there are several hundred different IPs involved.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Another question I had in mind, are these always the same IP addresses ? <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">times_seen IPs percent</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">1 1305 41.9344473007712</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">2 735 23.6182519280206</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">3 365 11.7287917737789</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">4 279 8.96529562982005</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">5 161 5.17352185089974</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">6 88 2.82776349614396</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">7 48 1.54241645244216</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">8 36 1.15681233933162</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">9 28 0.89974293059126</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">10 12 0.38560411311054</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">11 1 0.032133676092545</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">12 2 0.06426735218509</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">13 3 0.096401028277635</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">14 11 0.353470437017995</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">15 14 0.44987146529563</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">16 11 0.353470437017995</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">17 6 0.19280205655527</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">18 7 0.224935732647815</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The answer is definitely no. Above we can see that 1305 IP addresses - which is about 41.9 % - are only seen once. Only 7 IPs were logged 18 times, which is less than 1%. I recorded 49 such time frames of events from Jan 1st until now, with 3112 IPs in total. And there was not a single IP which occurred 19 times or more. There is definitely a high number of “new” IPs never seen before.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Finally I looked at how these IP addresses reply when queried with a DNS request. I can say that most of these IP addresses are not responding and the request runs into a timeout. These are about 80.6%. This may be legitimate, because these servers were never intended to be publicly available DNS servers. It could also be that the system administrator recognized that something wrong was going on with his server and removed it from the net. About 17.5% reply to any query with a valid result. I asked them for a foreign domain name “<a href="http://www.aco.net">www.aco.net</a>” and got the correct IP. The rest act differently. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I am still wondering what’s going on here. <o:p></o:p></p>
<p class="MsoNormal">Several hundred IPs running into the rate limit within minutes is not normal. In between there are only a handful with one or two occurrences. <o:p></o:p></p>
<p class="MsoNormal">Is there maybe a very simple explanation for this which I do not see? <o:p></o:p></p>
<p class="MsoNormal">Or is this the background noise before a bigger DNS attack? <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Have you ever seen such behavior? <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Kind regards <o:p></o:p></p>
<p class="MsoNormal">Hans <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">--</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">Ing. Dipl.-Ing. Hans Mayer</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">Systems Administrator</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">Information and Communication Technologies (ICT)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">International Institute for Applied Systems Analysis (IIASA)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">Schlossplatz 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">A-2361 Laxenburg, Austria</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">Phone: +43 2236 807 Ext 215</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">Mobile: +43 676 83 807 215</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">Web: <a href="http://www.iiasa.at">
http://www.iiasa.at</a></span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4">E-Mail: <a href="mailto:mayer@iiasa.ac.at">
mayer@iiasa.ac.at</a></span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#5B9BD5"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#5B9BD5">Note: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#5B9BD5"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#548DD4"> </span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
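<p class="MsoNormal">The burst bookkeeping in the post above (start, end, duration, distinct IPs and event count per wave, the interval between waves, and how often each source IP comes back) can be reproduced without graylog or sqlite. The Python script below is an added example written for this page, not Hans’s shell script: it parses BIND rate-limit log lines with a regular expression whose line layout is an assumption (real lines carry extra fields such as the client handle and the RRL hash, so LINE_RE has to be adapted to what your syslog actually stores), clusters events that are at most five minutes apart, discards clusters with fewer than three distinct clients as background noise, and builds the “seen k times” histogram. The log lines it runs on are constructed inside make_sample_log and are not real traffic.<o:p></o:p></p>
<pre>
```python
# Added example: rate-limit burst detection and source recurrence, offline.
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed shape of one BIND "rate-limit" category syslog line (adapt to yours).
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (\S+)#\d+ \(([^)]+)\): rate limit (?:drop|slip) response"
)


@dataclass
class Burst:
    start: datetime
    end: datetime
    ips: set = field(default_factory=set)
    events: int = 0

    @property
    def duration_s(self) -> int:
        return int((self.end - self.start).total_seconds())


def parse_events(log_text):
    """(timestamp, client_ip, qname) for each matching line, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def find_bursts(events, max_gap=timedelta(minutes=5), min_ips=3):
    """Group events whose spacing never exceeds max_gap, then keep groups with
    at least min_ips distinct clients: one client tripping the limit now and
    then is background noise, hundreds within minutes is a scan wave."""
    groups = []
    for ts, ip, _qname in events:
        if not groups or ts - groups[-1].end > max_gap:
            groups.append(Burst(start=ts, end=ts))
        cur = groups[-1]
        cur.end = ts
        cur.ips.add(ip)
        cur.events += 1
    return [g for g in groups if len(g.ips) >= min_ips]


def burst_intervals_s(bursts):
    """Seconds between the starts of consecutive bursts (the ~16 h period)."""
    return [int((b.start - a.start).total_seconds())
            for a, b in zip(bursts, bursts[1:])]


def recurrence_histogram(bursts):
    """{k: number of client IPs seen in exactly k bursts}, i.e. the answer to
    'are these always the same IP addresses?'."""
    per_ip = Counter(ip for b in bursts for ip in b.ips)
    return dict(sorted(Counter(per_ip.values()).items()))


def make_sample_log():
    """Constructed sample log (not real traffic): three waves about 16 h apart
    with partly overlapping clients, two lone background hits, one unrelated line."""
    waves = [
        (datetime(2019, 1, 10, 1, 11, 30),
         ["192.0.2.%d" % i for i in range(1, 6)]),
        (datetime(2019, 1, 10, 17, 29, 48),
         ["192.0.2.1", "192.0.2.2", "198.51.100.1", "198.51.100.2", "198.51.100.3"]),
        (datetime(2019, 1, 11, 9, 47, 27),
         ["192.0.2.1", "198.51.100.1", "203.0.113.1", "203.0.113.2", "203.0.113.3"]),
    ]
    fmt = ("{ts:%Y-%m-%d %H:%M:%S} ns1 named[1234]: client {ip}#5353 ({q}): "
           "rate limit slip response to {net}/24 for {q} IN PTR")
    lines = ["2019-01-10 05:00:01 ns1 named[1234]: zone example.net/IN: loaded serial 1"]
    for start, ips in waves:
        for i, ip in enumerate(ips):
            for offset in (i * 10, i * 10 + 60):      # two hits per client
                q = "%d.%d.147.125.in-addr.arpa" % (offset, i + 1)
                lines.append(fmt.format(ts=start + timedelta(seconds=offset), ip=ip,
                                        q=q, net=ip.rsplit(".", 1)[0] + ".0"))
    for hour in (5, 12):                              # lone background hits
        lines.append(fmt.format(ts=datetime(2019, 1, 10, hour), ip="198.51.100.77",
                                q="9.9.147.125.in-addr.arpa", net="198.51.100.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    bursts = find_bursts(parse_events(make_sample_log()))
    for n, b in enumerate(bursts, 1):
        print(n, b.start, b.end, b.duration_s, len(b.ips), b.events)
    print("intervals (s):", burst_intervals_s(bursts))
    print("seen k times -> IPs:", recurrence_histogram(bursts))
```
</pre>
<p class="MsoNormal">Tune max_gap and min_ips to your own baseline: in the thread a single client per hour is normal, so three distinct clients within five minutes already separates the scan waves from the noise. The intervals come out in seconds so that the drift from about 15 h to about 16.5 h can be charted directly, and the histogram keys are the “times seen” column of the second table above.<o:p></o:p></p>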
</div>
</body>
</html>