[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"
mspencer at tallships.ca
Wed Jul 2 03:24:26 ADT 2014
Still OT; Stop here & delete if this is boring. Not doing me any harm so
this is a matter of curiosity, not dire need.
Dan Peterson <dpiddy at gmail.com> wrote:
dp> Happy to help more if you want to provide more info.
I can send you more info off-list if that's okay with you.
Here I'll just summarize:
Joel Maxuel <j.maxuel at gmail.com> wrote:
> I would try running a traffic analyzer (like Wireshark) and then
> match the latest port 53 errors with (e.g. by IP) what the Wireshark
> data dump delivers. Should provide a fuller story.
Never used WS before, just fired it up. Very nice. I don't get much
more info than I've been getting from tcpdump except the DNS packet
flags (which are a PITA to pick out of hex data.) And I can't copy &
paste from the WS window.
Others have suggested DNS amplification attack. I can't figure
that. That goes:
0. Optionally, break into a DNS server (or several) and create
especially long records for particular host.
1. Create and send forged packets with:
+ the target's IP as the src address
+ a dns server known to deliver large responses (see 0. supra)
as the dest address
+ a query known to provoke the large response
2. Do #1. many times or, better, have your vast botnet do it.
The target sees many large responses, typically arriving in large
numbers, possibly with occasional error/failure responses.
I'm seeing 1 to 5 a minute, almost all error/failure message, thus all
single small packets. Some are no-error responses but contain no
RR data. Only 1 DNS response packet from a given src.
The original DNS query appears in a TCP response packet (not in the
ICMP ones) even if it's ServFail or NXDomain. The queries seem to be
for bogus host names in valid domains, such as:
apparently bogus        valid domain
mtovyxspmhyzcx.www.     xixiwg.com      # CN
wzzykfbrrly.www.        jiaohe168.com   # CN
ychubpbhmrmcwez.www.    dongdongwg.com  # CN
uvarkwwbybj.71.         appledaily.com  # HK
The domain.com will remain the same for many packets from different
srcs but the hostname.subdomain parts are all different.
It would appear as if I were probing random IP addresses with bogus
queries in order to detect working DNS servers. Only, of course, I'm
not. I see these packets on different dynamic addresses with the same
So: not a DNS amplification attack on me or my happenstance IP
address. Not a response to anything I'm doing. No obvious value to
anybody else that I can see. (What am I missing?) Some kind of
side-effect or byproduct of a DNS attack aimed elsewhere?
Thanks for the pointers,
 For some value of "valid". I haven't probed the domains but
they're registered. One case I did try to probe, the
authoritative name servers were unresponsive.
Michael Spencer Nova Scotia, Canada .~.
mspencer at tallships.ca /( )\
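An added example, not from this thread or its authors: a small Python parser that pulls the header flags (QR, RCODE, answer count) and the question name out of raw DNS bytes, so they need not be read off a hex dump, and labels a response as unsolicited when it matches no query this host sent. The packet bytes, transaction IDs and query names below are constructed test data, not captures.

```python
import struct

# RCODE values from the DNS header (only the ones that matter here).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(txid, qname, rcode, ancount=0):
    """Constructed test data: a DNS response header plus one question, no RRs."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode          # QR=1, RD=1, RA=1, RCODE
    hdr = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def decode_name(data, off):
    """Decode an uncompressed wire-format name starting at offset `off`."""
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off

def parse_dns(data):
    """Return the header fields and question name of a raw DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, _ = decode_name(data, 12)
    return {"id": txid, "qr": flags >> 15, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an, "qname": qname}

def classify(pkt, outstanding):
    """Label a message as a query, a solicited response, or an unsolicited response.

    `outstanding` is the set of (txid, qname) pairs this host actually asked for.
    A response matching none of them is backscatter: someone else used our
    address as the source of a query, or is probing for open resolvers.
    """
    p = parse_dns(pkt)
    if p["qr"] != 1:
        return "query"
    if (p["id"], p["qname"]) in outstanding:
        return "solicited"
    return "unsolicited %s ancount=%d" % (p["rcode"], p["ancount"])
```

In practice the bytes fed to `classify` would come from the UDP/TCP payload of a captured port-53 packet, and `outstanding` from the queries the local resolver logged.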