[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Mike Spencer mspencer at tallships.ca
Wed Jul 2 03:24:26 ADT 2014


Still OT; Stop here & delete if this is boring.  Not doing me any harm so
this is a matter of curiosity, not dire need.

Dan Peterson <dpiddy at gmail.com> wrote:

dp> Happy to help more if you want to provide more info.

I can send you more info off-list if that's okay with you.

Here I'll just summarize:

Joel Maxuel <j.maxuel at gmail.com> wrote:

> I would try a running a traffic analyzer (like Wireshark) and then
> match the latest port 53 errors with (e.g. by IP) what the Wireshark
> data dump delivers.  Should provide a fuller story.

Never used WS before, just fired it up. Very nice.  I don't get much
more info than I've been getting from tcpdump except the DNS packet
flags (which are a PITA to pick out of hex data.) And I can't copy &
paste from the WS window.

Others have suggested DNS amplification attack.  I can't figure
that. That goes:

   0. Optionally, break into a DNS server (or several) and create
      especially long records for a particular host.

   1. Create and send forged packets with:

        + the target's IP as the src address 
        + a dns server known to deliver large responses (see 0. supra)
          as the dest address
        + a query known to provoke the large response

   2. Do #1 many times or, better, have your vast botnet do it.

The target sees many large responses, typically arriving in large
numbers, possibly with occasional error/failure responses.

I'm seeing 1 to 5 a minute, almost all error/failure messages, thus all
single small packets.  Some are no-error responses but contain no
RR data.  Only 1 DNS response packet from a given src.

The original DNS query appears in a TCP response packet (not in the
ICMP ones) even if it's ServFail or NXDomain.  The queries seem to be
for bogus host names in valid [1] domains, such as:

     apparently bogus      valid domain
     ----------------      ------------
     mtovyxspmhyzcx.www.  xixiwg.com         # CN
     wzzykfbrrly.www.     jiaohe168.com      # CN
     ychubpbhmrmcwez.www. dongdongwg.com     # CN
     uvarkwwbybj.71.      appledaily.com     # HK

The domain.com will remain the same for many packets from different
srcs but the hostname.subdomain parts are all different.

It would appear as if I were probing random IP addresses with bogus
queries in order to detect working DNS servers.  Only, of course, I'm
not.  I see these packets on different dynamic addresses with the same
ISP.

So: not a DNS amplification attack on me or my happenstance IP
address. Not a response to anything I'm doing. No obvious value to
anybody else that I can see. (What am I missing?)  Some kind of
side-effect or byproduct of a DNS attack aimed elsewhere?

Weird.

Thanks for the pointers,
- Mike

[1] For some value of "valid". I haven't probed the domains but
    they're registered.  One case I did try to probe, the
    authoritative name servers were unresponsive.

-- 
Michael Spencer                  Nova Scotia, Canada       .~. 
                                                           /V\ 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
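The post above contrasts two patterns: the large, RR-laden replies an amplification victim would see, and the small NXDomain/ServFail/empty replies Mike is actually getting, whose flags he found painful to pick out of tcpdump's hex. The following is an added example, not code from the thread or from Mike: a stdlib-only Python parser for the DNS header and question section (so QR, RCODE, TC and the counts are printed rather than decoded by hand), a ratio of response size to the size of the query that would elicit it, and a crude triage along the lines the post draws. The 512-byte "large" threshold, the TXT-only packet builder and the sample packets are all assumptions constructed here for illustration; the query names are the ones quoted in the post.

```python
import struct

# Added example, not code from the nSLUG thread: minimal DNS response parser
# plus a crude classifier for the two traffic patterns the post contrasts.
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
          4: "NotImp", 5: "Refused"}
TYPE_TXT, CLASS_IN = 16, 1

def encode_name(name):
    """Wire-encode a dotted name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(pkt, off):
    """Decode a name at offset `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name as it appears in the stream)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_dns(pkt):
    """Header fields and question section of a raw DNS message (no IP/UDP headers)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": RCODES.get(flags & 0xF, "rcode%d" % (flags & 0xF)),
            "ancount": an, "nscount": ns, "arcount": ar,
            "questions": questions, "size": len(pkt)}

def amplification_factor(info):
    """Response bytes divided by the bytes of the query that would elicit it."""
    qname, _qtype = info["questions"][0]
    query_size = 12 + len(encode_name(qname)) + 4
    return info["size"] / query_size

def classify(info):
    """Crude triage along the lines the post draws; the 512-byte cutoff is an assumption."""
    if not info["qr"]:
        return "query"
    if info["rcode"] == "NoError" and info["ancount"] > 0 and info["size"] >= 512:
        return "large answer (amplification candidate)"
    if info["rcode"] != "NoError" or info["ancount"] == 0:
        return "small error/empty reply (scan-style)"
    return "ordinary reply"

def build_response(txid, qname, rcode, txt_answers=()):
    """Build a constructed response packet for testing; TXT answers only."""
    flags = 0x8180 | rcode                    # QR=1, RD=1, RA=1, AA=0
    pkt = struct.pack("!HHHHHH", txid, flags, 1, len(txt_answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    for txt in txt_answers:                   # NAME is a pointer to the question name
        rdata = bytes([len(txt)]) + txt
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return pkt

def summarize(pkt):
    info = parse_dns(pkt)
    return "%4d bytes  %-9s an=%d  x%.1f  %-32s %s" % (
        info["size"], info["rcode"], info["ancount"], amplification_factor(info),
        info["questions"][0][0], classify(info))

# Constructed samples modelled on the post's description (names are its examples).
SCAN_STYLE = build_response(0x1234, "mtovyxspmhyzcx.www.xixiwg.com", 3)   # NXDomain
EMPTY_OK   = build_response(0x1235, "uvarkwwbybj.71.appledaily.com", 0)    # NoError, no RRs
AMPLIFIED  = build_response(0x1236, "example.com", 0, [b"A" * 200] * 4)     # big TXT answer

if __name__ == "__main__":
    for p in (SCAN_STYLE, EMPTY_OK, AMPLIFIED):
        print(summarize(p))
    # For a captured packet, paste the DNS payload hex from `tcpdump -X`
    # (the bytes after the 8-byte UDP header) into bytes.fromhex(...) and
    # pass the result to summarize().
```

Run against the three constructed packets, the first two come out as single small replies with an amplification ratio of 1.0, which matches what the post reports; only the constructed TXT-stuffed reply crosses the threshold and carries a ratio worth an attacker's trouble. Feeding real captures through `parse_dns` gives the flags and counts directly, which is the comparison the post is trying to make by eye.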

