[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Robert McKay robert at mckay.com
Wed Jul 2 11:17:53 ADT 2014


On Wed, 2 Jul 2014 03:24:26 -0300, mspencer at tallships.ca wrote:
>      apparently bogus      valid domain
>      ----------------      ------------
>      mtovyxspmhyzcx.www.  xixiwg.com         # CN
>      wzzykfbrrly.www.     jiaohe168.com      # CN
>      ychubpbhmrmcwez.www. dongdongwg.com     # CN
>      uvarkwwbybj.71.      appledaily.com     # HK


I think it's likely that the DNS traffic you're seeing is from multiple 
unrelated attacks.. some might be against the domain servers, others 
against recursive servers and others (eg, big dns reply) against non DNS 
servers - could be anyone.

The random hostname lookups look like a bailiwick DNS attack against a 
recursive dns server.. for this to work it would have to be targeting a 
recursor on your IP - but it could also just be done to create confusion 
so the origin DNS servers can't tell who is being attacked.

If you were being attacked and there was only one IP in your logs you 
might get in touch with the other network and try to figure out what's 
going on.. if you see thousands of IPs you'll probably just give up. It 
makes sense to include random uninvolved IPs in many of these attacks 
just to make it harder to tell who's doing what to whom.

Rob
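The pattern Rob describes (a burst of queries for random leftmost labels under one base domain, which forces a resolver to go upstream for every one of them and is the hallmark of a bailiwick/Kaminsky-style poisoning attempt or of chaff meant to hide the real target) can be picked out of a resolver's query log with a small script. The following is an added example written for this page, not code from the thread or from any resolver project. It assumes BIND-style `query:` log lines (the sample lines below are constructed, using the xixiwg.com name from the quoted table and RFC 5737 documentation addresses), a two-label heuristic for the base domain (no public-suffix list), and thresholds of five distinct labels with a mean Shannon entropy of at least 3.0 bits per character; all three are assumptions to tune for a real deployment.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query-log lines (sample input, not from the thread).
# The first source sends random labels under one zone; the second is ordinary traffic.
SAMPLE_LOG = """\
02-Jul-2014 03:24:26.101 client 192.0.2.10#34111: query: mtovyxspmhyzcx.www.xixiwg.com IN A + (198.51.100.2)
02-Jul-2014 03:24:26.133 client 192.0.2.10#34111: query: wzzykfbrrly.www.xixiwg.com IN A + (198.51.100.2)
02-Jul-2014 03:24:26.150 client 192.0.2.10#34111: query: ychubpbhmrmcwez.www.xixiwg.com IN A + (198.51.100.2)
02-Jul-2014 03:24:26.201 client 192.0.2.10#34111: query: qpzkdlvmwqrs.www.xixiwg.com IN A + (198.51.100.2)
02-Jul-2014 03:24:26.250 client 192.0.2.10#34111: query: hjkwtqbzvncr.www.xixiwg.com IN A + (198.51.100.2)
02-Jul-2014 03:24:27.003 client 192.0.2.44#5353: query: www.example.com IN A + (198.51.100.2)
02-Jul-2014 03:24:27.120 client 192.0.2.44#5353: query: mail.example.com IN MX + (198.51.100.2)
"""

# Assumed log format: "client <ip>#<port>: query: <qname> IN <qtype> ..."
LOG_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one dict per query line: source IP, lower-cased qname, qtype."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append({
                "src": m.group("src"),
                "qname": m.group("qname").rstrip(".").lower(),
                "qtype": m.group("qtype"),
            })
    return records


def base_domain(qname):
    """Two-label heuristic for the zone under query (assumption: no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high, words score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_random_subdomain_bursts(records, min_distinct=5, min_entropy=3.0):
    """Group queries by (source, base domain) and flag groups whose leftmost labels
    are both numerous and random-looking. Returns {(src, base): summary}."""
    groups = defaultdict(list)
    for r in records:
        leftmost = r["qname"].split(".")[0]
        groups[(r["src"], base_domain(r["qname"]))].append(leftmost)
    hits = {}
    for key, labels in groups.items():
        distinct = set(labels)
        avg = sum(label_entropy(lbl) for lbl in distinct) / len(distinct)
        if len(distinct) >= min_distinct and avg >= min_entropy:
            hits[key] = {
                "queries": len(labels),
                "distinct_labels": len(distinct),
                "avg_entropy": round(avg, 2),
            }
    return hits


if __name__ == "__main__":
    for (src, base), info in find_random_subdomain_bursts(parse_query_log(SAMPLE_LOG)).items():
        print(f"{src} -> {base}: {info['queries']} queries, "
              f"{info['distinct_labels']} distinct random labels, "
              f"mean entropy {info['avg_entropy']} bits/char")
```

A flagged (source, zone) pair is a reason to check that the resolver randomizes source ports and transaction IDs, validates DNSSEC where the zone is signed, and applies per-client rate limiting; it is not by itself proof that the source address is the attacker, for exactly the reason Rob gives about uninvolved IPs being mixed in.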

