[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"
robert at mckay.com
Wed Jul 2 11:17:53 ADT 2014
On Wed, 2 Jul 2014 03:24:26 -0300, mspencer at tallships.ca wrote:
> apparently bogus       valid domain
> ----------------       ------------
> mtovyxspmhyzcx.www.    xixiwg.com       # CN
> wzzykfbrrly.www.       jiaohe168.com    # CN
> ychubpbhmrmcwez.www.   dongdongwg.com   # CN
> uvarkwwbybj.71.        appledaily.com   # HK
I think it's likely that the DNS traffic you're seeing is from multiple
unrelated attacks.. some might be against the domain servers, others
against recursive servers and others (e.g., big DNS reply) against non-DNS
servers - could be anyone.

The random hostname lookups look like a bailiwick DNS attack against a
recursive DNS server.. for this to work it would have to be targeting a
recursor on your IP - but it could also just be done to create confusion
so the origin DNS servers can't tell who is being attacked.

If you were being attacked and there was only one IP in your logs you
might get in touch with the other network and try to figure out what's
going on.. if you see thousands of IPs you'll probably just give up. It
makes sense to include random uninvolved IPs in many of these attacks
just to make it harder to tell who's doing what to whom.
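The pattern described in this reply (machine-generated left-most labels under a real zone, spread across many source addresses) is something a resolver operator can pick out of a query log before deciding whether it is worth contacting anyone. The script below is an added example, not code from the list or from either poster; it runs over constructed log lines that mimic the names quoted above. It assumes a simple `timestamp client qname qtype` log format, treats the last two labels as the zone (no public-suffix list), and uses a hypothetical "long run of consonants" heuristic to call a label random-looking; the thresholds are illustrative.

```python
"""Flag zones receiving random-subdomain query floods in a resolver query log.

Added example with constructed data; the log format, the zone heuristic and the
thresholds are assumptions for illustration, not the original poster's tooling.
"""
from collections import defaultdict

# Constructed sample log lines: '<timestamp> <client ip> <qname> <qtype>'.
# The first four names reuse the shapes quoted in the thread; the rest are made up.
SAMPLE_LOG = """\
2014-07-02T03:24:26 192.0.2.10 mtovyxspmhyzcx.www.xixiwg.com A
2014-07-02T03:24:26 192.0.2.11 wzzykfbrrly.www.jiaohe168.com A
2014-07-02T03:24:27 192.0.2.12 ychubpbhmrmcwez.www.dongdongwg.com A
2014-07-02T03:24:27 192.0.2.13 uvarkwwbybj.71.appledaily.com A
2014-07-02T03:24:27 192.0.2.14 qpzkfjtrmwvbx.www.xixiwg.com A
2014-07-02T03:24:28 192.0.2.15 hgvtsxrplmknz.www.xixiwg.com A
2014-07-02T03:24:28 192.0.2.16 zxcvbnmlkjhgf.www.xixiwg.com A
2014-07-02T03:24:28 192.0.2.17 rtgfdswqplkmnb.www.xixiwg.com A
2014-07-02T03:24:29 198.51.100.5 www.example.com A
2014-07-02T03:24:29 198.51.100.5 mail.example.com MX
2014-07-02T03:24:30 198.51.100.6 www.example.com AAAA
2014-07-02T03:24:30 198.51.100.7 static.example.com A
2014-07-02T03:24:31 198.51.100.8 images.example.com A
"""

CONSONANT_RUN = 5   # hypothetical: a run this long rarely occurs in human-chosen labels
MIN_QUERIES = 5     # hypothetical: below this there is too little data to judge a zone
RANDOM_SHARE = 0.8  # hypothetical: share of distinct prefixes that must look random
VOWELS = set("aeiou")


def max_consonant_run(label):
    """Longest run of consecutive consonant letters in a DNS label (y counts as a consonant)."""
    run = best = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(label):
    """Crude randomness test for a single label; 'www' and 'mail' pass, 'wzzykfbrrly' fails."""
    return max_consonant_run(label) >= CONSONANT_RUN


def base_domain(qname):
    """Zone the query belongs to, approximated as the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype


def analyse(log_text):
    """Aggregate per zone: query count, distinct left-most labels, random-looking ones, clients."""
    per_zone = defaultdict(lambda: {"queries": 0, "prefixes": set(),
                                    "random": set(), "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = parse_line(line)
        stats = per_zone[base_domain(qname)]
        first = qname.split(".")[0]
        stats["queries"] += 1
        stats["prefixes"].add(first)
        stats["clients"].add(client)
        if looks_random(first):
            stats["random"].add(first)
    return per_zone


def suspicious_zones(per_zone):
    """Zones with enough queries whose distinct prefixes are mostly random-looking."""
    flagged = {}
    for zone, s in per_zone.items():
        if s["queries"] < MIN_QUERIES:
            continue
        share = len(s["random"]) / len(s["prefixes"])
        if share >= RANDOM_SHARE:
            flagged[zone] = {"queries": s["queries"],
                             "distinct_prefixes": len(s["prefixes"]),
                             "random_share": share,
                             "clients": len(s["clients"])}
    return flagged


if __name__ == "__main__":
    for zone, info in suspicious_zones(analyse(SAMPLE_LOG)).items():
        # The client count is what tells you whether there is one network to call
        # or thousands of uninvolved addresses, as the reply above describes.
        print(f"{zone}: {info['queries']} queries, {info['distinct_prefixes']} distinct "
              f"prefixes ({info['random_share']:.0%} random-looking) from {info['clients']} clients")
```

On the constructed sample only `xixiwg.com` crosses the thresholds; the single hits on the other zones are kept in the per-zone statistics but stay below `MIN_QUERIES`, which is the right default for a heuristic this coarse. Tune `CONSONANT_RUN` against your own zone's legitimate hostnames before trusting it, since short acronym labels such as `smtp` sit close to the cut-off.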