[169205] in North American Network Operators' Group

Re: random dns queries with random sources

daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Feb 18 22:18:40 2014

To: Joe Maimon <jmaimon@ttec.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Tue, 18 Feb 2014 22:08:10 -0500."
 <5304201A.3040508@ttec.com>
Date: Wed, 19 Feb 2014 14:17:39 +1100
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <5304201A.3040508@ttec.com>, Joe Maimon writes:
> Hey all,
> 
> DNS amplification spoofed source attacks, I get that. I even thought I 
> was getting mitigation down to acceptable levels.
> 
> But now this. At different times during the previous days and on 
> different resolvers, routers with proxy turned on, etc...
> 
> Thousands of queries with thousands of source IP addresses.
> 
> According to my logs, sources are not being repeated (or not with any 
> significant frequency)
> 
> What is the purpose of this?

Indirect attack on the 5kkx.com servers? 
 
> 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: 
> swe.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: 
> query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: 
> query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: 
> uehkaiy.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: 
> query: yqv.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: 
> query: e.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: 
> bfpofpj.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: 
> query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: 
> query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: 
> ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: 
> query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: 
> query: ebb.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: 
> query: l.5kkx.com IN A + (66.199.132.7)
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
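
A defender-side check for the pattern in the quoted log (nearly every query a never-repeated name under one zone, from a never-repeated source), as an added example that is not part of the original message. The two-label parent-zone rule, the thresholds, and the sample lines (documentation addresses, victim.example) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the BIND 9 query-log layout quoted in the message above
# (other BIND versions add fields and would need a different pattern).
LINE_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN \S+"
)

def parent_zone(qname, labels=2):
    # Assumption: the last two labels are the zone; a production tool
    # would consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def summarize(lines):
    """Per parent zone: query count, distinct names, distinct client addresses."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "sources": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            s = stats[parent_zone(m["qname"])]
            s["queries"] += 1
            s["names"].add(m["qname"].lower())
            s["sources"].add(m["src"])
    return stats

def suspicious_zones(lines, min_queries=5, min_ratio=0.9):
    """Zones where both names and sources are almost never repeated."""
    flagged = []
    for zone, s in summarize(lines).items():
        n = s["queries"]
        if n >= min_queries and len(s["names"]) / n >= min_ratio \
                and len(s["sources"]) / n >= min_ratio:
            flagged.append(zone)
    return sorted(flagged)

# Constructed sample: six one-off names from six sources, then ordinary traffic.
SAMPLE = [
    f"18-Feb-2014 21:45:2{i}.000 queries: info: client 192.0.2.{10 + i}#4000{i}: "
    f"query: {label}.victim.example IN A + (198.51.100.53)"
    for i, label in enumerate(["swq", "ngqrbw", "bgbtq", "uehk", "yqv", "e"])
] + [
    f"18-Feb-2014 21:45:3{i}.000 queries: info: client 203.0.113.{1 + i % 2}#5000{i}: "
    f"query: www.example.org IN A + (198.51.100.53)"
    for i in range(6)
]

if __name__ == "__main__":
    print(suspicious_zones(SAMPLE))
```

A zone flagged this way is a candidate for per-zone rate limiting or for confirming with the zone's operator that its authoritative servers are the target.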

