[169240] in North American Network Operators' Group


RE: random dns queries with random sources

daemon@ATHENA.MIT.EDU (Beeman, Davis)
Wed Feb 19 10:58:32 2014

From: "Beeman, Davis" <Davis.Beeman@integratelecom.com>
To: Joe Maimon <jmaimon@ttec.com>, "North American Networking and Offtopic
 Gripes List" <nanog@nanog.org>
Date: Wed, 19 Feb 2014 15:57:36 +0000
In-Reply-To: <5304201A.3040508@ttec.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I am late to this train, but it appears no one else has brought this up. It is a DNS tunneling setup, not an attack. I have been dealing with one of these lately as well. They were using some open resolvers in my network to reflect, but the "random" hostnames in the queries are tunneled traffic or keywords. The original sources of the traffic are probably members of a botnet, and this is being used as a sneaky C&C method. Due to the tiny amount of data you can send in the DNS query name field, this will sort of look like an attack, because they have to send thousands of queries to get anything done.

They are not attacking the authoritative name servers in those domains, as has been suggested; rather, the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.

Davis Beeman
Network Security Engineer


-----Original Message-----
From: Joe Maimon [mailto:jmaimon@ttec.com]
Sent: Tuesday, February 18, 2014 19:08
To: North American Networking and Offtopic Gripes List
Subject: random dns queries with random sources

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels.

But now this. At different times during the previous days and on different resolvers, routers with proxy turned on, etc...

Thousands of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any significant frequency)

What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)


