[169246] in North American Network Operators' Group
RE: random dns queries with random sources
Wed Feb 19 12:09:02 2014
From: "Beeman, Davis" <Davis.Beeman@integratelecom.com>
To: Joe Maimon <jmaimon@ttec.com>, "North American Networking and Offtopic Gripes List" <nanog@nanog.org>
Date: Wed, 19 Feb 2014 17:08:03 +0000
In-Reply-To: <5304E2D8.40809@ttec.com>
They are, and dropping them just as fast. It seems like they last a day or two, and then move on to another domain name. They are similar enough that the bots probably work off a formula to determine valid requests.
It may be a coincidence, if you believe in those, but this type of C&C traffic started ramping up wildly about a month after the ZeroAccess servers got blocked...
Davis Beeman | Network Security Engineer | 360.816.3052
Integra
-----Original Message-----
From: Joe Maimon [mailto:jmaimon@ttec.com]
Sent: Wednesday, February 19, 2014 08:59
To: Beeman, Davis; North American Networking and Offtopic Gripes List
Subject: Re: random dns queries with random sources
Beeman, Davis wrote:
> rather the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer
Somebody must be registering these domain names.
And I should be able to compile a list of the auth servers in question.
Joe
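A small detector for the pattern both posts describe (formula-generated names under a domain, looked up from many unrelated sources), added here as an example and not code from either poster. The log lines, addresses, domain names and thresholds are all constructed; the two-label base-domain rule is an assumption standing in for a public suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver query log: "timestamp source-ip qname". Addresses are
# documentation ranges and the domain names are invented for this example.
SAMPLE_LOG = """\
2014-02-19T12:00:01 198.51.100.7 xq7v2kd9wz.example-bad.net
2014-02-19T12:00:02 203.0.113.44 p9rm3tk1lq.example-bad.net
2014-02-19T12:00:02 192.0.2.88 wk2z8qv4xn.example-bad.net
2014-02-19T12:00:03 198.51.100.9 c6hj1mzp0r.example-bad.net
2014-02-19T12:00:04 203.0.113.61 rt4x9kq2vb.example-bad.net
2014-02-19T12:00:05 192.0.2.10 www.example.com
2014-02-19T12:00:06 192.0.2.10 mail.example.com
2014-02-19T12:00:07 192.0.2.11 www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; a coarse 'does this label look generated' signal."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname: str) -> str:
    # Assumption: registrable domain = last two labels (no public suffix list).
    return ".".join(qname.split(".")[-2:])

def find_formula_domains(log_text, min_sources=3, min_len=8,
                         min_entropy=3.0, min_random_ratio=0.8):
    """Base domains queried by many distinct sources whose leftmost labels look
    generated (the C&C pattern the thread describes); feed these to NS lookups."""
    sources, labels = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        _ts, src, qname = line.split()
        qname = qname.lower().rstrip(".")
        base = base_domain(qname)
        sources[base].add(src)
        labels[base].append(qname[: -len(base)].rstrip("."))
    flagged = []
    for base, labs in labels.items():
        if len(sources[base]) < min_sources:
            continue
        random_like = [l for l in labs
                       if len(l) >= min_len and shannon_entropy(l) >= min_entropy]
        if len(random_like) / len(labs) >= min_random_ratio:
            flagged.append(base)
    return sorted(flagged)
```

Entropy alone is a weak heuristic (long dictionary words can score high), so treat the flagged list as candidates for the NS-record check Joe describes, not as a verdict.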