[88925] in North American Network Operators' Group


DNS deluge for x.p.ctrc.cc

daemon@ATHENA.MIT.EDU (Estes, Paul)
Fri Feb 24 12:26:44 2006

Date: Fri, 24 Feb 2006 09:25:38 -0800
From: "Estes, Paul" <pestes@Covad.COM>
To: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu



We have recently noticed a deluge of DNS requests for "ANY ANY" records
of x.p.ctrc.cc. The requests are coming from thousands of sources,
mostly our own customers. There are currently no records for
x.p.ctrc.cc, or even for p.ctrc.cc. A Google search for x.p.ctrc.cc
comes up with only 2 hits. One is a DNS log showing references to this
name. The other one shows that somebody else is seeing the same behavior
as we are:

http://weblog.barnet.com.au/edwin/cat_networking.html

However, this site has the benefit of providing a history that p.ctrc.cc
had (a week ago) a delegated NS record pointing to 321blowjob.com. At that
time, 321blowjob.com's nameserver was responding with a TXT record for
x.p.ctrc.cc.

It would appear that ctrc.cc was the victim of some DNS hijacking.
Whatever malware is attempting to look up this name, however, is doing so
at a horrific rate. I have some addresses that have made >250000
requests for this name in a short period of time.

I was thinking that I could simply put an authoritative zone for
p.ctrc.cc in our nameservers and return something for the lookups;
however, based on the writeup on the above-mentioned blog, I am now not
certain this will have any effect. As you'll note, that individual had
only 2 machines hitting his name server, and even though a response was
provided to the lookup, the hosts continued to hammer his access link.

When the lookup flood occurs, every host starts at the same time, as can
be seen on the graphs of traffic to and load of our nameservers. It's
all or nothing - the flood is either on or off. There's no background
trickle.

Is anybody else seeing these events?

--Paul

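Added example, not part of the original post: a small Python script that does what a resolver operator would do with the observation above, counting ANY queries for one name per client over a query log, listing the sources above a threshold and bucketing hits per second so the on/off nature of the flood is visible. The log lines, addresses and threshold are constructed for the example, loosely modelled on a BIND-style query log.

```python
import re
from collections import Counter

# Constructed sample lines, loosely in the shape of a BIND query log.
# 192.0.2.10 stands in for one of the hosts hammering x.p.ctrc.cc.
SAMPLE_LOG = """\
24-Feb-2006 09:10:01.001 client 192.0.2.10#40001: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
24-Feb-2006 09:10:01.002 client 192.0.2.11#40002: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
24-Feb-2006 09:10:01.003 client 192.0.2.10#40003: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
24-Feb-2006 09:10:01.004 client 192.0.2.12#40004: query: www.example.net IN A + (203.0.113.53)
24-Feb-2006 09:10:02.000 client 192.0.2.10#40005: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
24-Feb-2006 09:15:00.000 client 192.0.2.12#40006: query: example.org IN MX + (203.0.113.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[^#\s]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(text):
    """Yield (timestamp, client, qname, qtype) for every parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m.group("ts"), m.group("client"),
                   m.group("qname").lower().rstrip("."), m.group("qtype"))


def flood_report(text, qname, qtype="ANY", threshold=3):
    """Count qname/qtype queries per client and per second.

    Returns (offenders, per_second): offenders is the sorted list of
    (client, count) pairs at or above threshold; per_second maps each
    second (milliseconds dropped) to the number of matching queries, so a
    burst that starts everywhere at once shows up as a step, not a trickle.
    """
    per_client = Counter()
    per_second = Counter()
    for ts, client, name, typ in parse_queries(text):
        if name == qname.lower() and typ == qtype:
            per_client[client] += 1
            per_second[ts.split(".")[0]] += 1
    offenders = sorted((c, n) for c, n in per_client.items() if n >= threshold)
    return offenders, dict(per_second)


if __name__ == "__main__":
    hosts, timeline = flood_report(SAMPLE_LOG, "x.p.ctrc.cc")
    print("sources over threshold:", hosts)
    print("queries per second:", timeline)
```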
