[88931] in North American Network Operators' Group
RE: DNS deluge for x.p.ctrc.cc
daemon@ATHENA.MIT.EDU (Ejay Hire)
Fri Feb 24 13:33:48 2006
From: "Ejay Hire" <ejay.hire@isdn.net>
To: "'Estes, Paul'" <pestes@Covad.COM>, <nanog@merit.edu>
Date: Fri, 24 Feb 2006 12:30:29 -0600
In-Reply-To: <DE218759AAF51B45B534A59F5166425405B324C8@ZANEVS03.cc-ntd1.covad.com>
Errors-To: owner-nanog@merit.edu
It may be coincidental, but TXT and ANY queries for this zone were the ones used in the multi-gigabit reflected DNS DDoS against us earlier this month.
Ejay Hire
ISDN-Net Network Engineer
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Estes, Paul
> Sent: Friday, February 24, 2006 11:26 AM
> To: nanog@merit.edu
> Subject: DNS deluge for x.p.ctrc.cc
>
> We have recently noticed a deluge of DNS requests for "ANY ANY" records of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers. There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc. A Google search for x.p.ctrc.cc comes up with only 2 hits. One is a DNS log showing references to this name. The other one shows that somebody else is seeing the same behavior as we are:
>
> http://weblog.barnet.com.au/edwin/cat_networking.html
>
> However, this site has the benefit of providing a history that p.ctrc.cc had (a week ago) a delegated NS record pointing to 321blowjob.com. At that time, 321blowjob.com's nameserver was responding with a TXT record for x.p.ctrc.cc.
>
> It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to look up this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.
>
> I was thinking that I could simply put an authoritative zone for p.ctrc.cc in our nameservers and return something for the lookups; however, based on the writeup on the above-mentioned blog, I am now not certain this will have any effect. As you'll note, that individual had only 2 machines hitting his name server, and even though a response was provided to the lookup, the hosts continued to hammer his access link.
>
> When the lookup flood occurs, every host starts at the same time, as can be seen on the graphs of traffic to and load of our nameservers. It's all or nothing - the flood is either on or off. There's no background trickle.
>
> Is anybody else seeing these events?
>
> --Paul
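The pattern the thread describes (one name, mostly ANY and TXT queries, thousands of clients starting at the same second, a handful of hosts making enormous numbers of requests) is something a resolver operator can measure from the query log. The script below is an added example written for this page, not code from either poster or from NANOG. It assumes a BIND-9-like query-log layout (`<timestamp> client <ip>#<port>: query: <name> IN <type> <flags>`); the sample lines, timestamps and client addresses are constructed (documentation address ranges), and the function names and thresholds are illustrative choices, not anything from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample query-log excerpt in a BIND-9-like layout. Addresses come
# from documentation ranges; nothing here is real traffic from the thread.
SAMPLE_LOG = """\
24-Feb-2006 11:02:13.512 client 192.0.2.10#4012: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:02:13.520 client 192.0.2.11#3301: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:02:13.531 client 192.0.2.10#4013: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:02:13.540 client 192.0.2.12#2020: query: x.p.ctrc.cc IN TXT +
24-Feb-2006 11:02:13.544 client 192.0.2.10#4014: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:02:14.001 client 198.51.100.7#5353: query: www.example.net IN A +
24-Feb-2006 11:02:14.102 client 192.0.2.10#4015: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:02:14.110 client 192.0.2.11#3302: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:02:20.700 client 192.0.2.13#1000: query: x.p.ctrc.cc IN A +
24-Feb-2006 11:02:20.900 client 198.51.100.8#5354: query: mail.example.net IN MX +
this line is malformed on purpose and must be skipped
"""

# Timestamp (fractional seconds dropped), client address, qname and qtype.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_line(line):
    """Return a dict for one query-log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "client": m.group("client"),
        "qname": m.group("qname").lower().rstrip("."),
        "qtype": m.group("qtype"),
    }


def summarize(log_text, qname):
    """Count queries for one name per client, per qtype, and distinct clients per second."""
    per_client = Counter()
    per_qtype = Counter()
    clients_per_second = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None or rec["qname"] != qname.lower().rstrip("."):
            continue
        per_client[rec["client"]] += 1
        per_qtype[rec["qtype"]] += 1
        clients_per_second[rec["ts"]].add(rec["client"])
    return {
        "per_client": per_client,
        "per_qtype": per_qtype,
        "per_second": {ts: len(c) for ts, c in clients_per_second.items()},
    }


def heavy_hitters(summary, threshold):
    """Clients that asked for the name at least `threshold` times, busiest first."""
    hits = [(c, n) for c, n in summary["per_client"].items() if n >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


def amplifier_share(summary):
    """Fraction of the queries that are ANY or TXT, the types most useful for reflection."""
    total = sum(summary["per_qtype"].values())
    if total == 0:
        return 0.0
    return (summary["per_qtype"]["ANY"] + summary["per_qtype"]["TXT"]) / total


def synchronized_onsets(summary, min_clients):
    """Seconds in which at least `min_clients` distinct clients queried the name together."""
    return sorted(ts for ts, n in summary["per_second"].items() if n >= min_clients)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "x.p.ctrc.cc")
    print("heavy hitters (>=3):", heavy_hitters(s, 3))
    print("ANY/TXT share:", round(amplifier_share(s), 3))
    print("synchronized seconds (>=3 clients):",
          [t.isoformat() for t in synchronized_onsets(s, 3)])
```

On a real log, pass the file contents and the name in question; the thresholds should be set from a baseline of normal per-client query rates rather than the small values used here. The three outputs map onto the three things the thread cares about: which customer hosts are infected (heavy hitters), whether the query mix looks like reflection fodder (ANY/TXT share), and whether the flood is the synchronized on/off pattern Paul reports rather than a background trickle.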