[Dshield] DNS amp tracking?
Shaun
shaun at shaunc.com
Thu Feb 12 07:13:01 GMT 2009
Hi all,
Is anyone keeping track of miscreant domains involved in the recent
spate of DNS amplification attacks? I've noticed a particularly
offensive variant on the widely publicized "?A ." attacks: someone is
forging MX queries for the domain newasia-info.com. This domain has a
specially crafted set of MX records which result in a huge RR.
Unlike NS queries for . (which average around 500 bytes of response from
a server configured to answer to such with the root server addresses),
MX responses for newasia-info.com are more than three times as large:
$ dig MX newasia-info.com @4.2.2.4
; <<>> DiG 8.3 <<>> MX newasia-info.com @4.2.2.4
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63587
;; flags: qr rd ra; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; newasia-info.com, type = MX, class = IN
;; ANSWER SECTION:
newasia-info.com. 4H IN MX 12 www.weojhwehfuqwyer78234rhfwyifgaw8efgysdigqw487tghbvikwbvhsuifvbhf.com.
newasia-info.com. 4H IN MX 13 www.pudtrvj0tygtrfghtrfterfrdtftgytygh7yuiyuhjuyfgxdfcgdfcgtghyuhjh.com.
newasia-info.com. 4H IN MX 14 www.igj304fgsuidnveioruhg3q4ifguqhweoigsudblgvweuhr4ggenrgosdihfvo2.com.
newasia-info.com. 4H IN MX 15 www.ggegerfsnhdiufbwsdyjfbaskduvbi8hwudhlasudhflwuhvskjncvlierufgls.com.
newasia-info.com. 4H IN MX 16 www.gwegyudgggntgjvujhdfgdvjweyhbfsjkduveirungelkdfnvdfsiybgericybr.com.
newasia-info.com. 4H IN MX 17 www.dpwijefoasudnilirfoisdcviuzsdnfluierngonsdfvljsdnfliguenrgliurr.com.
newasia-info.com. 4H IN MX 18 www.gjmspidjfiousdfiuerg0824ht9wuhofusadivuhqwpe89rpeifoasdhfwuefhw.com.
newasia-info.com. 4H IN MX 19 www.jdefiogeroisdvjioeurnliu34n232hefuinwdufnhawifuhwiuehgi2u34fgiw.com.
newasia-info.com. 4H IN MX 0 www.ldfknpwivjbmvhdrbvkgdbvgnfhdbblrbsdkcpghjkipiokghdfvxcdgfjhkljl.com.
newasia-info.com. 4H IN MX 1 www.gergergsdgfxsgergqscvasgqweghascgvascvgergergergergergergergerg.com.
newasia-info.com. 4H IN MX 2 www.siksgcbvvjfgbvedvcjhbgklhnrfbvcbggkihlvnthdghcdbghyirhfbgvtiohd.com.
newasia-info.com. 4H IN MX 3 www.ppoujdffsdfgkghlbxcfsfgdfnbgvjvbhdcvehvjkbvbncfgveisllxbfvkklcv.com.
newasia-info.com. 4H IN MX 4 www.xsolohfdlhyuvfgwsofgasosgjvwgjdghjsghvjhwghcjbajxcbxhcvaqsxvusw.com.
newasia-info.com. 4H IN MX 5 www.ljiduiqhwdfouishbpofuitgjwiycbsiufgvbwocbzsogbsdkcvhsjkfhwjksdh.com.
newasia-info.com. 4H IN MX 6 www.lohffhkoufvhjifcgycfgxfchdgfcddfgdhdfddfgdfpxzzwwswdtyugrdsefuf.com.
newasia-info.com. 4H IN MX 7 www.kghdasvjxckblbnlgjgdfsvcngkhfhbvjtuighdofbvsdivbwscdubasfbsdfkw.com.
newasia-info.com. 4H IN MX 8 www.putrweasuijkhfxklosdfkjcdhsbwdppdjdjjvhennsdfwedfsdghhtitiitiig.com.
newasia-info.com. 4H IN MX 9 www.pioyrefvyiuhiuwhersdkfbxsjvhdfbvfvbxcmvnjbefyuxsbcdvjsfhbvcdjvf.com.
newasia-info.com. 4H IN MX 10 www.oiteesyhpoyrcklgfryfvgiyugoughouibhgbgjhgfjgfytfhgtfyjfi283423f.com.
newasia-info.com. 4H IN MX 11 www.oieuhrfyuasdutcfvsbfogijeriguhasicvybgsdfpu384r2u39fheijgcbngjb.com.
;; Total query time: 56 msec
;; WHEN: Thu Feb 12 01:01:50 2009
;; MSG SIZE sent: 34 rcvd: 1714
Much better for DDoSing with...
Observed victims (forged UDP query senders) in one particular honeypot
were all in 72.20.0.0/18. Over the course of 24 hours, 1283281 packets
totalling 93679513 bytes worth of attacks were attempted, but prevented
from going out.
Curious about others' observations, or if anyone else recognizes
newasia-info.com as a nefarious domain.
-s
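Detection logic in the spirit of the honeypot observation above, as an added example that is not part of the original message: it parses constructed resolver log lines (the log format is assumed), computes the response/request amplification ratio per query, and flags purported source addresses that keep repeating the same high-gain query, which looks like a spoofed victim rather than a real client.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not taken from the original post). The
# format is assumed: "<epoch> <src_ip> <qname> <qtype> <req_bytes> <resp_bytes>".
SAMPLE_LOG = """\
1234400000 72.20.1.10 newasia-info.com MX 34 1714
1234400000 72.20.1.10 newasia-info.com MX 34 1714
1234400001 72.20.1.10 newasia-info.com MX 34 1714
1234400001 72.20.1.11 newasia-info.com MX 34 1714
1234400002 72.20.1.11 . NS 17 500
1234400002 10.0.0.5 example.com A 29 45
1234400003 10.0.0.6 example.com MX 29 80
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse_log(text):
    """Parse the assumed log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, qname, qtype, req, resp = m.groups()
        records.append({"ts": int(ts), "src": src, "qname": qname.lower(),
                        "qtype": qtype.upper(), "req": int(req), "resp": int(resp)})
    return records

def amplification_by_query(records):
    """Bytes-out / bytes-in ratio per (qname, qtype); ~50x for the MX query above."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[(r["qname"], r["qtype"])][0] += r["req"]
        totals[(r["qname"], r["qtype"])][1] += r["resp"]
    return {k: round(resp / req, 1) for k, (req, resp) in totals.items()}

def suspected_reflection(records, min_ratio=10.0, min_repeats=2):
    """Flag (src, qname, qtype) triples that repeat a high-gain query: a real
    client rarely re-asks the same MX question within a second, a spoofed
    victim address does. Tune the thresholds to the resolver's normal traffic."""
    ratios = amplification_by_query(records)
    counts = defaultdict(int)
    for r in records:
        counts[(r["src"], r["qname"], r["qtype"])] += 1
    return sorted(key for key, n in counts.items()
                  if n >= min_repeats and ratios[(key[1], key[2])] >= min_ratio)
```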