[Dshield] DNS amp tracking?

Geo-Terra Engineering Inc. dr.astrom42 at gmail.com
Thu Feb 12 10:23:34 GMT 2009


I'm trying to, but the resources are lacking here. The MX query flood is 
less frequent than the NS <root> flood, but they are connected. How, I 
haven't figured that out yet!

Dr. Daniel Carras
CI iSecurity Center
http://isc.cybernetics-institute.org

Shaun wrote:
> Hi all,
>
> Is anyone keeping track of miscreant domains involved in the recent
> spate of DNS amplification attacks? I've noticed a particularly
> offensive variant on the widely publicized "?A ." attacks: someone is
> forging MX queries for the domain newasia-info.com. This domain has a
> specially crafted set of MX records which result in a huge RR.
>
> Unlike NS queries for . (which average around 500 bytes of response from
> a server configured to answer to such with the root server addresses),
> MX responses for newasia-info.com are more than three times as large:
>
> $ dig MX newasia-info.com @4.2.2.4
>
> ; <<>> DiG 8.3 <<>> MX newasia-info.com @4.2.2.4
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63587
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      newasia-info.com, type = MX, class = IN
>
> ;; ANSWER SECTION:
> newasia-info.com.       4H IN MX        12 www.weojhwehfuqwyer78234rhfwyifgaw8efgysdigqw487tghbvikwbvhsuifvbhf.com.
> newasia-info.com.       4H IN MX        13 www.pudtrvj0tygtrfghtrfterfrdtftgytygh7yuiyuhjuyfgxdfcgdfcgtghyuhjh.com.
> newasia-info.com.       4H IN MX        14 www.igj304fgsuidnveioruhg3q4ifguqhweoigsudblgvweuhr4ggenrgosdihfvo2.com.
> newasia-info.com.       4H IN MX        15 www.ggegerfsnhdiufbwsdyjfbaskduvbi8hwudhlasudhflwuhvskjncvlierufgls.com.
> newasia-info.com.       4H IN MX        16 www.gwegyudgggntgjvujhdfgdvjweyhbfsjkduveirungelkdfnvdfsiybgericybr.com.
> newasia-info.com.       4H IN MX        17 www.dpwijefoasudnilirfoisdcviuzsdnfluierngonsdfvljsdnfliguenrgliurr.com.
> newasia-info.com.       4H IN MX        18 www.gjmspidjfiousdfiuerg0824ht9wuhofusadivuhqwpe89rpeifoasdhfwuefhw.com.
> newasia-info.com.       4H IN MX        19 www.jdefiogeroisdvjioeurnliu34n232hefuinwdufnhawifuhwiuehgi2u34fgiw.com.
> newasia-info.com.       4H IN MX        0 www.ldfknpwivjbmvhdrbvkgdbvgnfhdbblrbsdkcpghjkipiokghdfvxcdgfjhkljl.com.
> newasia-info.com.       4H IN MX        1 www.gergergsdgfxsgergqscvasgqweghascgvascvgergergergergergergergerg.com.
> newasia-info.com.       4H IN MX        2 www.siksgcbvvjfgbvedvcjhbgklhnrfbvcbggkihlvnthdghcdbghyirhfbgvtiohd.com.
> newasia-info.com.       4H IN MX        3 www.ppoujdffsdfgkghlbxcfsfgdfnbgvjvbhdcvehvjkbvbncfgveisllxbfvkklcv.com.
> newasia-info.com.       4H IN MX        4 www.xsolohfdlhyuvfgwsofgasosgjvwgjdghjsghvjhwghcjbajxcbxhcvaqsxvusw.com.
> newasia-info.com.       4H IN MX        5 www.ljiduiqhwdfouishbpofuitgjwiycbsiufgvbwocbzsogbsdkcvhsjkfhwjksdh.com.
> newasia-info.com.       4H IN MX        6 www.lohffhkoufvhjifcgycfgxfchdgfcddfgdhdfddfgdfpxzzwwswdtyugrdsefuf.com.
> newasia-info.com.       4H IN MX        7 www.kghdasvjxckblbnlgjgdfsvcngkhfhbvjtuighdofbvsdivbwscdubasfbsdfkw.com.
> newasia-info.com.       4H IN MX        8 www.putrweasuijkhfxklosdfkjcdhsbwdppdjdjjvhennsdfwedfsdghhtitiitiig.com.
> newasia-info.com.       4H IN MX        9 www.pioyrefvyiuhiuwhersdkfbxsjvhdfbvfvbxcmvnjbefyuxsbcdvjsfhbvcdjvf.com.
> newasia-info.com.       4H IN MX        10 www.oiteesyhpoyrcklgfryfvgiyugoughouibhgbgjhgfjgfytfhgtfyjfi283423f.com.
> newasia-info.com.       4H IN MX        11 www.oieuhrfyuasdutcfvsbfogijeriguhasicvybgsdfpu384r2u39fheijgcbngjb.com.
>
> ;; Total query time: 56 msec
> ;; WHEN: Thu Feb 12 01:01:50 2009
> ;; MSG SIZE  sent: 34  rcvd: 1714
>
> Much better for DDoSing with...
>
> Observed victims (forged UDP query senders) in one particular honeypot
> were all in 72.20.0.0/18. Over the course of 24 hours, 1283281 packets
> totalling 93679513 bytes worth of attacks were attempted, but prevented
> from going out.
>
> Curious about others' observations, or if anyone else recognizes
> newasia-info.com as a nefarious domain.
>
> -s
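As an added example (not part of the thread), the Python below assembles the MX answer quoted above in DNS wire format with RFC 1035 label compression, using twenty constructed exchange names of the same shape as the real ones (www.<63-octet label>.com, the longest label DNS allows), and shows where a 1714-byte reply to a 34-byte query, roughly 50x amplification, comes from. The header ID and flags are taken from the dig output; the label contents are made up.

```python
import struct

# Constructed exchange names shaped like the ones in the post:
# "www." + a 63-octet label (the maximum DNS allows) + ".com".
QNAME = "newasia-info.com"
EXCHANGES = ["www." + chr(ord("a") + i) * 63 + ".com" for i in range(20)]

def encode_name(name, offsets, position):
    """Wire-format name with RFC 1035 label compression. `offsets` maps each
    suffix already written (e.g. "com.") to its byte offset in the message;
    `position` is the offset at which this name will be written."""
    labels = name.rstrip(".").split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if suffix in offsets:  # point at the earlier copy (2 bytes)
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        offsets[suffix] = position + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label

def build_query(qname):
    """12-byte header plus one MX/IN question (the 34 bytes dig sent)."""
    header = struct.pack("!HHHHHH", 63587, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname, {}, 12) + struct.pack("!HH", 15, 1)

def build_mx_response(qname, exchanges, ttl=4 * 3600):
    """Header + question + one MX RR per exchange, compressed the way a
    server would compress it. ID 63587 and flags qr rd ra are from the post."""
    offsets = {}
    msg = struct.pack("!HHHHHH", 63587, 0x8180, 1, len(exchanges), 0, 0)
    msg += encode_name(qname, offsets, len(msg)) + struct.pack("!HH", 15, 1)
    for preference, exchange in enumerate(exchanges):
        msg += encode_name(qname, offsets, len(msg))  # owner: 2-byte pointer
        msg += struct.pack("!HHI", 15, 1, ttl)        # TYPE MX, CLASS IN, TTL
        # RDATA = 2-byte preference + exchange name, which starts after the
        # 2-byte RDLENGTH and the 2-byte preference fields.
        rdata = struct.pack("!H", preference)
        rdata += encode_name(exchange, offsets, len(msg) + 4)
        msg += struct.pack("!H", len(rdata)) + rdata
    return msg

def amplification_factor(qname, exchanges):
    """Bytes received per byte sent for this record set."""
    return len(build_mx_response(qname, exchanges)) / len(build_query(qname))

if __name__ == "__main__":
    print(len(build_query(QNAME)), len(build_mx_response(QNAME, EXCHANGES)))
```

With the "com" suffix compressed against the question, each RR costs 84 bytes, so 34 + 20 * 84 reproduces the 1714 bytes dig reported; the NS-for-root reply mentioned in the post is only about 500 bytes by comparison.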