Last night (06 Mar 2009, 18:00 – 21:00 GMT) all our DNS servers were hit by thousands of queries per minute like these:
client xx.1.178.144#11332: query: XtrkjA.avenue-escorts.co.uk IN NS +
client xx.1.34.160#1024: query: PupxpWqaCy.avenue-escorts.co.uk IN NS +
client xx.92.137.28#32768: query: GWgtomQeLZSDdris.avenue-escorts.co.uk IN NS +
client xx.1.83.145#1025: query: nBgoxan.avenue-escorts.co.uk IN NS +
All queries were from legit clients that were allowed recursion (so now we know the number of zombies lurking in our network is quite large).
I had to declare the authoritative NSs for avenue-escorts.co.uk as bogus in all our NSs, thus stopping all outgoing queries to them (ref). The queries from clients kept hitting our NSs, but since no recursion was performed the load dropped. Queries stopped about an hour after the fix.
Anyone else seen something similar on their NSs?
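The pattern in the log lines above (a different, random-looking leftmost label on every query, all under one parent domain, coming from many internal clients) is easy to pick out of a BIND query log automatically. The script below is an added example, not code from this thread or from BIND: it parses lines in the format shown in the post, groups queries by parent domain, and flags a parent when nearly every query carries a new label and the labels look random. The sample log lines (192.0.2.x addresses), the "strip the leftmost label to get the parent" heuristic, and the thresholds are all constructed assumptions for illustration.

```python
"""Triage a BIND query log for a random-subdomain query flood.

Added example (not from the thread). Assumptions: query-log lines in the
"client IP#port: query: NAME IN TYPE +" format seen in the post; the parent
domain is taken as everything right of the leftmost label; thresholds are
tuning knobs chosen for this demo, not BIND settings.
"""
import math
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: five flood queries (labels as seen in the post plus one
# more) and three ordinary queries for an unrelated zone, plus one junk line.
SAMPLE_LOG = [
    "client 192.0.2.144#11332: query: XtrkjA.avenue-escorts.co.uk IN NS +",
    "client 192.0.2.160#1024: query: PupxpWqaCy.avenue-escorts.co.uk IN NS +",
    "client 192.0.2.28#32768: query: GWgtomQeLZSDdris.avenue-escorts.co.uk IN NS +",
    "client 192.0.2.145#1025: query: nBgoxan.avenue-escorts.co.uk IN NS +",
    "client 192.0.2.144#11333: query: qZmLbvtE.avenue-escorts.co.uk IN NS +",
    "client 192.0.2.9#5353: query: www.example.net IN A +",
    "client 192.0.2.10#5353: query: www.example.net IN A +",
    "client 192.0.2.9#5354: query: mail.example.net IN MX +",
    "this line is not a query log entry",
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random labels score higher than words like 'www'."""
    if not s:
        return 0.0
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client_ip, leftmost_label, parent_domain, qtype) or None if no match."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".")
    label, _, parent = qname.partition(".")
    return m.group("ip"), label, parent.lower(), m.group("qtype")


def analyze(lines, min_queries=4, min_unique_ratio=0.8, top_n=3):
    """Return {parent_domain: stats} for parents that look like flood targets.

    A parent is flagged when it received at least min_queries queries and the
    share of distinct leftmost labels among them is at least min_unique_ratio
    (normal traffic repeats names like www/mail; a flood never repeats).
    The top_n busiest source IPs are included so the infected clients can be found.
    """
    labels = defaultdict(set)
    clients = defaultdict(Counter)
    total = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, label, parent, _qtype = parsed
        if not parent:  # bare TLD or single-label name: nothing to group under
            continue
        labels[parent].add(label)
        clients[parent][ip] += 1
        total[parent] += 1

    report = {}
    for parent, labset in labels.items():
        ratio = len(labset) / total[parent]
        if total[parent] >= min_queries and ratio >= min_unique_ratio:
            mean_entropy = sum(shannon_entropy(l) for l in labset) / len(labset)
            report[parent] = {
                "queries": total[parent],
                "unique_labels": len(labset),
                "unique_ratio": round(ratio, 2),
                "mean_label_entropy": round(mean_entropy, 2),
                "clients": len(clients[parent]),
                "top_clients": clients[parent].most_common(top_n),
            }
    return report


if __name__ == "__main__":
    for parent, stats in analyze(SAMPLE_LOG).items():
        print(parent, stats)
```

On a live server the same function can be fed `grep 'query:' named.log`; the `top_clients` list answers the question the original poster raised about how many internal machines are generating the flood, and the parent domains it flags are the candidates for the kind of per-server blocking described above.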
I observed the same attack.
42810 inquiries for *.avenue-escorts.co.uk between Mar 6 19:26:10 and Mar 7 04:12:57
66415 inquiries for *.avenue-escorts.co.uk between Mar 12 12:04:56 and Mar 12 23:29:46
34265 inquiries for *.avenue-escorts.co.uk between Mar 13 18:34:16 and Mar 14 01:01:59
The attacks on the 6th and 12th/13th were on different name servers.
Btw: both ns1.armoraid.com and ns2.armoraid.com point to the same IP.