DNS attack avenue-escorts.co.uk

Last night (06 Mar 2009, 18:00 – 21:00 GMT) all our DNS servers were hit by thousands of queries per minute like these:

client xx.1.178.144#11332: query: XtrkjA.avenue-escorts.co.uk IN NS +
client xx.1.34.160#1024: query: PupxpWqaCy.avenue-escorts.co.uk IN NS +
client xx.92.137.28#32768: query: GWgtomQeLZSDdris.avenue-escorts.co.uk IN NS +
client xx.1.83.145#1025: query: nBgoxan.avenue-escorts.co.uk IN NS +

All queries were from legit clients that were allowed recursion (so now we know the number of zombies lurking in our network is quite large).

I had to declare the authoritative NSs for avenue-escorts.co.uk as bogus in all our NSs, thus stopping all outgoing queries to them (ref). The queries from clients kept hitting our NSs, but since no recursion was performed the load dropped. Queries stopped about an hour after the fix.
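A detection check for the pattern described above, added here as an example and not part of the original post: it parses BIND query-log lines in the quoted format and flags parent zones where nearly every query carries a different (random-looking) label from many distinct clients. The sample log lines, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# Matches the BIND 9 query-log line format quoted in the post; any leading
# timestamp or category prefix on the line is ignored by using search().
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample lines (documentation IP ranges), in the page's format:
# many clients, each asking for a different random label under one zone,
# plus some ordinary traffic to a second zone.
SAMPLE_LOG = """\
client 192.0.2.144#11332: query: XtrkjA.avenue-escorts.co.uk IN NS +
client 192.0.2.160#1024: query: PupxpWqaCy.avenue-escorts.co.uk IN NS +
client 198.51.100.28#32768: query: GWgtomQeLZSDdris.avenue-escorts.co.uk IN NS +
client 192.0.2.145#1025: query: nBgoxan.avenue-escorts.co.uk IN NS +
client 192.0.2.146#1026: query: Qzvbnmop.avenue-escorts.co.uk IN NS +
client 198.51.100.29#1027: query: www.example.com IN A +
client 198.51.100.30#1028: query: www.example.com IN A +
client 198.51.100.31#1029: query: mail.example.com IN MX +
"""

def zone_of(name):
    """Parent of the queried name: strip the leftmost label.
    Assumption: the random label is always the leftmost one, as in the post."""
    name = name.rstrip(".").lower()
    return name.split(".", 1)[1] if "." in name else name

def suspicious_zones(log_text, min_queries=5, min_unique_ratio=0.8):
    """Group queries by parent zone and flag zones where at least
    `min_unique_ratio` of `min_queries`+ queries carry a never-repeated name.
    Returns {zone: (queries, distinct_names, distinct_clients)}."""
    per_zone = defaultdict(lambda: [0, set(), set()])
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        stats = per_zone[zone_of(m.group("name"))]
        stats[0] += 1
        stats[1].add(m.group("name").lower())
        stats[2].add(m.group("ip"))
    flagged = {}
    for zone, (n, names, clients) in per_zone.items():
        if n >= min_queries and len(names) / n >= min_unique_ratio:
            flagged[zone] = (n, len(names), len(clients))
    return flagged
```

On the sample above only avenue-escorts.co.uk is flagged; example.com sees repeated names and too few queries. Feed it a real query log (with querylog enabled) to get the list of zones worth rate-limiting or marking bogus.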

Anyone else seen something similar on their NSs?

[Graphs: dnsgraph_day, dnsgraph_day_rr]


Author: Sotiris Tsimbonis

I work as a Systems Administrator in Forthnet. All posts in this blog do NOT represent my employer's views.

2 thoughts on “DNS attack avenue-escorts.co.uk”

  1. I observed the same attack.

    42810 inquiries for *.avenue-escorts.co.uk between
    Mar 6 19:26:10 and Mar 7 04:12:57

    66415 inquiries for *.avenue-escorts.co.uk between
    Mar 12 12:04:56 and Mar 12 23:29:46

    34265 inquiries for *.avenue-escorts.co.uk between
    Mar 13 18:34:16 and Mar 14 01:01:59

    The attacks on 6th and 12th/13th were on different name servers.

    Btw: both ns1.armoraid.com and ns2.armoraid.com point to the same IP.
