Last night (06 Mar 2009, 18:00 – 21:00 GMT) all our DNS servers were hit by thoudands of queries per minute like these..
client xx.1.178.144#11332: query: XtrkjA.avenue-escorts.co.uk IN NS +
client xx.1.34.160#1024: query: PupxpWqaCy.avenue-escorts.co.uk IN NS +
client xx.92.137.28#32768: query: GWgtomQeLZSDdris.avenue-escorts.co.uk IN NS +
client xx.1.83.145#1025: query: nBgoxan.avenue-escorts.co.uk IN NS +
All queries were from legit clients, that were allowed recursion (so now we know, the number of zombies lurking in our network is quite large)..
I had to declare the authoritative NSs for avenue-escorts.co.uk as bogus in all our NSs, thus stopping all outgoing queries to them (ref). The queries from clients kept hitting our NSs, but since no recursion was performed the load dropped.. Queries stopped about an hour after the fix.
Anyone else seen something similar on their NSs ?
2 Replies to “DNS attack avenue-escorts.co.uk”
I observed the same attack.
42810 inquiries for *.avenue-escorts.co.uk between
Mar 6 19:26:10 and Mar 7 04:12:57
66415 inquiries for *.avenue-escorts.co.uk between
Mar 12 12:04:56 and Mar 12 23:29:46
34265 inquiries for *.avenue-escorts.co.uk between
Mar 13 18:34:16 and Mar 14 01:01:59
The attacks on 6th and 12th/13th were on different name servers.
Btw: both ns1.armoraid.com and ns2.armoraid.com point to the same IP.