nanog mailing list archives

Re: Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)


From: Alain Hebert <ahebert () pubnix net>
Date: Fri, 10 May 2013 10:14:37 -0400

On 05/09/13 19:03, Mark Andrews wrote:
In message <518BD982.60709 () pubnix net>, Alain Hebert writes:
    ( Ok, ok, another bad customer =D )

Starting today at 5h15m EST...

    There is a bigger than usual DDoS amplification against the IP's
listed below.

    Granted, the root servers query is barely 1k while the usual isc.org is
3.5k, and this is a "possible" 15Mbps from this one source, but still :(
      With a validating resolver

      "dig any . +edns" returns a 1872 byte payload.
      "dig any . +dnssec" returns a 2030 byte payload.
      (difference is NS RRSIG records)

      Getting the DNSKEY records included isn't hard.  Throw a
      single DNSKEY query into the stream once a day/hour
      and it will be cached for 48 hours.

      If you have the SOA cached as well it gets to

      "dig any . +edns" returns a 2087 byte payload.
      "dig any . +dnssec" returns a 2245 byte payload.
 
      Mark

Well during the spamhaus incident I saw some at around 8k.

On another note...

    After 18 hours, that "pot" is still receiving ~200pps (down from
800 and 400pps) and it's up to 614 IPs now...

I still do not see the motive behind this one:

    Either someone messed up his botnet and he's stuck on it =D

    Could be a rootkit using this server as a DNS server (lots of
targets are hosted Linux in outfits like OVH).
    ( But again, why spam . IN ANY queries and not cache the results? )

    And a new query popped up -> doc.gov IN ANY +E, granted I only saw a
few of them.

    And a few of the source IP's are gaming forums mostly Minecraft
oriented.

PS: Reminder, that this server does not actually amplify anything and the
service at that location is not affected.


PS:

    If you're a Tier and wish to track down the *^%$*#@ source ISP's to
explain to them the joy of BCP38...

    Contact me off list, from your corporate email address, and I'll
provide you with the IP of that server.

----- IPs are targeted for DDoS amplification.

Format:

<IP>
    <query count during 10 seconds> [query]


-----
Alain Hebert                                ahebert () pubnix net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
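As an added worked example (mine, not from the thread): a small Python script that builds the 28-byte ". IN ANY" EDNS query that dig sends, works out the amplification factor against the response sizes Mark quotes, and parses the pot report format above (with constructed RFC 5737 sample addresses, not the ones from the post) into per-source query rates and the traffic a target would have seen had the resolver answered.

```python
import struct

# Response sizes quoted in the thread for a validating resolver answering
# ". IN ANY" (UDP payload bytes, per Mark Andrews' dig measurements).
RESPONSE_BYTES = {
    "+edns": 1872,
    "+dnssec": 2030,
    "+edns, SOA cached": 2087,
    "+dnssec, SOA cached": 2245,
}

# Constructed sample in the post's report format (RFC 5737 documentation
# addresses, not the addresses from the post).
SAMPLE_REPORT = """192.0.2.10
        2128 . IN ANY +E
198.51.100.7
        1075 . IN ANY +E
"""

def build_root_any_query(txid=0x1234, do_bit=False, udp_size=4096):
    """Wire-format '. IN ANY' query with an EDNS0 OPT record, as sent by
    'dig any . +edns' (+dnssec also sets DO): 12 + 1 + 4 + 11 = 28 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QD=1, AR=1
    question = b"\x00" + struct.pack("!HH", 255, 1)             # root, ANY, IN
    ttl = 0x8000 if do_bit else 0                               # DO flag lives in OPT TTL
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)  # OPT RR, no options
    return header + question + opt

def amplification_factors(query_len):
    """Response bytes per query byte for each quoted response size."""
    return {k: round(v / query_len, 1) for k, v in RESPONSE_BYTES.items()}

def parse_pot_report(text, window_s=10):
    """Parse '<IP>' / '<count> [query]' line pairs into (ip, count, query, pps)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows = []
    for ip, entry in zip(lines[::2], lines[1::2]):
        count, query = entry.split(None, 1)
        rows.append((ip, int(count), query, int(count) / window_s))
    return rows

def reflected_mbps(pps, response_bytes):
    """Traffic the target would see if every query were answered at this size."""
    return round(pps * response_bytes * 8 / 1e6, 2)

if __name__ == "__main__":
    q = len(build_root_any_query())
    print(q, amplification_factors(q), parse_pot_report(SAMPLE_REPORT))
```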