Dear gents and YLs,

In an ISP network that I am taking care of in my spare time, we are seeing lots of TXT requests for "ki.ro.lt" to some open recursive nameservers (which we are trying to shut down, but that's not so easy with dnsmasq and distributed Wi-Fi boxes).

Are you seeing similar attacks at the moment?

$ dig @some_nameserver -t txt ki.ro.lt
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.3 <<>> @some_nameserver-t txt ki.ro.lt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57311
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ki.ro.lt. IN TXT

;; ANSWER SECTION:
ki.ro.lt. 113 IN TXT "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"

;; Query time: 110 msec
;; SERVER: 193.238.157.16#53(193.238.157.16)
;; WHEN: Fri Sep 14 12:57:24 2012
;; MSG SIZE rcvd: 3878

---
// CERT Austria
// L. Aaron Kaplan <[email protected]>
// T: +43 1 505 64 16 78
// http://www.cert.at
// An initiative of NIC.at Internet Verwaltungs- und Betriebs GmbH
// http://www.nic.at/ - company register number 172568b, Salzburg Regional Court
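
Added example, not part of the original message: a size accounting in Python for the answer shown in the dig output, so a resolver operator can see where "MSG SIZE rcvd: 3878" comes from and how it compares with the query that triggered it. The function names are hypothetical, the TXT strings are constructed to match the 15 strings of 255 bytes in the answer section, and the query is assumed to carry no EDNS OPT record (consistent with ADDITIONAL: 0).

```python
import struct

TXT, IN = 16, 1  # RR type TXT, class IN (RFC 1035)

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, msg_id: int = 57311) -> bytes:
    """Plain TXT query: 12-byte header (RD set), one question, no EDNS OPT."""
    header = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", TXT, IN)

def build_txt_response(query: bytes, strings: list, ttl: int = 113) -> bytes:
    """Answer with one TXT record; the owner name is a compression pointer."""
    if any(len(s) > 255 for s in strings):
        raise ValueError("a TXT character-string holds at most 255 bytes")
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    msg_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", msg_id, 0x8180, 1, 1, 0, 0)  # qr rd ra, NOERROR
    answer = struct.pack("!3HIH", 0xC00C, TXT, IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

def size_report(name: str, strings: list) -> dict:
    """Sizes a resolver operator can compare against thresholds."""
    query = build_query(name)
    response = build_txt_response(query, strings)
    return {
        "query_bytes": len(query),
        "response_bytes": len(response),
        "ratio": round(len(response) / len(query), 1),
        "needs_tcp_without_edns": len(response) > 512,  # the "Truncated" line
    }

# Constructed sample: 15 strings of 255 bytes, as in the answer section.
SAMPLE = [(b"SOMOSANONYMOUS!!" * 16)[:255]] * 15

if __name__ == "__main__":
    print(size_report("ki.ro.lt", SAMPLE))
```

The computed response size equals the value dig reports, which confirms the record is padded to the 255-byte limit of each TXT character-string.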
