I've suspended this hostname:

2012-09-13 18:20:26 2,517,331 0 ki.ro.lt TXT "SOMOSANONYMOUS!!SOM...

Thanks for the note. I have noticed more creations of these large TXT records in the last year, which to me appear exclusively created for reflection attack from what I can tell - (maybe even from the same individual).

Thanks for the note.

Josh

L. Aaron Kaplan ([email protected]) @ Fri, Sep 14, 2012 at 02:34:00PM +0200 wrote :
> From: L. Aaron Kaplan <[email protected]>
> Date: Fri, 14 Sep 2012 14:34:00 +0200
> To: [email protected]
> X-Mailer: Apple Mail (2.1278)
> X-Spam-Status: No
> Cc: Kriegisch Adi <[email protected]>
> Subject: [dns-operations] ANONS reflection attack?
>
>
> Dear gents and YLs,
>
> In an ISP network that I am taking care of in my spare time, we are seeing
> lots of TXT requests for "ki.ro.lt" to some open recursive nameservers (which
> we are trying to shut down, but that's not so easy with dnsmasq and
> distributed Wi-Fi boxes)
> Are you seeing similar attacks at the moment?
>
>
> $ dig @some_nameserver -t txt ki.ro.lt
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.7.3 <<>> @some_nameserver-t txt ki.ro.lt
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57311
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ki.ro.lt. IN TXT
>
> ;; ANSWER SECTION:
> ki.ro.lt. 113 IN TXT
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" > "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" > "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" > "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" > "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" > "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" > "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!" 
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
> "SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!!SOMOSANONYMOUS!"
>
> ;; Query time: 110 msec
> ;; SERVER: 193.238.157.16#53(193.238.157.16)
> ;; WHEN: Fri Sep 14 12:57:24 2012
> ;; MSG SIZE rcvd: 3878
>
> ---
> // CERT Austria
> // L. Aaron Kaplan <[email protected]>
> // T: +43 1 505 64 16 78
> // http://www.cert.at
> // An initiative of NIC.at Internet Verwaltungs- und Betriebs GmbH
> // http://www.nic.at/ - Company register number 172568b, LG Salzburg
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

--
Joshua Anderson
Senior Admin @ FreeDNS.afraid.org
Now servicing 1,176,874 members and 95,119 domains.
Currently processing 3,200 DNS queries per second.
The highest compliment we could receive would be a premium membership.
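
Added example, not part of the thread or of either poster's tooling: one way to spot this pattern in a resolver's query log and to put a number on the size ratio for the 3878-byte answer in the dig output above. It assumes dnsmasq runs with log-queries and writes the classic "query[TYPE] name from source" lines; the sample log, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in dnsmasq's "log-queries" line format (documentation IP ranges).
SAMPLE_LOG = """\
Sep 14 12:57:20 dnsmasq[812]: query[A] www.example.org from 192.0.2.10
Sep 14 12:57:21 dnsmasq[812]: query[TXT] ki.ro.lt from 198.51.100.7
Sep 14 12:57:21 dnsmasq[812]: query[TXT] ki.ro.lt from 198.51.100.7
Sep 14 12:57:22 dnsmasq[812]: query[TXT] example.net from 192.0.2.10
Sep 14 12:57:22 dnsmasq[812]: query[TXT] KI.RO.LT. from 198.51.100.7
Sep 14 12:57:23 dnsmasq[812]: query[TXT] ki.ro.lt from 198.51.100.9
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<src>\S+)")


def query_wire_size(name, edns=True):
    """Bytes in a DNS query: 12-byte header, QNAME, QTYPE+QCLASS, optional OPT RR."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    qname = sum(1 + len(label) for label in labels) + 1  # length-prefixed labels + root
    return 12 + qname + 4 + (11 if edns else 0)  # an empty EDNS0 OPT record is 11 bytes


def amplification(name, response_bytes, edns=True):
    """Response size divided by the size of the query that triggers it."""
    return response_bytes / query_wire_size(name, edns)


def suspicious_names(log_text, qtypes=("TXT",), min_queries=3):
    """Map each name queried >= min_queries times to (count, per-source Counter)."""
    counts = Counter()
    sources = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["qtype"] not in qtypes:
            continue
        name = m["name"].lower().rstrip(".")  # DNS names are case-insensitive
        counts[name] += 1
        sources[name][m["src"]] += 1  # with spoofed queries this is the reflection target
    return {n: (c, sources[n]) for n, c in counts.items() if c >= min_queries}


if __name__ == "__main__":
    for name, (count, srcs) in suspicious_names(SAMPLE_LOG).items():
        top_src, hits = srcs.most_common(1)[0]
        print(f"{name}: {count} TXT queries, top source {top_src} ({hits}), "
              f"~{amplification(name, 3878):.0f}x for a 3878-byte answer")
```

On a real resolver the threshold would be set per time window, and the names it reports are candidates for a local block or for a report to the zone's DNS provider.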
