[dns-operations] Odd MX queries

2013-03-11 Thread Daniel Stirnimann
Hello

Since a few hours we see quite a large volume of MX queries on our TLD
as well as 2nd-level name-servers.

See attached pictures: dsc-tld-nameserver.png and
dsc-2nd-levelnameserver.png

One of the more prominent clients which sends queries to both nameservers
is the IP address 203.45.217.122 (anders51.lnk.telstra.net.).
The IP is not listed on a Spamhaus blacklist
(http://www.spamhaus.org/query/bl?ip=203.45.217.122).

The query details look like this on the TLD nameserver:
ip_ttl,src_port,qname,type,msg_id,msg_size,rd
107,23173,bittorrents24.ch.,MX,2,34,1
107,46272,1h8g4qg54n.ch.,MX,81,31,1
107,6066,engorgef.ch.,MX,170,29,1
107,39264,telecool.ch.,MX,157,29,1
107,18894,babaz.ch.,MX,96,26,1
107,19137,badassteens.ch.,MX,148,32,1
107,43440,bamiabear.ch.,MX,55,30,1
107,46299,mail2reggie.ch.,MX,183,32,1
107,36840,beckercap.ch.,MX,86,30,1
107,34205,fgaieojkxl.ch.,MX,44,31,1
107,15345,hayoz-holzbau.ch.ch.,MX,144,37,1
107,33808,bibulous.ch.,MX,133,29,1
107,6606,bcbsnc.ch.,MX,46,27,1

and like this on the 2nd-level nameserver:
ip_ttl,src_port,qname,type,msg_id,msg_size,rd
107,27413,rgac2.ethz.ch.,MX,84,31,1
107,62537,sp052.cern.ch.,MX,217,31,1
106,65441,sunpdp20.cern.ch.,MX,55,34,1
107,52398,hecvsante.ch.,MX,172,30,1
106,20194,sunpdp20.cern.ch.,MX,149,34,1
107,45914,rgac2.ethz.ch.,MX,1,31,1
107,24860,sp052.cern.ch.,MX,117,31,1
106,50578,rgac2.ethz.ch.,MX,85,31,1
106,40725,sp052.cern.ch.,MX,70,31,1
107,48133,sunpdp20.cern.ch.,MX,53,34,1
106,3974,vxcrna.cern.ch.,MX,43,32,1

So, it's clearly not normal resolver behavior as the query question is
not repeated and the RD bit is set (EDNS0 and the DO bit are not used/set).
The client is using a large number of different domains and so evading
DNS-RRL. For example, within 15 minutes 3070 different query-names are
used. Within 60 minutes 4716 and within 4 hours 11193 different
query-names. The query-name which is repeated most is asked every 6-7
seconds.

Has anyone an idea what the source of this traffic pattern is? It's also
interesting to note that quite a lot of 2nd-level queries result in
NXDOMAIN responses.

Best regards,
Daniel

-- 
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 16 24, fax +41 44 268 15 78
daniel.stirnim...@switch.ch, http://www.switch.ch
Security-Blog: http://securityblog.switch.ch
[attachments: dsc-2nd-level-nameserver.png, dsc-tld-nameserver.png]
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Odd MX queries

2013-03-11 Thread Daniel Stirnimann
Hi Vernon

>> Has anyone an idea what the source of this traffic pattern is? It's also
>> interesting to note that quite a lot of 2nd-level queries result in
>> NXDOMAIN responses.
>
> Which RRL implementation are you using?  If it is the BIND9 RRL
> implementation, then how are the NXDOMAIN responses evading that limit?

I'm using the current BIND9 9.8.4 RPZ+RRL patch. It's completely evading
DNS-RRL on the tld-nameserver, where a lot of different query-names are
used and the RCODE is NOERROR.

On the 2nd-level name-server the MX query rate is only about 120 qps. I
guess it's too few queries to trigger my generous DNS-RRL config. I
have response-per-second 20.

For example, within 15 minutes 81 different query-names are sent. The
domain which is queried the most is used 186 times within 15 minutes.
That's way below the DNS-RRL config threshold. However, it's nothing
which concerns me. As said, the abusive traffic on the 2nd-level
name-server is quite low. On the tld name-server it was different.

Sorry, that I was not clear on that.

Daniel


Re: [dns-operations] Odd MX queries

2013-03-11 Thread Daniel Stirnimann
On 11.03.13 15:24, Daniel Stirnimann wrote:

> Has anyone an idea what the source of this traffic pattern is? It's also
> interesting to note that quite a lot of 2nd-level queries result in
> NXDOMAIN responses.

Someone responded offlist to me. It's one of the messaging bots which is
causing this traffic which has a broken resolver.

McAfee Labs recently posted a nice summary of the messaging botnets:
http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets

Thanks,
Daniel


Re: [dns-operations] Odd MX queries

2013-03-11 Thread Vernon Schryver
> From: Daniel Stirnimann <daniel.stirnim...@switch.ch>

> I'm using the current BIND9 9.8.4 RPZ+RRL patch. It's completely evading
> DNS-RRL on the tld-nameserver, where a lot of different query-names are
> used and the RCODE is NOERROR.

All of the domains in the first list in your previous message 
give me NXDOMAIN.

How is it evading the BIND9 RRL referral limit on your TLD server?


> On the 2nd-level name-server the MX query rate is only about 120 qps. I
> guess it's too few queries to trigger my generous DNS-RRL config. I
> have response-per-second 20.
>
> For example, within 15 minutes 81 different query-names are sent. The
> domain which is queried the most is used 186 times within 15 minutes.
> That's way below the DNS-RRL config threshold. However, it's nothing
> which concerns me. As said, the abusive traffic on the 2nd-level
> name-server is quite low. On the tld name-server it was different.

Yes, 81 names/15 minutes is only about 0.1 qps.


Vernon Schryver    v...@rhyolite.com


Re: [dns-operations] Odd MX queries

2013-03-11 Thread Marco Davids (SIDN)
On 3/11/13 12:55 PM, Daniel Stirnimann wrote:

>> Has anyone an idea what the source of this traffic pattern is? It's also
>> interesting to note that quite a lot of 2nd-level queries result in
>> NXDOMAIN responses.
>
> Someone responded offlist to me. It's one of the messaging bots which is
> causing this traffic which has a broken resolver.

Not always. Sometimes it's a spammer (botnet) trying to distinguish
valid harvested e-mail addresses from fake ones, that are generated for
reasons of 'list poisoning', such as the ones generated with:

http://www.spamhelp.org/harvesterkiller/
http://www.robietherobot.com/spamfight.htm
http://zzzy.freeshell.org/guestbook/
and similar ones.

A typical example of a 'cat and mouse game'...

Regards,

--
Marco



Re: [dns-operations] Odd MX queries

2013-03-11 Thread Daniel Stirnimann
On 11.03.13 18:07, Vernon Schryver wrote:
>> From: Daniel Stirnimann <daniel.stirnim...@switch.ch>
>>
>> I'm using the current BIND9 9.8.4 RPZ+RRL patch. It's completely evading
>> DNS-RRL on the tld-nameserver, where a lot of different query-names are
>> used and the RCODE is NOERROR.
>
> All of the domains in the first list in your previous message
> give me NXDOMAIN.
>
> How is it evading the BIND9 RRL referral limit on your TLD server?

Good question.

One error I made is that there are lots of different IP addresses
sending these queries. The IP address 203.45.217.122 which I referred to
in my original post sends about 50 qps, but there are roughly 5800 other
IPs sending this traffic as well. Some send only one query within 15
minutes, but most send something between 1 qps and 40 qps.

The few IP addresses which send more than my threshold
(response-per-second 20) are rate-limited.

When I looked at the DSC rcode graph it seemed like the same amount of
queries were answered. However, in fact about 10 up to 80 IPs were rate
limited at any given time.

I would have gotten a better rate-limiting with a lower threshold but
in the end the botnet is probably just too large.

>> For example, within 15 minutes 81 different query-names are sent. The
>> domain which is queried the most is used 186 times within 15 minutes.
>> That's way below the DNS-RRL config threshold. However, it's nothing
>> which concerns me. As said, the abusive traffic on the 2nd-level
>> name-server is quite low. On the tld name-server it was different.
>
> Yes, 81 names/15 minutes is only about 0.1 qps.

Sorry, bad wording on my part. 81 unique query-names. The end result is
higher than 0.1 qps but still irrelevant.

Daniel
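Added example, not code from the thread or from SWITCH: a small analysis of DSC-style query records that reproduces the two observations made in this thread, the high number of distinct query-names per client from Daniel's first post, and the spread of the traffic over many source addresses that each stay below the response-per-second threshold from his clarification above. It also models, in simplified form, why BIND9 RRL treats NOERROR answers for many distinct names as separate buckets but groups NXDOMAINs per zone. Assumptions that are mine and not in the page: each record carries a timestamp `ts` (seconds), a source address `src` and the response `rcode` in addition to the DSC columns shown in the thread; the RRL bucket identity is a simplified model (no slip, no credit window, the zone approximated by the rightmost labels); the sample traffic is constructed, not a capture.

```python
"""Analyse DSC-style query records for the many-names, many-sources
MX pattern and estimate what a per-bucket response-rate limit would drop.
Added example; the ts/src/rcode columns and the sample are assumptions."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict


def make_sample():
    """Constructed input: one client spreading 30 MX queries over 30 names
    in one second (NOERROR), one client repeating a single name 25 times in
    the next second, and the first client asking 22 non-existent .ch names
    in the third second."""
    rows = ["ts,src,ip_ttl,src_port,qname,type,msg_id,msg_size,rd,rcode"]
    for i in range(30):
        rows.append(f"{100 + i / 30:.3f},203.0.113.7,107,{20000 + i},"
                    f"name{i}.ch.,MX,{i},30,1,NOERROR")
    for i in range(25):
        rows.append(f"{101 + i / 25:.3f},198.51.100.5,107,{30000 + i},"
                    f"sp052.cern.ch.,MX,{i},31,1,NOERROR")
    for i in range(22):
        rows.append(f"{102 + i / 22:.3f},203.0.113.7,107,{40000 + i},"
                    f"nx{i}.ch.,MX,{i},28,1,NXDOMAIN")
    return "\n".join(rows) + "\n"


def parse_records(text):
    """Parse the CSV export into dicts with a numeric timestamp."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = float(row["ts"])
        records.append(row)
    return records


def unique_qnames(records, window_s=1):
    """Distinct qnames per (source, window): the name diversity that keeps
    every per-name counter far below threshold."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], int(r["ts"] // window_s))].add(r["qname"])
    return {k: len(v) for k, v in seen.items()}


def peak_rate(records):
    """Highest queries per second seen from each source in any one second."""
    per_second = Counter((r["src"], int(r["ts"])) for r in records)
    peak = {}
    for (src, _), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return peak


def most_repeated(records):
    """(qname, count) of the name that is asked most often."""
    return Counter(r["qname"] for r in records).most_common(1)[0]


def rrl_bucket(r, prefix_len=24, zone_labels=1):
    """Simplified model (assumption) of how RRL decides two responses are
    'identical': positive answers by client block + qname + qtype, NXDOMAIN
    by client block + zone, so many distinct non-existent names share one
    bucket while many distinct existing names do not."""
    block = str(ipaddress.ip_network(f"{r['src']}/{prefix_len}", strict=False))
    if r["rcode"] == "NXDOMAIN":
        labels = r["qname"].rstrip(".").split(".")
        return (block, "nxdomain", ".".join(labels[-zone_labels:]))
    return (block, "answer", r["qname"], r["type"])


def rrl_overflow(records, responses_per_second=20, **bucket_args):
    """Responses above the threshold per (bucket, second); an empty result
    means the limiter would not have dropped anything."""
    counts = Counter((rrl_bucket(r, **bucket_args), int(r["ts"])) for r in records)
    return {k: n - responses_per_second for k, n in counts.items()
            if n > responses_per_second}


if __name__ == "__main__":
    recs = parse_records(make_sample())
    print("peak qps per source:", peak_rate(recs))
    print("unique qnames per source and second:", unique_qnames(recs))
    print("most repeated name:", most_repeated(recs))
    print("responses RRL would drop at 20 rps:", rrl_overflow(recs))
```

Run as a script it shows the contrast the thread is about: both constructed clients peak above 20 qps, yet only the repeating client and the NXDOMAIN burst exceed a bucket, because the 30 NOERROR queries for distinct names land in 30 separate buckets. A per-source peak rate (or the per-source unique-name count) is the signal to alert on; the rate limiter alone will not show it.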


Re: [dns-operations] Odd MX queries

2013-03-11 Thread Vernon Schryver
> From: Daniel Stirnimann <daniel.stirnim...@switch.ch>

> One error I made is that there are lots of different IP addresses
> sending these queries. The IP address 203.45.217.122 which I referred to
> in my original post sends about 50 qps, but there are roughly 5800 other
> IPs sending this traffic as well. Some send only one query within 15
> minutes, but most send something between 1 qps and 40 qps.

That's interesting.

> The few IP addresses which send more than my threshold
> (response-per-second 20) are rate-limited.

That's a relief.


If I were eager to repeat the very popular error of confusing guesses
with knowledge and facts, I might expound on botnets and spam and claim
that the increase in spam backscatter in my personal mailbox and the
~7% increase in spam reported to DCC are both real and related to what
you are seeing.
http://www.rhyolite.com/dcc/graphs/?BIG=1&end=1363032000&resol=1m
http://www.rhyolite.com/dcc/graphs/?resol=1w&end=1363032000&BIG=1
http://www.rhyolite.com/dcc/graphs/?resol=1w&end=1361822400&BIG=1

However, I've learned from many years of watching others make authoritative
sounding declarations about the what, where, why, and how of network
evil, and be immediately or sooner shown to be full of negative clues
(facts that are false).


Vernon Schryver    v...@rhyolite.com