RE: random dns queries with random sources

2014-02-19 Thread Beeman, Davis
I am late to this train, but it appears no one else has brought this up.  It is 
a DNS tunneling setup, not an attack.  I have been dealing with one of these 
lately as well.  They were using some open resolvers in my network to reflect, 
but the random hostnames in the queries are tunneled traffic or keywords.  
The original sources of the traffic are probably members of a botnet, and this 
is being used as a sneaky CC method.   Due to the tiny amount of data you can 
send in the DNS query name field, this will sort of look like an attack, 
because they have to send thousands of queries to get anything done.  

They are not attacking the authoritative name servers in those domains, as has 
been suggested; rather, the authoritative name server in these domains is the 
rogue DNS server in use by the bad actor running a botnet. 

Davis Beeman
Network Security Engineer


-Original Message-
From: Joe Maimon [mailto:jmai...@ttec.com] 
Sent: Tuesday, February 18, 2014 19:08
To: North American Networking and Offtopic Gripes List
Subject: random dns queries with random sources

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I was 
getting mitigation down to acceptable levels.

But now this. At different times during the previous days and on different 
resolvers, routers with proxy turned on, etc...

Thousands of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any 
significant frequency)

What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)
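A resolver-side check for the pattern this thread describes (one zone, nearly every query carrying a new random leftmost label and a new source IP), written here as an added example rather than anything posted in the thread. It parses BIND query-log lines of the shape quoted above and scores each zone; the sample log, the tunnel.test zone and the RFC 5737 addresses are constructed, and the 0.8 ratio threshold and the two-label zone depth are assumptions to tune for your own logs.

```python
import math
import re
from collections import defaultdict

# Matches the BIND query-log lines quoted in the thread ("client A.B.C.D#port: query: name IN type").
LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN \S+")

# Constructed sample log (RFC 5737 addresses and a .test zone, not the thread's real data).
SAMPLE_LOG = """\
18-Feb-2014 21:45:24.982 queries: info: client 192.0.2.12#19391: query: swe.tunnel.test IN A + (198.51.100.5)
18-Feb-2014 21:45:25.067 queries: info: client 192.0.2.187#55190: query: ngqrbwuzquz.tunnel.test IN A + (198.51.100.7)
18-Feb-2014 21:45:25.105 queries: info: client 192.0.2.221#33924: query: bgbtqcdtzen.tunnel.test IN A + (198.51.100.7)
18-Feb-2014 21:45:25.106 queries: info: client 192.0.2.224#4379: query: uehkaiy.tunnel.test IN A + (198.51.100.7)
18-Feb-2014 21:45:25.106 queries: info: client 192.0.2.169#44000: query: yqv.tunnel.test IN A + (198.51.100.7)
18-Feb-2014 21:45:26.100 queries: info: client 203.0.113.4#5300: query: www.example.org IN A + (198.51.100.5)
18-Feb-2014 21:45:26.200 queries: info: client 203.0.113.4#5301: query: www.example.org IN AAAA + (198.51.100.5)
18-Feb-2014 21:45:26.300 queries: info: client 203.0.113.9#5302: query: mail.example.org IN A + (198.51.100.5)
18-Feb-2014 21:45:26.400 queries: info: client 203.0.113.4#5303: query: www.example.org IN A + (198.51.100.5)
18-Feb-2014 21:45:26.500 queries: info: client 203.0.113.9#5304: query: www.example.org IN A + (198.51.100.5)
"""

def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs) if label else 0.0

def flag_tunnel_candidates(log_text, zone_depth=2, min_queries=5, ratio=0.8):
    """Per zone (last zone_depth labels) count queries, distinct leftmost labels and distinct
    source IPs. A zone where nearly every query brings a new label AND a new source matches
    the thread's description; a busy legitimate zone repeats both, so its ratios stay low."""
    zones = defaultdict(lambda: {"queries": 0, "labels": set(), "sources": set(), "ent": 0.0})
    for m in LINE_RE.finditer(log_text):
        labels = m.group("qname").lower().rstrip(".").split(".")
        z = zones[".".join(labels[-zone_depth:])]
        z["queries"] += 1
        z["labels"].add(labels[0])
        z["sources"].add(m.group("src"))
        z["ent"] += label_entropy(labels[0])
    report = {}
    for zone, z in zones.items():
        if z["queries"] < min_queries:
            continue
        label_ratio = len(z["labels"]) / z["queries"]
        source_ratio = len(z["sources"]) / z["queries"]
        report[zone] = {"queries": z["queries"], "label_ratio": round(label_ratio, 2),
                        "source_ratio": round(source_ratio, 2),
                        "mean_label_entropy": round(z["ent"] / z["queries"], 2),
                        "suspicious": label_ratio >= ratio and source_ratio >= ratio}
    return report
```

Run `flag_tunnel_candidates(SAMPLE_LOG)` (or feed it your own querylog text) and the tunnel.test zone is flagged while example.org is not; the entropy figure is reported separately because the thread's sample also contains one-letter labels that score zero on their own.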




RE: random dns queries with random sources

2014-02-19 Thread Beeman, Davis
They are, and dropping them just as fast.  It seems like they last a day or two, 
and then move on to another domain name.  They are similar enough that the bots 
probably work off a formula to determine valid requests.

It may be a coincidence, if you believe in those, but this type of CC traffic 
started ramping up wildly about a month after the ZeroAccess servers got 
blocked...  

Davis Beeman | Network Security Engineer | 360.816.3052
Integra 


-Original Message-
From: Joe Maimon [mailto:jmai...@ttec.com] 
Sent: Wednesday, February 19, 2014 08:59
To: Beeman, Davis; North American Networking and Offtopic Gripes List
Subject: Re: random dns queries with random sources



Beeman, Davis wrote:

 rather the authoritative name server in these domains is the rogue DNS server 
 in use by the bad actor running a botnet.

 Davis Beeman
 Network Security Engineer



Somebody must be registering these domain names.

And I should be able to compile a list of the auth servers in question.

Joe



RE: IPv6 Ignorance

2012-09-18 Thread Beeman, Davis
Orbits may not be important to this calculation, but just doing some quick head 
math, I believe large skyscrapers could already have close to this 
concentration of addresses, if you reduce them down to flat earth surface area. 
The point here is that breaking out the math based on the surface area of the 
earth is silly, as we do not utilize the surface of the earth in a flat 
manner... 

Davis Beeman 


 On Mon, Sep 17, 2012 at 11:27:04AM -0700, Owen DeLong wrote:
 
 What technology are you planning to deploy that will consume more than 2 
 addresses per square cm?
 
 Easy. Think volume (as in: orbit), and think um^3 for a functional 
 computers ;)

I meant real-world application.

Orbits are limited due to the required combination of speed and altitude. There 
are a limited number of achievable altitudes and collision avoidance also 
creates interesting problems in time-slotting for orbits which are not 
geostationary.

Geostationary orbits are currently limited to one object per degree of earth 
surface, and even at 4x that, you could give every satellite a /48 and still 
not burn through a /32.

Owen





RE: IPv6 Ignorance

2012-09-17 Thread Beeman, Davis
On Sep 17, 2012, at 08:18 , Matthew Kaufman matt...@matthew.at wrote:

 On 9/17/2012 5:28 AM, John Mitchell wrote:
 I think people forget how humongous the v6 space is...
 
 Remember that the address space is 2^128 (or 
 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses). To put that in 
 perspective (and a great sample that explained to me how large it was), you 
 will still get 667 quadrillion addresses per square millimetre of the Earth's 
 surface.
 
 Yes. But figure an average subnet has, what, maybe 5 hosts on it? (Sure, 
 there's some bigger ones, but a whole lot of my router, my PC, and maybe my 
 printer networks too.
 
 So even if you could use all the top bits (which you can't, as many 
 combinations are reserved), that's more like 92,233,720,368,547,758,080. And 
 if you lop off the top three bits and just count the space currently assigned 
 to Global Unicast, that's 11,529,215,046,068,469,760. Which is 0.02 per 
 square mm of the earth's surface. Or just over 2 per square centimeter.
 
 Powers of two get big fast... but they get small fast too.
 
 Matthew Kaufman


What technology are you planning to deploy that will consume more than 2 
addresses per square cm?

Owen

http://xkcd.com/865/

-Davis



RE: Comcast 1, Verizon 0 [was: Comcast vs. Verizon for repair methodologies]

2012-08-20 Thread Beeman, Davis
Whatever you do, no one let on that people can get issues like this fixed by 
posting to NANOG... this list will be flooded in a matter of hours...

Davis Beeman 


-Original Message-
From: Christoph Blecker [mailto:cblec...@gmail.com] 
Sent: Monday, August 20, 2012 14:27
To: Patrick W. Gilmore
Cc: NANOG list
Subject: Re: Comcast 1, Verizon 0 [was: Comcast vs. Verizon for repair 
methodologies]

Always good to know that *somebody* is listening!

Cheers,
Christoph

On Mon, Aug 20, 2012 at 2:22 PM, Patrick W. Gilmore patr...@ianai.net wrote:
 Comcast has already contacted me to fix this up.

 --
 TTFN,
 patrick


 On Aug 20, 2012, at 16:12 , Patrick W. Gilmore patr...@ianai.net wrote:

 Given the recent VZ thread, I thought I'd show why my new house has crap 
 Internet.

 The story: A piece of underground cable went bad.  The techs didn't pull new 
 underground cable.  They decided it was better to do it aerial (if you can 
 call 2 feet aerial).  They took apart the two pedestals on either side of 
 the break and ran a new strand of RG6 (yes, the same stuff you use inside 
 your home, not the outside-plant rated stuff) tied to trees with rope.

   http://ianai.smugmug.com/BostonPix/2012/Comcast-Atherton-Street

 These pedestals have looked like this for months apparently.  I called the 
 800 # and complained, they rolled a truck.  The guy didn't even come in my 
 house, just gave me his supervisor's number and said that he's a home tech, 
 the outside plant guys are the problem and he can't fix it.  A second guy 
 rolled up while we were chatting and told me he had a call around the block 
 for the same thing.  They've been taking complaints about this for months 
 and are as tired of it as we are.  I assured them I was more tired of it, 
 given he was getting paid while I was paying, but I understood their 
 situation.

 Of course, since the other broadband option at my house is 1 Mbps Verizon 
 DSL, I don't have much leverage. :(

 --
 TTFN,
 patrick

 P.S. Worst part is ATT sux there too, so I have a picocell - which runs 
 over the Comcast cable mode