DNS deluge for x.p.ctrc.cc

william(at)elan.net
Fri Feb 24 17:46:35 UTC 2006


On Fri, 24 Feb 2006, Estes, Paul wrote:

> We have recently noticed a deluge of DNS requests for "ANY ANY" records

They are trying to abuse similar holes that caused most of us to add
"no ip redirects" and "no ip directed broadcast" to routers, but this
time it's about DNS.

> of x.p.ctrc.cc. The requests are coming from thousands of sources,
> mostly our own customers.

Why am I not surprised ....

> There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc.

http://www.completewhois.com/cgi-bin/whois.cgi?query=28242102&options=retrieve

I don't think this is a hacker-setup domain; probably their DNS servers
were at some point hacked. They are associated with the legacy IP block
192.238.16.0/21. It is also notable that the CTRC.CC A record points to
192.168.202.72.

> A google search for x.p.ctrc.cc
> comes up with only 2 hits. One is a DNS log showing references to this
> name. The other one shows that somebody else is seeing the same behavior
> as we are:
>
> http://weblog.barnet.com.au/edwin/cat_networking.html
>
> However, this site has the benefit of providing a history that p.ctrc.cc
> had (a week ago) delegated NS record pointing to 321blowjob.com. At that
> time, 321blowjob.com's nameserver was responding with a TXT record for
> x.p.ctrc.cc.

> It would appear that ctrc.cc was the victim of some DNS hijacking.
> Whatever malware is attempting to lookup this name, however, is doing so
> at a horrific rate. I have some addresses that have made >250000
> requests for this name in a short period of time.
>
> I was thinking that I could simply put an authoritative zone for
> p.ctrc.cc in our nameservers and return something for the lookups

You might want to consider returning the same thing in lookups as ctrc.cc 
themselves have for direct A lookups...
> however, based on the writeup on the above-mentioned blog, I am now not
> certain this will have any effect. As you'll note, that individual had
> only 2 machines hitting his name server, and even though a response was
> provided to the lookup, the hosts continued to hammer his access link.
>
> When the lookup flood occurs, every host starts at the same time, as can
> be seen on the graphs of traffic to and load of our nameservers. It's
> all or nothing - the flood is either on or off. There's no background
> trickle.
>
> Is anybody else seeing these events?
>
> --Paul
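The thread describes two things an operator would want to pull out of resolver query logs: which sources are sending the bulk of the ANY queries for x.p.ctrc.cc (some made >250000 requests), and whether the load is a background trickle or an all-or-nothing burst. The script below is an added example, not code from this thread or from either poster. It assumes a BIND 9-style query log ("client A.B.C.D#port: query: name IN type +"); the sample lines are constructed (addresses from the RFC 5737 documentation ranges), and the threshold is an assumed tuning knob rather than anything the thread specifies.

```python
"""Find high-rate sources querying one name with type ANY in a BIND-style query log."""
import re
from collections import Counter

# Constructed sample in BIND 9 query-log format (not log data from the thread);
# source addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
24-Feb-2006 17:40:01.001 client 192.0.2.10#3311: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 17:40:01.002 client 192.0.2.10#3312: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 17:40:01.002 client 198.51.100.7#1025: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 17:40:01.003 client 192.0.2.10#3313: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 17:40:01.004 client 203.0.113.5#2000: query: www.example.com IN A +
24-Feb-2006 17:40:01.005 client 192.0.2.10#3314: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 17:40:02.100 client 198.51.100.7#1026: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 17:40:02.200 client 203.0.113.5#2001: query: ctrc.cc IN A +
"""

# Timestamp to one-second resolution, client address, qname and qtype.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source, qname, qtype) for one query-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # DNS names are case-insensitive; normalise case and drop any trailing dot.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ts"), m.group("src"), qname, m.group("qtype").upper()


def matching_queries(lines, qname, qtype="ANY"):
    """Yield (timestamp, source) for every query of exactly qname/qtype."""
    qname = qname.rstrip(".").lower()
    qtype = qtype.upper()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == qname and rec[3] == qtype:
            yield rec[0], rec[1]


def top_sources(lines, qname, qtype="ANY", threshold=1000):
    """Sources that sent at least `threshold` matching queries, busiest first.

    `threshold` is an assumed knob; set it from your own baseline, not from
    the numbers quoted in the thread.
    """
    counts = Counter(src for _, src in matching_queries(lines, qname, qtype))
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


def per_second(lines, qname, qtype="ANY"):
    """Matching queries bucketed per second, in time order.

    A steady trickle shows up as a flat series; the all-or-nothing flood
    described in the thread shows up as a block of high counts bounded by
    seconds with no entries at all.
    """
    buckets = Counter(ts for ts, _ in matching_queries(lines, qname, qtype))
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in top_sources(lines, "x.p.ctrc.cc", threshold=3):
        print(f"{src:<16} {n:>6} ANY queries for x.p.ctrc.cc")
    for ts, n in per_second(lines, "x.p.ctrc.cc").items():
        print(f"{ts}  {n}")
```

On a production resolver you would feed it the real query log (or a tcpdump-derived equivalent) and raise the threshold; the per-second series is what you would graph to confirm the synchronised start Paul describes before deciding whether a local authoritative zone for p.ctrc.cc is worth trying.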



More information about the NANOG mailing list