DNS deluge for x.p.ctrc.cc

Estes, Paul pestes at Covad.COM
Fri Feb 24 18:14:51 UTC 2006

Actually, what we are seeing does not appear to be an amplification
attack. It appears to be a request flood from infected machines.

We have anti-spoofing filters on our upstream connections as well as our
subscriber's access lines. The source addresses are not spoofed. They
are valid subscriber source IP's.

Based on some cached entries I have found in other nameservers, CTRC.CC
was apparently hacked and was delegating a number of subdomains to
another nameserver that was issuing the 4K TXT record. The delegation
has now been removed, and the nameserver they were delegated to appears
to be offline.


-----Original Message-----
From: william(at)elan.net [mailto:william at elan.net] 
Sent: Friday, February 24, 2006 9:47 AM
To: Estes, Paul
Cc: nanog at merit.edu
Subject: Re: DNS deluge for x.p.ctrc.cc

On Fri, 24 Feb 2006, Estes, Paul wrote:

> We have recently noticed a deluge of DNS requests for "ANY ANY"

They are trying to abuse similar holes that caused most of us add
"no ip redirects" and "no ip directed broadcast" to routers, but this
time its about dns

> of x.p.ctrc.cc. The requests are coming from thousands of sources,
> mostly our own customers.

Why am I not surprised ....

> There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc.


I don't think this is a hacker-setup domain, probably their dns servers 
were at some point hacked. They are associated with legacy ip block It is also notable that CTRC.CC A record points to

> A google search for x.p.ctrc.cc
> comes up with only 2 hits. One is a DNS log showing references to this
> name. The other one shows that somebody else is seeing the same
> as we are:
> http://weblog.barnet.com.au/edwin/cat_networking.html
> However, this site has the benefit or providing a history that
> had (a week ago) delegated NS record pointing to 321blowjob.com. At
> time, 321blowjob.com's nameserver was responding with a TXT record for
> x.p.ctrc.cc.

> It would appear that ctrc.cc was the victim of some DNS hijacking.
> Whatever malware is attempting to lookup this name, however, is doing
> at a horrific rate. I have some addresses that have made >250000
> requests for this name in a short period of time.
> I was thinking that I could simply put an authoritative zone for
> p.ctrc.cc in our nameservers and return something for the lookups

You might want to consider returning the same thing in lookups as
themselves have for direct A lookups...


More information about the NANOG mailing list