DNS deluge for x.p.ctrc.cc

Ejay Hire ejay.hire at isdn.net
Fri Feb 24 18:30:29 UTC 2006


It may be coincidental, but TXT and ANY queries for this
zone were the ones used in the multi-gigabit reflected DNS
DDoS against us earlier this month.

Ejay Hire
ISDN-Net Network Engineer

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On
> Behalf Of Estes, Paul
> Sent: Friday, February 24, 2006 11:26 AM
> To: nanog at merit.edu
> Subject: DNS deluge for x.p.ctrc.cc
> 
> We have recently noticed a deluge of DNS requests for "ANY ANY"
> records of x.p.ctrc.cc. The requests are coming from thousands of
> sources, mostly our own customers. There are currently no records
> for x.p.ctrc.cc, or even for p.ctrc.cc. A Google search for
> x.p.ctrc.cc comes up with only 2 hits. One is a DNS log showing
> references to this name. The other one shows that somebody else is
> seeing the same behavior as we are:
> 
> http://weblog.barnet.com.au/edwin/cat_networking.html
> 
> However, this site has the benefit of providing a history that
> p.ctrc.cc had (a week ago) a delegated NS record pointing to
> 321blowjob.com. At that time, 321blowjob.com's nameserver was
> responding with a TXT record for x.p.ctrc.cc.
> 
> It would appear that ctrc.cc was the victim of some DNS hijacking.
> Whatever malware is attempting to look up this name, however, is
> doing so at a horrific rate. I have some addresses that have made
> >250000 requests for this name in a short period of time.
> 
> I was thinking that I could simply put an authoritative zone for
> p.ctrc.cc in our nameservers and return something for the lookups;
> however, based on the writeup on the above-mentioned blog, I am now
> not certain this will have any effect. As you'll note, that
> individual had only 2 machines hitting his name server, and even
> though a response was provided to the lookup, the hosts continued to
> hammer his access link.
> 
> When the lookup flood occurs, every host starts at the same time, as
> can be seen on the graphs of traffic to and load of our nameservers.
> It's all or nothing - the flood is either on or off. There's no
> background trickle.
> 
> Is anybody else seeing these events?
> 
> --Paul
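A small resolver-side triage script, added here as an example and not code from either poster, that flags the two patterns Paul describes: clients hammering one name with ANY/TXT queries, and the synchronized all-or-nothing bursts with no background trickle. The BIND 9-style query log lines are constructed sample data, and the log layout regex and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed BIND 9-style query log lines (sample data, not from the thread).
SAMPLE_LOG = """\
24-Feb-2006 11:20:01.100 client 192.0.2.10#5353: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.105 client 192.0.2.11#4312: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.110 client 192.0.2.10#5353: query: x.p.ctrc.cc IN TXT +
24-Feb-2006 11:20:01.120 client 192.0.2.12#1025: query: www.example.net IN A +
24-Feb-2006 11:20:01.130 client 192.0.2.10#5353: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:02.000 client 192.0.2.11#4312: query: x.p.ctrc.cc IN ANY +
"""

# Assumed layout: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(text):
    """Yield (timestamp, client_ip, qname, qtype) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"].upper()

def flag_heavy_clients(text, qname, threshold, qtypes=("ANY", "TXT")):
    """Map client_ip -> count for clients that sent at least `threshold`
    ANY/TXT queries for `qname`: the hosts worth rate-limiting or contacting."""
    counts = Counter(ip for _, ip, name, qtype in parse_queries(text)
                     if name == qname and qtype in qtypes)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def burst_profile(text, qname):
    """Per-second (query count, distinct clients) for `qname`. A synchronized
    all-or-nothing flood shows as seconds with many queries from many clients
    next to seconds with nothing at all, rather than a steady trickle."""
    queries = Counter()
    clients = defaultdict(set)
    for ts, ip, name, _ in parse_queries(text):
        if name == qname:
            second = ts.replace(microsecond=0).isoformat(sep=" ")
            queries[second] += 1
            clients[second].add(ip)
    return {s: (queries[s], len(clients[s])) for s in queries}

if __name__ == "__main__":
    print(flag_heavy_clients(SAMPLE_LOG, "x.p.ctrc.cc", threshold=2))
    print(burst_profile(SAMPLE_LOG, "x.p.ctrc.cc"))
```

Run against a real query log with a threshold in the range Paul quotes and the first function yields the customer addresses to rate-limit or notify, while the second shows whether the load arrives as one synchronized wave.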