DNS deluge for x.p.ctrc.cc
Ejay Hire
ejay.hire at isdn.net
Fri Feb 24 18:30:29 UTC 2006
It may be coincidental, but TXT and ANY queries for this
zone were the ones used in the multi-gigabit reflected dns
DDOS against us earlier this month.
Ejay Hire
ISDN-Net Network Engineer
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On
> Behalf Of Estes, Paul
> Sent: Friday, February 24, 2006 11:26 AM
> To: nanog at merit.edu
> Subject: DNS deluge for x.p.ctrc.cc
>
> We have recently noticed a deluge of DNS requests for "ANY
> ANY" records of x.p.ctrc.cc. The requests are coming from
> thousands of sources, mostly our own customers. There are
> currently no records for x.p.ctrc.cc, or even for p.ctrc.cc.
> A Google search for x.p.ctrc.cc comes up with only 2 hits.
> One is a DNS log showing references to this name. The other
> one shows that somebody else is seeing the same behavior as we are:
>
> http://weblog.barnet.com.au/edwin/cat_networking.html
>
> However, this site has the benefit of providing a history
> that p.ctrc.cc had (a week ago) a delegated NS record pointing
> to 321blowjob.com. At that time, 321blowjob.com's nameserver
> was responding with a TXT record for x.p.ctrc.cc.
>
> It would appear that ctrc.cc was the victim of some DNS
> hijacking. Whatever malware is attempting to look up this
> name, however, is doing so at a horrific rate. I have some
> addresses that have made >250000 requests for this name in a
> short period of time.
>
> I was thinking that I could simply put an authoritative zone
> for p.ctrc.cc in our nameservers and return something for the
> lookups; however, based on the writeup on the above-mentioned
> blog, I am now not certain this will have any effect. As
> you'll note, that individual had only 2 machines hitting his
> name server, and even though a response was provided to the
> lookup, the hosts continued to hammer his access link.
>
> When the lookup flood occurs, every host starts at the same
> time, as can be seen on the graphs of traffic to and load of
> our nameservers. It's all or nothing - the flood is either on
> or off. There's no background trickle.
>
> Is anybody else seeing these events?
>
> --Paul
>
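As an added illustration (not part of the original thread), the following script shows how a resolver operator could spot the pattern Paul describes in their own query logs: ANY/TXT lookups for one name arriving from many distinct clients, with a few clients far above the rest. It assumes BIND 9 style query-log lines ("client A.B.C.D#port: query: NAME IN TYPE"), uses constructed sample lines, and the thresholds are placeholders to be tuned to local traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style query-log lines (sample data, not taken from the post):
# one client hammering ANY, two more lookups of the same name, and normal traffic.
SAMPLE_LOG = """\
24-Feb-2006 11:20:01.001 client 192.0.2.10#33021: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.002 client 192.0.2.10#33022: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.003 client 192.0.2.10#33023: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.004 client 192.0.2.10#33024: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.005 client 192.0.2.10#33025: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.010 client 192.0.2.11#4100: query: X.P.CTRC.CC. IN ANY +
24-Feb-2006 11:20:01.020 client 192.0.2.12#5200: query: x.p.ctrc.cc IN TXT +
24-Feb-2006 11:20:01.030 client 198.51.100.5#6300: query: www.example.com IN A +
24-Feb-2006 11:20:01.040 client 198.51.100.5#6301: query: example.org IN ANY +
"""

# Pulls source address, query name and type out of a "client a.b.c.d#port: query: NAME IN TYPE" line.
QUERY_RE = re.compile(r"client (?P<src>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Za-z0-9]+)")

def parse_queries(lines):
    """Yield (source, qname, qtype); qname is lower-cased with any trailing dot removed."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["src"], m["qname"].lower().rstrip("."), m["qtype"].upper()

def find_query_floods(lines, watched=("ANY", "TXT"), min_sources=3, per_source_limit=5):
    """Group ANY/TXT queries by name and count them per source client.
    A name is reported once min_sources distinct clients ask for it; clients at or
    above per_source_limit are listed so they can be contacted or rate-limited."""
    per_name = defaultdict(Counter)
    for src, qname, qtype in parse_queries(lines):
        if qtype in watched:
            per_name[qname][src] += 1
    report = {}
    for qname, srcs in per_name.items():
        if len(srcs) >= min_sources:
            report[qname] = {
                "sources": len(srcs),
                "queries": sum(srcs.values()),
                "heavy_hitters": sorted(s for s, n in srcs.items() if n >= per_source_limit),
            }
    return report

if __name__ == "__main__":
    for name, stats in find_query_floods(SAMPLE_LOG.splitlines()).items():
        print(name, stats)
```

On real logs the thresholds would be far higher (Paul saw single clients exceeding 250000 requests); the point is the shape of the signal, not the specific numbers.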