Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)

Alain Hebert ahebert at pubnix.net
Fri May 10 14:14:37 UTC 2013


On 05/09/13 19:03, Mark Andrews wrote:
> In message <518BD982.60709 at pubnix.net>, Alain Hebert writes:
>>     ( Ok, ok, another bad customer =D )
>>
>> Starting today at 5h15m EST...
>>
>>     There is a bigger than usual DDoS amplification against the IPs
>> listed below.
>>
>>     Granted, the root servers query is barely 1k while the usual isc.org one is
>> 3.5k, and this is a "possible" 15Mbps from this one source, but still :(
> 	With a validating resolver
>
> 	"dig any . +edns" returns a 1872 byte payload.
> 	"dig any . +dnssec" returns a 2030 byte payload.
> 	(difference is NS RRSIG records)
>
> 	Getting the DNSKEY records included isn't hard.  Throw a
> 	single DNSKEY query into the stream once a day/hour
> 	and it will be cached for 48 hours.
>
> 	If you have the SOA cached as well it gets to
>
> 	"dig any . +edns" returns a 2087 byte payload.
> 	"dig any . +dnssec" returns a 2245 byte payload.
>  
> 	Mark

Well, during the Spamhaus incident I saw some at around 8k.

On another note...

    After 18 hours, that "pot" is still receiving ~200pps (down from
800 and 400pps) and it's up to 614 IPs now...

I still do not see the motive behind this one:

    Either someone messed up his botnet and he's stuck on it =D

    Could be a rootkit using this server as a DNS server (lots of
targets are hosted Linux in outfits like OVH).
    ( But again, why spam . IN ANY queries and not cache the results? )

    And a new query popped up -> doc.gov IN ANY +E; granted, I only saw a
few of them.

    And a few of the source IPs are gaming forums, mostly Minecraft
oriented.

PS: Reminder that this server does not actually amplify anything and the
service at that location is not affected.

>
>> PS:
>>
>>     If you're a Tier and wish to track down the *^%$*#@ source ISPs to
>> explain to them the joy of BCP38...
>>
>>     Contact me off list, from your corporate email address, and I'll
>> provide you with the IP of that server.
>>
>> ----- IPs are targeted for DDoS amplification.
>>
>> Format:
>>
>> <IP>
>>     <query count during 10 seconds> [query]
>>
>> 94.23.42.215
>>         2128 . IN ANY +E
>> 208.98.25.130
>>         3079 . IN ANY +E
>> 188.134.46.102
>>         2639 . IN ANY +E
>> 108.61.239.105
>>         2270 . IN ANY +E
>> 95.129.166.186
>>         2416 . IN ANY +E
>> 176.9.210.53
>>         2839 . IN ANY +E
>> 145.53.65.130
>>         2326 . IN ANY +E
>> 99.198.100.86
>>         1223 . IN ANY +E
>> 37.59.72.74
>>         2508 . IN ANY +E
>> 199.83.133.42
>>         2392 . IN ANY +E
>> 74.63.248.210
>>         1481 . IN ANY +E
>> 173.199.68.62
>>         1178 . IN ANY +E
>> 82.80.17.4
>>         2666 . IN ANY +E
>> 188.162.228.50
>>         1075 . IN ANY +E
>> 79.225.4.183
>>         1014 . IN ANY +E
>> 78.108.79.171
>>         1291 . IN ANY +E
>> 31.53.123.192
>>         1093 . IN ANY +E
>> 90.3.194.151
>>         1245 . IN ANY +E
>> 27.50.70.191
>>         1304 . IN ANY +E
>> 198.7.63.39
>>         1579 . IN ANY +E
>> 81.220.28.129
>>         1103 . IN ANY +E
>> 198.105.218.12
>>         1110 . IN ANY +E
>> 86.160.85.37
>>         1128 . IN ANY +E
>> 184.95.35.194
>>         1237 . IN ANY +E
>> 134.255.237.244
>>         1245 . IN ANY +E
>> 178.32.36.67
>>         1588 . IN ANY +E
>> 204.45.55.8
>>         1419 . IN ANY +E
>> 95.211.209.182
>>         1520 . IN ANY +E
>> 80.192.224.22
>>         1430 . IN ANY +E
>> 24.244.248.8
>>         1414 . IN ANY +E
>> 79.71.69.165
>>         1090 . IN ANY +E
>> 24.244.248.57
>>         1364 . IN ANY +E
>> 82.132.226.216
>>         1079 . IN ANY +E
>> 69.162.97.99
>>         1601 . IN ANY +E
>>
>> -----
>> Alain Hebert                                ahebert at pubnix.net
>> PubNIX Inc.
>> 50 boul. St-Charles
>> P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
>> Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
>>
>>
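The thread above describes a resolver that answers nothing useful (a "pot") but still logs who is being made to ask it for `. IN ANY +E`, and reports, per source address, how many queries arrive in a 10-second window. The following is an added example of that defender-side triage, not code from either poster: it parses a constructed query-log format (epoch seconds, source IP, qname, qtype, optional `+E` EDNS marker; the format and the documentation-range addresses in it are assumptions for this example), counts EDNS `ANY` queries per source and qname in 10-second buckets, flags sources whose peak exceeds a threshold (those are the spoofed victims, not the attacker), prints them in the same `<IP> / <count> <qname> IN ANY +E` layout used in the thread, and estimates how much reflected traffic a victim would have received had the pot answered with the 2030-byte `+dnssec` payload Mark quoted instead of nothing.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread). One line per query:
#   <epoch seconds> <source IP> <qname> <qtype> [+E]
# 198.51.100.7 is a spoofed victim address sending a burst of root-zone ANY
# queries with EDNS; 192.0.2.20 is an ordinary resolver asking for unrelated
# names; 203.0.113.9 shows the doc.gov variant the thread mentions.
SAMPLE_LOG = "\n".join(
    [f"13681941{i:02d} 198.51.100.7 . ANY +E" for i in range(12)]
    + [
        "1368194103 192.0.2.20 www.example.com. A",
        "1368194108 192.0.2.20 example.com. MX",
        "1368194111 203.0.113.9 doc.gov. ANY +E",
        "1368194115 198.51.100.7 . ANY +E",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<ip>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)(?P<edns>\s+\+E)?\s*$"
)


def parse_query_log(text):
    """Return (ts, ip, qname, qtype, edns) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append((int(m["ts"]), m["ip"], m["qname"], m["qtype"], m["edns"] is not None))
    return records


def is_reflection_candidate(qtype, edns):
    """The pattern in the thread: ANY plus EDNS0, so the answer may exceed 512 bytes."""
    return qtype.upper() == "ANY" and edns


def count_per_window(records, window=10):
    """Count candidate queries per (source IP, qname, 10-second bucket)."""
    counts = defaultdict(int)
    for ts, ip, qname, qtype, edns in records:
        if is_reflection_candidate(qtype, edns):
            counts[(ip, qname, ts // window)] += 1
    return counts


def peak_per_source(counts):
    """Collapse the buckets to the busiest window seen for each (IP, qname)."""
    peaks = defaultdict(int)
    for (ip, qname, _bucket), n in counts.items():
        peaks[(ip, qname)] = max(peaks[(ip, qname)], n)
    return dict(peaks)


def flag_targets(peaks, threshold):
    """Sources at or above the threshold are the spoofed victims worth reporting."""
    return sorted(((key, n) for key, n in peaks.items() if n >= threshold), key=lambda t: -t[1])


def estimated_reflected_mbps(queries, window_s, response_bytes):
    """Traffic the victim would have seen had each query been answered with response_bytes."""
    return queries * response_bytes * 8 / window_s / 1e6


def format_report(flagged):
    """Same layout as the thread: the IP, then an indented count and query."""
    lines = []
    for (ip, qname), n in flagged:
        lines.append(ip)
        lines.append(f"    {n} {qname} IN ANY +E")
    return "\n".join(lines)


if __name__ == "__main__":
    peaks = peak_per_source(count_per_window(parse_query_log(SAMPLE_LOG)))
    flagged = flag_targets(peaks, threshold=8)
    print(format_report(flagged))
    # Mark's 2030-byte "+dnssec" answer times the 3079 queries/10s from the
    # thread's busiest listed victim, had the pot actually answered.
    print(f"{estimated_reflected_mbps(3079, 10, 2030):.2f} Mbps")
```

The threshold is deliberately a parameter: on the sample it is 8, while the counts in the thread run into the thousands per 10 seconds, so a production cut-off would be set from the resolver's normal ANY rate. The bandwidth estimate is what makes the "pseudo honey pot" point concrete: a single listed victim at 3079 queries per 10 seconds would receive about 5 Mbps if every query were answered with the 2030-byte payload, and nothing when the pot stays silent.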
