Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)
ahebert at pubnix.net
Fri May 10 14:14:37 UTC 2013
On 05/09/13 19:03, Mark Andrews wrote:
> In message <518BD982.60709 at pubnix.net>, Alain Hebert writes:
>> ( Ok, ok, another bad customer =D )
>> Starting today at 5h15m EST...
>> There is a bigger than usual DDoS amplification against the IPs
>> listed below.
>> Granted, the root servers query is barely 1k while the usual isc.org one is
>> 3.5k, and this is a "possible" 15Mbps from this one source, but still :(
> With a validating resolver
> "dig any . +edns" returns a 1872 byte payload.
> "dig any . +dnssec" returns a 2030 byte payload.
> (the difference is the NS RRSIG records)
> Getting the DNSKEY records included isn't hard. Throw a
> single DNSKEY query into the stream once a day/hour
> and it will be cached for 48 hours.
> If you have the SOA cached as well it gets to
> "dig any . +edns" returns a 2087 byte payload.
> "dig any . +dnssec" returns a 2245 byte payload.
Well, during the Spamhaus incident I saw some at around 8k.
On another note...
After 18 hours, that "pot" is still receiving ~200pps (down from
800 and 400pps) and it's up to 614 IPs now...
I still do not see the motive behind this one:
Either someone messed up his botnet and he's stuck on it =D
Could be a rootkit using this server as a DNS server (lots of
targets are hosted Linux in outfits like OVH).
(But again, why spam . IN ANY queries and not cache the results?)
And a new query popped up -> doc.gov IN ANY +E, granted, I only saw a
few of them.
And a few of the source IPs are gaming forums, mostly Minecraft.
PS: Reminder, this server does not actually amplify anything and the
service at that location is not affected.
>> If you're a Tier and wish to track down the *^%$*#@ source ISPs to
>> explain to them the joy of BCP38...
>> Contact me off list, from your corporate email address, and I'll
>> provide you with the IP of that server.
>> ----- IPs are targeted for DDoS amplification.
>> <query count during 10 seconds> [query]
>> Alain Hebert ahebert at pubnix.net
>> PubNIX Inc.
>> 50 boul. St-Charles
>> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
>> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
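As an added example (not part of this thread or of anyone's posted code), a small Python checker that does what Alain's 10-second query count does, over a constructed sample in BIND 9 query-log style: it counts ". IN ANY +E" queries per source address in a sliding window and estimates the payload amplification from the dig sizes Mark quotes. With spoofed traffic the flagged sources are the reflection victims, which is why the list is something to report upstream rather than to block. The log format, sample addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on a BIND 9 query log ("+E" = EDNS query); not real traffic.
SAMPLE_LOG = """\
10-May-2013 05:15:00.101 client 192.0.2.10#53: query: . IN ANY +E (203.0.113.5)
10-May-2013 05:15:00.105 client 192.0.2.10#53: query: . IN ANY +E (203.0.113.5)
10-May-2013 05:15:02.310 client 192.0.2.10#53: query: . IN ANY +E (203.0.113.5)
10-May-2013 05:15:03.000 client 198.51.100.7#4242: query: www.example.com IN A - (203.0.113.5)
10-May-2013 05:15:04.777 client 192.0.2.10#53: query: . IN ANY +E (203.0.113.5)
10-May-2013 05:15:05.100 client 192.0.2.44#53: query: doc.gov IN ANY +E (203.0.113.5)
10-May-2013 05:15:09.999 client 192.0.2.10#53: query: . IN ANY +E (203.0.113.5)
10-May-2013 05:15:12.000 client 192.0.2.10#53: query: . IN ANY +E (203.0.113.5)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_any_queries(log_text, qname="."):
    """Map source address -> epoch timestamps of EDNS ANY queries for qname (default: the root)."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qname"] != qname or m["qtype"] != "ANY" or "E" not in m["flags"]:
            continue
        per_src[m["src"]].append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").timestamp())
    return per_src

def peak_rate(timestamps, window_seconds=10):
    """Largest number of queries inside any sliding window of window_seconds (two-pointer scan)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_reflection_targets(log_text, window_seconds=10, threshold=1000):
    """Sources whose peak rate reaches threshold; with spoofed traffic these are the victims."""
    rates = {s: peak_rate(t, window_seconds) for s, t in parse_any_queries(log_text).items()}
    return {s: n for s, n in rates.items() if n >= threshold}

# ". IN ANY" query with OPT record: 12-byte header + 1-byte root name + 4 type/class + 11-byte OPT = 28.
ANY_ROOT_QUERY_BYTES = 28
def amplification_factor(response_bytes, query_bytes=ANY_ROOT_QUERY_BYTES):
    """DNS payload amplification; the 2245-byte '+dnssec' answer quoted above gives about 80x."""
    return response_bytes / query_bytes
```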