random dns queries with random sources

Joe Maimon jmaimon at ttec.com
Wed Feb 19 06:28:38 UTC 2014


Owen DeLong wrote:
>
> On Feb 18, 2014, at 9:48 PM, Joe Maimon <jmaimon at ttec.com> wrote:

>
> This assumes several facts not in evidence:
>
> 1.	It is an attack.
> 2.	It is deliberate
> 3.	There is a target
> 4.	It is more effective than others
>
> On what do you base those assumptions? To me this looks to be far more likely to be someone’s wayward script, experiment, software, tool, etc. doing something it probably isn’t supposed to be doing.

I have found this occurring on unaffiliated open resolvers (that I 
happen to support and that I was able to make the choice to close)

It has been ongoing for a week or so (but not constant). The domain 
names have a pattern but are comprised of components that appear to be 
randomly generated. The source IP addresses for the queries appear to be 
non duplicated and randomly generated.

query logs are available for unicasting to the interested.

Has nobody else seen this?

>
> If it happens to also be gathering the answers or information that the author wants (or appears to be doing so), then the author may well be blissfully ignorant of its wayward behavior towards your servers.
>
> Owen
>
>
>

I would like to figure out how.

Joe





More information about the NANOG mailing list