random dns queries with random sources

sthaug at nethelp.no sthaug at nethelp.no
Wed Feb 19 09:18:23 UTC 2014


> Premature send - I meant to add 'Or against the authoritative servers for 5kkx.com?'
> 
> We've been seeing a spate of reflected (not amplified) DNS attacks against various authoritative servers in Europe for the past week or so, bounced through some type of consumer DSL broadband CPE with an open DNS forwarded on the WAN interface (don't know the make/model, but it was supplied by the broadband operators to the customers), on some European broadband access networks.  

Pretty clearly an attack against various authoritative servers. Right
now I'm seeing attacks against the following domains / name servers:

comedc.com      NS f1g1ns1.dnspod.net vip1.zndns.com v1s1.xundns.com
jd176.com       NS ns{1,2}.dnsabc-g.com
x7ok.com        NS safe.qycn.{com,org,net,cn}
bdhope.com      NS ns{1,2}.dnsabc-b.com
yg521.com       NS dns{1,2,3,4,5,6}.iidns.com
56bj56.com      NS ns{1,2}.dnsabc-f.com

This is all detected in AS 2116 - unfortunately we have our share of
customers with open resolvers  / broadband routers with DNS proxies
open towards the WAN side.

Steinar Haug, AS 2116



More information about the NANOG mailing list