random dns queries with random sources

sthaug at nethelp.no sthaug at nethelp.no
Wed Feb 19 09:26:23 UTC 2014


> It has been ongoing for a week or so (but not constant). The domain 
> names have a pattern but are comprised of components that appear to be 
> randomly generated. The source IP addresses for the queries appear to be 
> non duplicated and randomly generated.
> 
> query logs are available for unicasting to the interested.
> 
> Has nobody else seen this?

We've seen it. It is pretty clearly an attack against authoritative
name servers for various domains, using open recursors or proxies to
reflect the queries.

Steinar Haug, AS 2116




More information about the NANOG mailing list