random dns queries with random sources

Beeman, Davis Davis.Beeman at integratelecom.com
Wed Feb 19 15:57:36 UTC 2014


I am late to this train, but it appears no one else has brought this up.  It is a DNS tunneling setup, not an attack.  I have been dealing with one of these lately as well.  They were using some open resolvers in my network to reflect, but the "random" hostnames in the queries are tunneled traffic or keywords.  The original sources of the traffic are probably members of a botnet, and this is being used as a sneaky C&C method.   Due to the tiny amount of data you can send in the DNS query name field, this will sort of look like an attack, because they have to send thousands of queries to get anything done.  

They are not attacking the authoritative name servers in those domains, as has been suggested, rather the authoritative name server in these domains is the rouge DNS server in use by the bad actor running a botnet. 

Davis Beeman
Network Security Engineer


-----Original Message-----
From: Joe Maimon [mailto:jmaimon at ttec.com] 
Sent: Tuesday, February 18, 2014 19:08
To: North American Networking and Offtopic Gripes List
Subject: random dns queries with random sources

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels.

But now this. At different times during the previous days and on different resolvers, routers with proxy turned on, etc...

Thousand of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any significant frequency)

What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: 
swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: 
query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: 
query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: 
uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: 
query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: 
query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: 
bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: 
query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: 
query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: 
ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: 
query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: 
query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: 
query: l.5kkx.com IN A + (66.199.132.7)




More information about the NANOG mailing list