random dns queries with random sources
Davis.Beeman at integratelecom.com
Wed Feb 19 17:08:03 UTC 2014
They are, and dropping them just as fast. It seems like they last a day or two, and then move on to another domain name. They are similar enough that the bots probably work off a formula to determine valid requests.
It may be a coincidence, if you believe in those, but this type of C&C traffic started ramping up wildly about a month after the ZeroAccess servers got blocked...
Davis Beeman | Network Security Engineer | 360.816.3052
From: Joe Maimon [mailto:jmaimon at ttec.com]
Sent: Wednesday, February 19, 2014 08:59
To: Beeman, Davis; North American Networking and Offtopic Gripes List
Subject: Re: random dns queries with random sources
Beeman, Davis wrote:
> rather the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.
> Davis Beeman
> Network Security Engineer
Somebody must be registering these domain names.
And I should be able to compile a list of the auth servers in question.