random dns queries with random sources

Beeman, Davis Davis.Beeman at integratelecom.com
Wed Feb 19 17:08:03 UTC 2014


They are, and dropping them just as fast.  It seems like the last a day or two, and then move on to another domain name.  They are similar enough that the bots probably work off a formula to determine valid requests.

It may be a coincidence, if you believe in those, but this type of C&C traffic started ramping up wildly about a month after the ZeroAccess servers got blocked...  

Davis Beeman | Network Security Engineer | 360.816.3052
Integra 


-----Original Message-----
From: Joe Maimon [mailto:jmaimon at ttec.com] 
Sent: Wednesday, February 19, 2014 08:59
To: Beeman, Davis; North American Networking and Offtopic Gripes List
Subject: Re: random dns queries with random sources



Beeman, Davis wrote:

> rather the authoritative name server in these domains is the rouge DNS server in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer



Somebody must be registering these domain names.

And I should be able to compile a list of the auth servers in question.

Joe



More information about the NANOG mailing list