random dns queries with random sources

Dale Rumph dale.rumph at gmail.com
Wed Feb 19 16:11:35 UTC 2014


Davis,

Having seen this in the past, and managing both open resolvers and
authoritative servers for several large eyeball networks, I think your
assumption is correct: this definitely smells like C&C traffic being handled
via DNS.

Just my 2c - YMMV - All sales final, As is

- Dale Rumph
- Network Engineer/Security Consultant
On Feb 19, 2014 10:58 AM, "Beeman, Davis" <Davis.Beeman at integratelecom.com>
wrote:

> I am late to this train, but it appears no one else has brought this up.
>  It is a DNS tunneling setup, not an attack.  I have been dealing with one
> of these lately as well.  They were using some open resolvers in my network
> to reflect, but the "random" hostnames in the queries are tunneled traffic
> or keywords.  The original sources of the traffic are probably members of a
> botnet, and this is being used as a sneaky C&C method.   Due to the tiny
> amount of data you can send in the DNS query name field, this will sort of
> look like an attack, because they have to send thousands of queries to get
> anything done.
>
> They are not attacking the authoritative name servers in those domains, as
> has been suggested, rather the authoritative name server in these domains
> is the rogue DNS server in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer
>
>
> -----Original Message-----
> From: Joe Maimon [mailto:jmaimon at ttec.com]
> Sent: Tuesday, February 18, 2014 19:08
> To: North American Networking and Offtopic Gripes List
> Subject: random dns queries with random sources
>
> Hey all,
>
> DNS amplification spoofed source attacks, I get that. I even thought I was
> getting mitigation down to acceptable levels.
>
> But now this. At different times during the previous days and on different
> resolvers, routers with proxy turned on, etc...
>
> Thousands of queries with thousands of source IP addresses.
>
> According to my logs, sources are not being repeated (or not with any
> significant frequency).
>
> What is the purpose of this?
>
> 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)
>
>
>

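One way a resolver operator could pick this pattern out of BIND query logs, as an added example that is not part of the thread: it profiles each zone by how many distinct client IPs and distinct leftmost labels its queries carry, which is exactly the "new random name from a new source every time" signature described above. The sample lines are constructed in the format quoted in the thread, and the example.com lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# BIND query-log line, as quoted in the thread: <date> <time> queries: info: client <ip>#<port>: query: <name> IN <type> + (<resolver>)
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Constructed sample in that format; the example.com lines are invented to stand in for ordinary traffic.
SAMPLE = """\
18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:27.001 queries: info: client 10.0.0.5#5353: query: www.example.com IN A + (66.199.132.5)
18-Feb-2014 21:45:27.002 queries: info: client 10.0.0.5#5354: query: www.example.com IN A + (66.199.132.5)
18-Feb-2014 21:45:27.003 queries: info: client 10.0.0.6#5355: query: mail.example.com IN A + (66.199.132.5)
"""

def zone_of(name):
    """Registered-domain approximation: the last two labels (enough for this sample)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def profile(lines):
    """Per zone: total queries, distinct client IPs, distinct leftmost labels."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "labels": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line
        s = stats[zone_of(m["name"])]
        s["queries"] += 1
        s["clients"].add(m["client"])
        s["labels"].add(m["name"].split(".")[0])
    return stats

def suspicious_zones(lines, min_queries=5, min_unique_ratio=0.8):
    """Zones where almost every query brings a new label from a new source (thresholds are assumptions)."""
    flagged = []
    for zone, s in profile(lines).items():
        if s["queries"] < min_queries:
            continue
        label_ratio = len(s["labels"]) / s["queries"]
        client_ratio = len(s["clients"]) / s["queries"]
        if label_ratio >= min_unique_ratio and client_ratio >= min_unique_ratio:
            flagged.append(zone)
    return sorted(flagged)
if __name__ == "__main__":
    print(suspicious_zones(SAMPLE.splitlines()))  # ['5kkx.com']
```

Run it against a longer window of your own query log and tune min_queries to your baseline; ordinary zones repeat both their labels and their clients, so their ratios stay well below 0.8.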

More information about the NANOG mailing list