random dns queries with random sources

Pavel Zeleny pgreen at seznam.cz
Thu Feb 20 13:57:53 UTC 2014


Masataka Ohta <mohta <at> necom830.hpcl.titech.ac.jp> writes:

> 
> Joe Maimon wrote:
> 
> > What is the purpose of this?
...
> 
> 						Masataka Ohta
> 

Hi guys,
for a second, have you any clue how to block this traffic on the DNS server
side? As our company operates recursive resolvers for our customers, we can
see this weird traffic concentrated in our logs. It started Feb 3 at about
16:30 (GMT/UTC+1). A very large number of DNS A queries are sent from source
IP addresses of our customers, and they always look like
[randomjunk].SLD.com. We have seen 143 of these SLDs so far, and we had to
block them manually one by one.
We suspect some kind of botnet, because attack waves with new SLDs start at
the same time, coming from a broad range of valid non-spoofed source IP
addresses. The content of the UDP packets belonging to this traffic doesn't seem
to have any identical pattern.

Any ideas are highly appreciated.
Thank you!

Pavel Zeleny
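An added example, not from the original post or from any resolver software mentioned in it: one way to pick the affected zones out of a recursive resolver's query log instead of spotting them by hand. The pattern described above (a constantly changing junk label in front of a fixed SLD.com, from many real customer addresses) shows up per zone as a high ratio of distinct leftmost labels to total queries, high character entropy in those labels, and many distinct clients. The log layout is a BIND-style query log assumed for illustration, the sample lines are constructed (RFC 5737 test addresses), the "zone = last two labels" rule is a simplification of the [randomjunk].SLD.com shape in the post, and the thresholds are starting guesses that would need tuning on real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed BIND-style query-log layout.
# Not taken from the original post; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
20-Feb-2014 13:50:01.001 client 198.51.100.12#53211: query: kq7x2ma9.example-a.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.002 client 198.51.100.77#40122: query: z08vbn1q.example-a.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.003 client 203.0.113.5#51024: query: www.example-b.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.004 client 198.51.100.12#53212: query: 3hfdx0pl.example-a.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.005 client 203.0.113.9#41000: query: mail.example-b.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.006 client 198.51.100.200#53000: query: 9wq1er5t.example-a.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.007 client 203.0.113.5#51025: query: www.example-b.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.008 client 198.51.100.44#60001: query: a7lz0m4k.example-a.com IN A + (192.0.2.53)
20-Feb-2014 13:50:01.009 client 198.51.100.9#60002: query: pp2u6s8d.example-a.com IN A + (192.0.2.53)
"""

# Matches the "client IP#port: query: NAME IN TYPE" part of the assumed layout.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s):
    """Bits of entropy per character of a label; random junk scores high, 'www' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every line that matches the assumed layout."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")


def zone_of(qname):
    """Split a name into (zone, leftmost label).

    Simplification: the zone is the last two labels, mirroring the
    [randomjunk].SLD.com shape in the post. Names with fewer than three
    labels carry no junk label and are skipped (returned as (None, None)).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), labels[0]


def zone_stats(log_text):
    """Per zone: total A queries, set of distinct leftmost labels, set of distinct clients."""
    stats = defaultdict(lambda: {"total": 0, "labels": set(), "clients": set()})
    for client, qname, qtype in parse_queries(log_text):
        if qtype != "A":           # the post describes A queries only
            continue
        zone, label = zone_of(qname)
        if zone is None:
            continue
        z = stats[zone]
        z["total"] += 1
        z["labels"].add(label)
        z["clients"].add(client)
    return stats


def suspicious_zones(log_text, min_queries=5, min_unique_ratio=0.8,
                     min_entropy=2.5, min_clients=3):
    """Zones whose A queries look like random-label floods from many sources.

    Thresholds are illustrative guesses; tune them against real traffic.
    """
    flagged = []
    for zone, z in zone_stats(log_text).items():
        if z["total"] < min_queries:
            continue
        unique_ratio = len(z["labels"]) / z["total"]
        mean_entropy = sum(shannon_entropy(l) for l in z["labels"]) / len(z["labels"])
        if (unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy
                and len(z["clients"]) >= min_clients):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone in suspicious_zones(SAMPLE_LOG):
        z = zone_stats(SAMPLE_LOG)[zone]
        print(f"{zone}: {z['total']} queries, {len(z['labels'])} distinct labels, "
              f"{len(z['clients'])} clients")
```

Two caveats a practitioner would want: zones that legitimately carry many unique, random-looking labels (CDN hostnames, DNSBL lookups, tracking or telemetry names) will trip a threshold like this, so the output is a candidate list for review and an allowlist, not an automatic block list; and because the post says the sources are real, non-spoofed customer addresses, grouping by zone rather than by client is what makes the pattern visible at all, which is also why per-client rate limiting is a poor fit here.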




More information about the NANOG mailing list