Wednesday, June 26, 2013

Ecatel a big source of *.DirectedAt.Asia

Usually I see very little traffic on my DNS server. The advantage of this is that 'discovery queries' are a lot easier to spot. By discovery queries I mean the queries that booters or stressers send while looking for open DNS servers to abuse.

A project that does this kind of scanning for good is the Openresolverproject.org.

An example of a booter is the person running the different .asia and .us attacks, such as:
- MyDnsScan.Us
- Nukes / dongs.DirectedAt.Asia
- Dd0s.Asia

The person responsible for these domains has been exposed in the following blog post: Dns Amplification Attacks, Booter services and who's behind them

Around the same time that blog post was published I was digging around to find out when I first started seeing these .Asia domains and whether I could find a discovery query.

And I did!

The first .asia activity I observed on one of my nodes was on April 25th 2013.

25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)

Looking at this IP a bit more I noticed one earlier request:

25-Apr-2013 12:xx client 89.248.160.192#44330 (.): query: . IN ANY +E (w.x.y.z)

This IP belongs to the Dutch hosting provider Ecatel, and it is not the only IP from them either. Listing all the unique IPs that performed .asia requests together with their AS number shows a clear pattern:

Count IP AS ISP
36 50.7.190.60 AS5580 Atrato IP Networks
5 84.246.124.136 AS34568 ConnectingBytes GmbH
9 192.151.149.90 AS33387 DataShack, LC
8 192.187.102.74 AS33387 DataShack, LC
3 160.83.8.79 AS8373 Deutsche Bank AG
23 89.248.168.94 AS29073 Ecatel Network   
15 89.248.160.192 AS29073 Ecatel Network   
11 89.248.172.173 AS29073 Ecatel Network   
7 94.102.63.20 AS29073 Ecatel Network   
6 93.174.93.72 AS29073 Ecatel Network   
5 89.248.171.125 AS29073 Ecatel Network   
4 94.102.52.95 AS29073 Ecatel Network   
4 94.102.63.22 AS29073 Ecatel Network   
3 89.248.168.178 AS29073 Ecatel Network   
2 80.82.64.25 AS29073 Ecatel Network   
2 93.174.93.219 AS29073 Ecatel Network   
1 80.82.64.235 AS29073 Ecatel Network   
1 80.82.65.153 AS29073 Ecatel Network   
1 80.82.66.27 AS29073 Ecatel Network   
1 89.248.168.170 AS29073 Ecatel Network   
1 89.248.168.219 AS29073 Ecatel Network   
1 93.174.93.45 AS29073 Ecatel Network   
1 93.174.93.98 AS29073 Ecatel Network   
1 94.102.49.2 AS29073 Ecatel Network   
1 94.102.56.219 AS29073 Ecatel Network   
56 178.18.19.140 AS18779 EGIHosting  
36 178.18.26.213 AS18779 EGIHosting  
7 178.18.17.16 AS18779 EGIHosting  
1 178.18.26.76 AS18779 EGIHosting  
1 79.110.83.80 AS47195 Gameforge Productions GmbH
81 134.19.181.30 AS57172 Global Layer B.V.
44 188.95.48.25 AS57172 Global Layer B.V.
28 134.19.181.28 AS57172 Global Layer B.V.
51 213.239.204.50 AS24940 Hetzner Online AG
1 188.132.242.149 AS42910 Hosting Internet Hizmetleri Sanayi ve
2 188.138.109.53 AS8972 intergenia AG
14 192.162.137.62 AS16265 LeaseWeb B.V.
3 199.71.233.202 AS47869 Netrouting Data Facilities
1 109.235.51.224 AS47869 Netrouting Data Facilities
12 37.220.19.98 AS35662 Redstation Limited
4 88.150.195.29 AS35662 Redstation Limited
1 37.220.17.66 AS35662 Redstation Limited
1 46.249.58.116 AS50673 Serverius Holding B.V.
2 173.242.114.26 AS46664 VolumeDrive  
1 199.19.110.200 AS46664 VolumeDrive  
1 74.118.193.43 AS46664 VolumeDrive  
50 109.236.83.163 AS49981 WorldStream  
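The query-log lines above are BIND's query-log format, and the table is simply those lines counted per source IP and rolled up per AS. The following is an added example (not code from the post) that does both on constructed sample lines: it parses the log format, flags ANY queries that carry EDNS (including the bare '. IN ANY' root probe) as discovery queries, counts them per source IP, and rolls the counts up to an AS. The sample log lines and the small IP-to-AS table are constructed for the example; the IPs and AS numbers in it are copied from the table above.

```python
"""Flag DNS open-resolver 'discovery queries' in BIND query-log lines and
aggregate them per source IP and per AS.

Added example (not code from the post). The log line format, the source IPs
and the AS numbers are the ones quoted in the post; the sample log lines and
the IP-to-AS table below are constructed by hand for this example.
"""
import re
from collections import Counter

# BIND 9 query-log line, e.g.
# 25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
# Flags: '+' = recursion desired, '-' = not, 'E' = EDNS present; the trailing
# parenthesised address is the server address the query arrived on.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname_hint>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]*)\)$"
)


def parse_query_log_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["edns"] = "E" in rec["flags"]
    return rec


def is_discovery_query(rec):
    """ANY queries carrying EDNS (large UDP payload allowed) are the probe
    pattern seen in the post, including the bare '. IN ANY' root probe."""
    return rec["qtype"] == "ANY" and rec["edns"]


def discovery_counts(lines):
    """Count discovery queries per source IP; returns a Counter."""
    counts = Counter()
    for line in lines:
        rec = parse_query_log_line(line)
        if rec and is_discovery_query(rec):
            counts[rec["src"]] += 1
    return counts


# Constructed lookup; the entries are copied from the per-AS table in the post.
ASN_OF = {
    "89.248.160.192": ("AS29073", "Ecatel Network"),
    "89.248.168.94": ("AS29073", "Ecatel Network"),
    "50.7.190.60": ("AS5580", "Atrato IP Networks"),
}


def counts_by_asn(ip_counts, asn_table=ASN_OF):
    """Roll per-IP counts up to (ASN, name); unknown IPs land in one bucket."""
    by_asn = Counter()
    for ip, n in ip_counts.items():
        by_asn[asn_table.get(ip, ("unknown", "unknown"))] += n
    return by_asn


# Constructed sample log: four ANY+EDNS probes from two Ecatel IPs, one from
# an Atrato IP, and one ordinary A query that must not be flagged.
SAMPLE_LOG = """\
25-Apr-2013 18:01:02 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (192.0.2.53)
25-Apr-2013 18:01:03 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (192.0.2.53)
25-Apr-2013 12:00:10 client 89.248.160.192#44330 (.): query: . IN ANY +E (192.0.2.53)
25-Apr-2013 19:10:00 client 89.248.168.94#50001 (nukes.directedat.asia): query: nukes.directedat.asia IN ANY +E (192.0.2.53)
25-Apr-2013 19:11:00 client 50.7.190.60#33333 (dd0s.asia): query: dd0s.asia IN ANY +E (192.0.2.53)
25-Apr-2013 19:12:00 client 198.51.100.7#53210 (www.example.com): query: www.example.com IN A + (192.0.2.53)
"""

if __name__ == "__main__":
    per_ip = discovery_counts(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print(f"{n:5d} {ip:16s} {' '.join(ASN_OF.get(ip, ('?', '?')))}")
    for (asn, name), n in counts_by_asn(per_ip).most_common():
        print(f"{n:5d} {asn} {name}")
```

Feeding a real BIND query log through `discovery_counts` gives the per-IP column of the table above; the ASN lookup is the only part that needs an external source (a whois or a BGP-to-AS mapping), which is why it is a plain dict here.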

Ecatel is a known 'bad' hoster, as described by hostexploit.com:

Top 10 Bad Hosts 2013 Q1

HE Rank  HE Index  AS Number  Name  Country
1 152.38 AS29073 Ecatel Network NL NETHERLANDS
2 149.22 AS58001 Ideal Solution Ltd RU RUSSIAN FEDERATION
3 146.69 AS6697 Beltelecom BY BELARUS
4 141.69 AS29182 ISPsystem RU RUSSIAN FEDERATION
5 136.65 AS16276 OVH Systems FR FRANCE
6 134.49 AS24940 Hetzner Online AG DE GERMANY
7 133.96 AS40034 Confluence Networks Inc VG VG VIRGIN ISLANDS, BRITISH
8 133.83 AS197774 Smovskaya Valentina Ivanovna UA UKRAINE
9 132.18 AS11042 Landis Holdings Inc US UNITED STATES
10 131.11 AS47764 Mail.Ru LLC RU RUSSIAN FEDERATION
Source: http://www.hostexploit.com/


Saturday, June 22, 2013

Domain: mydnsscan.us

The domain name MyDnsScan.us made me think of DirectedAt.Asia.

After a quick comparison of the whois data I see they have matching registrars (Internet.bs Corp). Perhaps it's a lead.

A definite link can be made between the two domains when looking at the 'Name Server:' details in the whois data of MyDnsScan.Us, as it contains directedat.asia name servers.

The .asia domain has whois guard, but the MyDnsScan one has some contact details.

--- Directed at asia ---
    Domain ID:D2608645-ASIA
    Domain Name:DIRECTEDAT.ASIA
    Domain Create Date:12-Apr-2013 03:21:04 UTC
    Domain Expiration Date:12-Apr-2014 03:21:04 UTC
    Domain Last Updated Date:11-Jun-2013 20:50:05 UTC
    Last Transferred Date:
    Created by:Internet.bs Corp. R176-ASIA (814)
    Last Updated by Registrar:ASIA Registry R6-ASIA (9996)
    Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
    Domain Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:INTE9l5othfpmebj
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Attn: directedat.asia
    Registrant Address2: Aptds. 0850-   00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877

source: http://whois.domaintools.com/directedat.asia

--- My DNS Scan US ---

    Domain Name:    MYDNSSCAN.US
    Domain ID:      D40566976-US
    Sponsoring Registrar:    INTERNET.BS CORP.
    Sponsoring Registrar IANA ID:                814
    Registrar URL (registration services):       http://www.internet.bs
    Domain Status:                               clientTransferProhibited
    Registrant ID:                               INTESKAXRHT1B2G3
    Registrant Name:                             Herman Singh
    Registrant Address1:                         9049 180th St
    Registrant City:                             Jamaica
    Registrant Postal Code:                      11432
    Registrant Country:                          United States
    Registrant Country Code:                     US
    Registrant Phone Number:                     +1.5267675
    Registrant Email:                            hermansinghs@gmail.com
<snip>
    name Server:   NS-UK.TOPDNS.COM
    Name Server:   NS-USA.TOPDNS.COM
    Name Server:   NS-CANADA.TOPDNS.COM
    Name Server:   NS2.MYDNSSCAN.US
    Name Server:   NS1.MYDNSSCAN.US
    Name Server:   NS3.MYDNSSCAN.US
    Name Server:   NS4.MYDNSSCAN.US
    Name Server:   NS1.DIRECTEDAT.ASIA
    Name Server:   NS2.DIRECTEDAT.ASIA
    Created by Registrar:     INTERNET.BS CORP.
    Last Updated by Registrar:  INTERNET.BS CORP.
    Domain Registration Date:   Thu May 23 20:58:15 GMT 2013
    Domain Expiration Date:     Thu May 22 23:59:59 GMT 2014
    Domain Last Updated Date:   Fri Jun 21 12:23:35 GMT 2013

source: http://whois.domaintools.com/mydnsscan.us


Since June 7th I've seen a few different IPs, but all in very, very low amounts, the same as directedat.asia, which does only about one query an hour.

At the moment MyDnsScan.us is using the following two name servers:

    mydnsscan.us. 14400 IN NS ns1.mydnsscan.us.
    mydnsscan.us. 14400 IN NS ns2.mydnsscan.us.

UPDATE: 23/06/2013

Just seen requests for dd0s.asia. This domain is registered at the same registrar and has the same IP range in its response. The name server IPs also show similarities.

----------------
<snip>
    dd0s.asia. 3600 IN A 172.33.43.37
    dd0s.asia. 3600 IN A 172.33.43.7
    dd0s.asia. 3600 IN A 172.33.43.38
    dd0s.asia. 3600 IN A 172.33.43.63
    dd0s.asia. 3600 IN A 172.33.43.6
    dd0s.asia. 3600 IN A 172.33.43.48
    dd0s.asia. 3600 IN A 172.33.43.54
    dd0s.asia. 3600 IN A 172.33.43.68
    dd0s.asia. 3600 IN A 172.33.43.43
    dd0s.asia. 3600 IN A 172.33.43.3
    dd0s.asia. 3600 IN A 172.33.43.32
    dd0s.asia. 3600 IN A 172.33.43.26
<snip>
------------------

Whois info:

    Domain ID:D2709804-ASIA
    Domain Name:DD0S.ASIA
    Domain Create Date:23-Jun-2013 01:38:11 UTC
    Domain Expiration Date:23-Jun-2014 01:38:11 UTC
    Domain Last Updated Date:23-Jun-2013 01:51:33 UTC
    Last Transferred Date:
    Created by:Internet.bs Corp. R176-ASIA (814)
    Last Updated by Registrar:Internet.bs Corp. R176-ASIA (814)
    Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
    Domain Status:CLIENT TRANSFER PROHIBITED
    Domain Status:TRANSFER PROHIBITED
    Status:ADDPERIOD
    Registrant ID:INTEfa270xohhrs2
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Attn: dd0s.asia
    Registrant Address2:Aptds. 0850-00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877

Name servers:

The domains DirectedAt.Asia and Dd0s.Asia are using the same Name Server IPs:


    ns1.dd0s.asia. 3600 IN A 74.91.18.226
    ns2.dd0s.asia. 3600 IN A 74.91.18.226

    ns1.directedat.asia. 53633 IN A 74.91.18.226
    ns2.directedat.asia. 53633 IN A 74.91.18.226


UPDATE 26/06/2013

Just seen activity for 1rip.com. The response contains 244 IPs in the 204.46.43.0/24 range. Same name servers as the ones mentioned above.

    Domain 1rip.com
    Date Registered: 2013-6-26
    Expiry Date: 2014-6-26
    DNS1: ns1.1rip.com
    DNS2: ns2.1rip.com
    Registrant    Fundacion Private Whois    
    Domain Administrator    Email:  
    Attn: 1rip.com    
    Aptds. 0850-00056    
    Zona 15 Panama    Panama    Tel: +507.65995877

    Registrar: Internet.bs Corp.

Name servers:

    ns1.1rip.com. 78501 IN A 74.91.18.226
    ns2.1rip.com. 78501 IN A 74.91.18.226


Update 28/06/2013

One new day, two new domains. This time it is ScanDns.tk and Xcqv.de, and I have enough reason to believe this is the same guy as behind DirectedAt.Asia above.


Whois details ScanDns.Tk:

    Domain name:      SCANDNS.TK
    Organisation:     BV Dot TK
                      Dot TK administrator
                      P.O. Box 11774
                      1001 GT Amsterdam
                      Netherlands
    Phone: +31 20 5315725
    Fax: +31 20 5315721
    E-mail: abuse:
    copyright infringement:



Returns:

1350 A records in the ranges 1. - 223.

    scandns.tk. 2181 IN NS ns1.cloudns.net.
    scandns.tk. 2181 IN NS ns2.cloudns.net.
    scandns.tk. 2181 IN NS ns3.cloudns.net.
    scandns.tk. 2181 IN NS ns4.cloudns.net.

-----------------------------------------------------------------------

Whois details xcqv.de:
Domain: xcqv.de
Nserver: ns.inwx.de
Nserver: ns2.inwx.de
Nserver: ns3.inwx.eu
Nserver: ns4.inwx.com
Nserver: ns5.inwx.net
Status: connect
Changed: 2013-06-27T22:37:52+02:00

[Tech-C]
Type: ROLE
Name: Hostmaster Of The Day
Organisation: InterNetworX Ltd. & Co. KG
Address: Tempelhofer Damm 140
PostalCode: 12099
City: Berlin
CountryCode: DE
Phone: +49.180.3730000
Phone: +49.30.66400137
Fax: +49.30.66400138
Email: 
Remarks: role account for Hostmaster of the Day
Changed: 2009-01-07T16:28:43+01:00

Returns:

501 A records in the 178.100 range.


Name servers:

    xcqv.de. 20837 IN NS ns2.inwx.de.
    xcqv.de. 20837 IN NS ns5.inwx.net.
    xcqv.de. 20837 IN NS ns4.inwx.com.
    xcqv.de. 20837 IN NS ns.inwx.de.
    xcqv.de. 20837 IN NS ns3.inwx.eu.


Update 07/07/2013


New domain and new sub-domain:

formality.directedat.asia returns 511 records in the 172.33.43.0 and 172.33.44.0 ranges.

--------------

AnonSc.com returns 511 A records in the 172.33.43.0 and 172.33.44.0 ranges.

I have seen the AnonSc.com domain only once. That same source IP also once requested Nukes.DirectedAt.Asia, on the 25th of June.

Name servers:

    anonsc.com. 86400 IN NS ns3.anonsc.com.
    anonsc.com. 86400 IN NS ns4.anonsc.com.

    ns3.anonsc.com. 86400 IN A 89.221.247.170
    ns4.anonsc.com. 86400 IN A 89.221.247.170

SOA:

    anonsc.com. 77002 IN SOA ns3.anonsc.com. shit.anonsc.com. (
                2053191001 ; serial
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                3600000    ; expire (5 weeks 6 days 16 hours)
                86400      ; minimum (1 day)
                )


Whois:

    Technical Contact
        Fundacion Private Whois
        Domain Administrator
        Email:
        Attn: anonsc.com
        Aptds. 0850-00056
        Zona 15 Panama
        Panama
        Tel: +507.65995877

    Registrar: Internet.bs Corp.

source: http://whois.domaintools.com/anonsc.com
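The updates above link domains by the same handful of pivots each time: a shared name server IP (74.91.18.226 for directedat.asia, dd0s.asia and 1rip.com), a name server hosted under another tracked domain (mydnsscan.us delegating to ns1/ns2.directedat.asia), the same answer prefixes (172.33.43.0 and 172.33.44.0 for dd0s.asia, formality.directedat.asia and anonsc.com), plus the weaker hints of a shared registrar and the shared Fundacion Private Whois contact details. The following is an added example, not code from the post, that encodes those pivots and clusters the domains automatically. The input records are assembled by hand from the DNS and whois output quoted in the post; writing the '178.100 range' of xcqv.de as a /16 is an assumption. Registrar and privacy-service phone number are deliberately treated as weak hints only, because one registrar and one whois-privacy service serve many unrelated domains.

```python
"""Link domains by shared DNS and registration infrastructure, the way the
post pivots from directedat.asia to dd0s.asia, 1rip.com, anonsc.com and
mydnsscan.us.

Added example, not code from the post. The records below are assembled by
hand from the DNS and whois output quoted in the post; the '178.100 range'
for xcqv.de is written as a /16 here, which is an assumption.
"""
from collections import defaultdict

DOMAINS = {
    "directedat.asia": {"ns_ip": {"74.91.18.226"}, "ns_parent": {"directedat.asia"},
                        "answer_prefix": {"172.33.43.0/24", "172.33.44.0/24"},
                        "registrar": {"Internet.bs Corp."}, "registrant_phone": {"+507.65995877"}},
    "dd0s.asia": {"ns_ip": {"74.91.18.226"}, "ns_parent": {"dd0s.asia"},
                  "answer_prefix": {"172.33.43.0/24"},
                  "registrar": {"Internet.bs Corp."}, "registrant_phone": {"+507.65995877"}},
    "1rip.com": {"ns_ip": {"74.91.18.226"}, "ns_parent": {"1rip.com"},
                 "answer_prefix": {"204.46.43.0/24"},
                 "registrar": {"Internet.bs Corp."}, "registrant_phone": {"+507.65995877"}},
    "anonsc.com": {"ns_ip": {"89.221.247.170"}, "ns_parent": {"anonsc.com"},
                   "answer_prefix": {"172.33.43.0/24", "172.33.44.0/24"},
                   "registrar": {"Internet.bs Corp."}, "registrant_phone": {"+507.65995877"}},
    # its whois lists NS1/NS2.DIRECTEDAT.ASIA among the name servers
    "mydnsscan.us": {"ns_parent": {"mydnsscan.us", "topdns.com", "directedat.asia"},
                     "registrar": {"Internet.bs Corp."}, "registrant_phone": {"+1.5267675"}},
    "scandns.tk": {"ns_parent": {"cloudns.net"}, "registrar": {"Dot TK"}},
    # assumption: '178.100 range' in the post taken as 178.100.0.0/16
    "xcqv.de": {"ns_parent": {"inwx.de", "inwx.eu", "inwx.com", "inwx.net"},
                "answer_prefix": {"178.100.0.0/16"}},
}


def pivots(domain, rec, known):
    """Yield (kind, value, strength) keys a domain can be joined on."""
    for ip in rec.get("ns_ip", ()):
        yield "ns_ip", ip, "strong"
    for pfx in rec.get("answer_prefix", ()):
        yield "answer_prefix", pfx, "strong"
    for parent in rec.get("ns_parent", ()):
        # Only name servers under a domain we track count as a link; a
        # third-party DNS provider (cloudns.net, inwx, topdns) is shared by
        # countless unrelated domains and says nothing on its own.
        if parent in known:
            yield "ns_parent", parent, "strong"
    # Registrar and privacy-service phone are shared by many unrelated
    # customers, so they only ever produce a weak hint.
    for phone in rec.get("registrant_phone", ()):
        yield "registrant_phone", phone, "weak"
    for reg in rec.get("registrar", ()):
        yield "registrar", reg, "weak"


def cluster(domains):
    """Group domains connected by strong pivots (union-find).
    Returns (clusters, strong_index, weak_index); the indexes map
    (kind, value) -> set of domains sharing that value."""
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    strong, weak = defaultdict(set), defaultdict(set)
    for d, rec in domains.items():
        for kind, value, strength in pivots(d, rec, domains):
            (strong if strength == "strong" else weak)[(kind, value)].add(d)
    for members in strong.values():
        first = next(iter(members))
        for m in members:
            parent[find(m)] = find(first)
    groups = defaultdict(set)
    for d in domains:
        groups[find(d)].add(d)
    return [frozenset(g) for g in groups.values()], dict(strong), dict(weak)


def shared(index):
    """Keep only pivot values that actually join two or more domains."""
    return {k: v for k, v in index.items() if len(v) > 1}


if __name__ == "__main__":
    groups, strong, weak = cluster(DOMAINS)
    for g in sorted(groups, key=len, reverse=True):
        print("cluster:", ", ".join(sorted(g)))
    for key, members in shared(strong).items():
        print("strong link", key, "->", sorted(members))
    for key, members in shared(weak).items():
        print("weak hint  ", key, "->", sorted(members))
```

With the records above, the five domains from the updates end up in one cluster through strong links only, while scandns.tk and xcqv.de stay isolated: they share no name server IP or answer prefix with the others and their name servers sit at third-party DNS providers, so the post's belief that they belong to the same operator rests on evidence other than these pivots.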




Sunday, June 2, 2013

Statistics May 2013

From this month on I will try to publish a monthly post containing some statistics on what I have been observing with my little project.

Starting this month I have seen a large increase in traffic, from a couple of IPs a day to hundreds. Because of this I stopped tweeting and automatically blogging about it. I mean, who is going to read 300 blog posts a day, really?

See the increase in requests per day in the graph below:



The plan is to start a public status page this month that will contain statistics and a bunch of reports on the attacks I'm seeing. All automated and shiny!

Statistics:


Total queries this month: 4.201.970

Most popular domain: isco.org with 2.929.013 requests.


4606 unique source IPs, of which 2270 were observed more than 100 times.

Top 25 attacks in May:

  278594 190.93.249.10
  273946 190.93.248.10
   85358 88.191.237.70
   78650 109.3.51.194
   60377 173.245.59.142
   56019 173.245.59.99
   55901 173.245.58.99
   50803 5.9.237.226
   50107 173.245.58.138
   47870 198.27.64.205
   36003 78.143.14.139
   28427 207.171.170.1
   26077 207.171.179.1
   21605 88.166.164.160
   21525 168.62.23.92
   19925 204.93.210.100
   18375 168.61.144.13
   18345 168.63.55.14
   16873 174.98.255.164
   15940 74.125.31.121
   15712 72.52.12.48
   15505 37.59.28.132
   15351 188.165.94.215
   15298 50.18.190.126
   15186 137.116.32.32


IPs per country:

Requests per country:


This gives a pretty good view of what I have been looking at on my dashboard.

Coming up next:

Details on a few characteristics, snort rules to detect attacks and development on the dashboard!