Wednesday, October 9, 2013

Domain: 30259.info

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:

There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28=0x05333032 && 0x2c&0xFFFFFFDF=0x35390449 && 0x30&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q 30259.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 52 --algo bm --hex-string '|05333032353904696e666f00|' -j DROP -m comment --comment "DROP DNS Q 30259.info"

More iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
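Both rules are mechanical functions of the QNAME wire encoding, so they can be generated for any domain instead of hand-assembled. The following is an added example, not code from the original post or from the smurfmonitor repository; it assumes a 20-byte IPv4 header without options and an 8-byte UDP header (QNAME at byte 40), which is also what the hard-coded offsets in the rules above assume.

```python
# Added example (not the post's or smurfmonitor's code): derive both iptables
# drop rules above for any domain. Assumes a 20-byte IPv4 header without
# options and an 8-byte UDP header, so the QNAME starts at byte 40 (0x28),
# the same assumption behind the post's hard-coded offsets.
QNAME_OFFSET = 40  # 20 (IPv4) + 8 (UDP) + 12 (DNS header)

def qname_wire(domain: str) -> bytes:
    """DNS wire form of a name: length-prefixed labels, then a zero byte."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def case_mask(chunk: bytes) -> int:
    """0xDF on letters clears the ASCII case bit (0x20) so the compare is
    case-insensitive; length bytes, digits and the final zero stay 0xFF."""
    mask = 0
    for b in chunk:
        mask = (mask << 8) | (0xDF if chr(b).isalpha() else 0xFF)
    return mask

def u32_match(domain: str) -> str:
    """One 32-bit compare per word of the QNAME, as in the post's rule.
    Bytes past the end of the name (QTYPE) are masked out with 0x00."""
    wire = qname_wire(domain)
    terms = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        pad = 4 - len(chunk)
        mask = case_mask(chunk) << (8 * pad)
        value = int.from_bytes(chunk + b"\x00" * pad, "big") & mask
        sep = "=" if mask == 0xFFFFFFFF else f"&0x{mask:08X}="
        terms.append(f"0x{QNAME_OFFSET + i:02x}{sep}0x{value:08x}")
    return " && ".join(terms)

def iptables_rules(domain: str) -> dict:
    """u32 and string variants of the drop rule. The string variant is
    case-sensitive as written; iptables' --icase flag would relax that."""
    wire = qname_wire(domain)
    tail = f'-j DROP -m comment --comment "DROP DNS Q {domain}"'
    return {
        "u32": f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_match(domain)}" {tail}',
        "string": f"iptables --insert INPUT -p udp --dport 53 -m string --from {QNAME_OFFSET} "
                  f"--to {QNAME_OFFSET + len(wire)} --algo bm --hex-string '|{wire.hex()}|' {tail}",
    }
```

For 30259.info the output reproduces the two rules above byte for byte; the u32 variant matches regardless of letter case because its masks clear the 0x20 bit on letter bytes, while the string variant does not.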

Source:

No IP source for this domain.

Name server:

;; ANSWER SECTION:
30259.info. 7200 IN NS ns1.05930.info.
30259.info. 7200 IN NS ns2.05930.info.

;; ADDITIONAL SECTION:
ns1.05930.info. 86399 IN A 162.211.182.101
ns1.05930.info. 86399 IN A 162.211.182.102
ns1.05930.info. 86399 IN A 162.211.182.103
ns1.05930.info. 86399 IN A 162.212.182.66
ns1.05930.info. 86399 IN A 162.212.182.67
ns1.05930.info. 86399 IN A 162.212.182.81
ns1.05930.info. 86399 IN A 162.212.182.163
ns1.05930.info. 86399 IN A 162.212.182.165
ns1.05930.info. 86399 IN A 64.62.186.77
ns1.05930.info. 86399 IN A 64.62.186.91
ns1.05930.info. 86399 IN A 64.62.186.110
ns1.05930.info. 86399 IN A 64.62.186.125
ns1.05930.info. 86399 IN A 162.211.182.100
ns2.05930.info. 86399 IN A 162.211.182.102
ns2.05930.info. 86399 IN A 162.211.182.103
ns2.05930.info. 86399 IN A 162.212.182.66
ns2.05930.info. 86399 IN A 162.212.182.67
ns2.05930.info. 86399 IN A 162.212.182.81
ns2.05930.info. 86399 IN A 162.212.182.163
ns2.05930.info. 86399 IN A 162.212.182.165
ns2.05930.info. 86399 IN A 64.62.186.77
ns2.05930.info. 86399 IN A 64.62.186.91
ns2.05930.info. 86399 IN A 64.62.186.110
ns2.05930.info. 86399 IN A 64.62.186.125
ns2.05930.info. 86399 IN A 162.211.182.100
ns2.05930.info. 86399 IN A 162.211.182.101


Response:

A 257
NS 2
SOA 1
Rsize (response size) 4211


Whois:

Domain ID:D50794515-LRMS
Domain Name:30259.INFO
Created On:08-Oct-2013 08:05:46 UTC
Last Updated On:09-Oct-2013 08:35:59 UTC
Expiration Date:08-Oct-2014 08:05:46 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CR152354789
Registrant Name:edson edson
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:511111
Registrant Country:CN
Registrant Phone:+1.5555555555
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:afanti6@gmail.com
Admin ID:CR152354791
Admin Name:edson edson
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:beijing
Admin Postal Code:511111
Admin Country:CN
Admin Phone:+1.5555555555
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:afanti6@gmail.com
Billing ID:CR152354792
Billing Name:edson edson
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:beijing
Billing Postal Code:511111
Billing Country:CN
Billing Phone:+1.5555555555
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:afanti6@gmail.com
Tech ID:CR152354790
Tech Name:edson edson
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:beijing
Tech Postal Code:511111
Tech Country:CN
Tech Phone:+1.5555555555
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:afanti6@gmail.com
Name Server:NS1.05930.INFO
Name Server:NS2.05930.INFO

6 comments:

  1. Started seeing massive lookups for this domain early this morning, coming from the following IPs...

    05:06:23 61.153.111.36 Response sent: 30259.info. type ANY
    05:06:23 119.147.153.118 Response sent: 30259.info. type ANY
    05:06:23 119.147.153.58 Response sent: 30259.info. type ANY

    ...all in China of course.

  2. Now also seeing this from...

    13:34:30 54.229.227.47 Response sent: 30259.info. type ANY
    13:34:30 186.2.164.90 Response sent: 30259.info. type ANY
    13:34:30 186.2.164.89 Response sent: 30259.info. type ANY

    ...interesting how that first one seems to be Amazon's cloud, the other two appear as "DDoS-Guard.net" out of Belize ???

  3. 10-Oct-2013 10:20:29.951 queries: info: client 122.136.196.116#3789: query: 30259.info IN A +E
    10-Oct-2013 10:20:29.954 queries: info: client 122.136.196.116#4637: query: 30259.info IN A +E
    10-Oct-2013 10:20:59.536 queries: info: client 122.136.196.116#43699: query: 30259.info IN A +E
    10-Oct-2013 10:20:59.537 queries: info: client 122.136.196.116#46515: query: 30259.info IN A +E


    This IP has been querying a lot of domains? Maybe one of the main servers?

    Excerpt of the list of domains that have been queried:
    aa3247.com
    4fwhk.com
    aa.10781.info
    30259.info

    - falconix -

  4. I blocked the following subnets to resolve this issue:

    115.239.226.0/24
    122.13.167.0/24
    160.79.170.0/24
    183.60.135.0/24
    183.61.241.0/24
    24.164.142.0/24
    60.214.139.0/24
    61.153.110.0/24

  5. I blocked the following subnets to resolve this issue:

    60.214.139.0/24
    115.239.226.0/24
    122.13.167.0/24
    183.60.135.0/24
    183.61.241.0/24

    All subnets from China.

  6. I blocked the following subnets to resolve this issue:

    190.115.19.0/255
    122.13.167.0/255
    59.63.181.0/255
    61.153.110.143
    61.153.104.143
    183.61.241.20
