Sunday, December 22, 2013

Domain: amp.crack-zone.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).

If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03414d50 && 0x2c&0xFFDFDFDF=0x0a435241 && 0x30&0xDFDFFFDF=0x434b2d5a && 0x34&0xDFDFDFFF=0x4f4e4502 && 0x38&0xDFDFFF00=0x52550000" -j DROP -m comment --comment "DROP DNS Q amp.crack-zone.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|03616d700A637261636b2d7a6f6e6502727500|' -j DROP -m comment --comment "DROP DNS Q amp.crack-zone.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
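How the u32 expressions above are built, as an added example for this page (it is not the blog's own tooling): the query name (QNAME) sits at byte 40 of an IPv4 packet without IP options (20-byte IP header, 8-byte UDP header, 12-byte DNS header) and is encoded as length-prefixed labels ending in a zero byte. The u32 match compares one 32-bit word at a time; label-length bytes, the terminator, digits and hyphens are matched exactly (mask 0xFF), letters are masked with 0xDF so a mixed-case query such as AMP.Crack-Zone.RU is still caught, and bytes past the terminator in the last word are don't-care (mask 0x00). The string rule is the same wire-format name searched in the window where the question name can sit. The script below regenerates both rules from a domain name (the output is identical to the rules listed in these posts) and evaluates the u32 expression against a constructed query packet the way xt_u32 does.

```python
"""Generate the two iptables DNS-query blacklist rules used in these posts and
sanity-check them against a constructed query packet.

Added example for this page; it is not the blog's own tooling. Rules are
rebuilt from the domain name alone and come out identical to the listed ones."""
import struct

# The offsets assume an IPv4 packet without IP options: 20-byte IP header,
# 8-byte UDP header, 12-byte DNS header, so the question name starts at 40 (0x28).
QNAME_OFFSET = 20 + 8 + 12


def wire_name(domain: str) -> bytes:
    """DNS wire format: each label length-prefixed, terminated by a zero byte."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def u32_match(domain: str) -> str:
    """Build the xt_u32 expression: 32-bit words from 0x28 onward. Length bytes,
    the terminator, digits and hyphens are matched exactly (mask 0xFF); letters
    are masked with 0xDF so the rule matches regardless of case; bytes after
    the terminator in the last word are don't-care (mask 0x00)."""
    name = wire_name(domain)
    masks, values = bytearray(), bytearray()
    pos = 0
    while pos < len(name):
        length = name[pos]
        masks.append(0xFF)
        values.append(length)
        for c in name[pos + 1:pos + 1 + length]:
            if chr(c).isalpha():
                masks.append(0xDF)
                values.append(c & 0xDF)  # fold to upper case, as the listed rules do
            else:
                masks.append(0xFF)
                values.append(c)
        pos += 1 + length
    while len(masks) % 4:  # pad the final word with don't-care bytes
        masks.append(0x00)
        values.append(0x00)
    terms = []
    for i in range(0, len(masks), 4):
        (mask,) = struct.unpack("!I", bytes(masks[i:i + 4]))
        (value,) = struct.unpack("!I", bytes(values[i:i + 4]))
        terms.append(f"0x{QNAME_OFFSET + i:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(terms)


def string_match(domain: str) -> str:
    """xt_string variant: the literal wire-format name, searched only within the
    window where the question name can sit. This is case-sensitive unless
    --icase is added, so a query for AMP.CRACK-ZONE.RU slips past it."""
    name = wire_name(domain)
    return (f"--from {QNAME_OFFSET} --to {QNAME_OFFSET + len(name)} "
            f"--algo bm --hex-string '|{name.hex()}|'")


def iptables_rule(domain: str, match: str = "u32") -> str:
    """Full rule line in the same form as the posts (INPUT chain, UDP/53, DROP)."""
    m = (f'-m u32 --u32 "{u32_match(domain)}"' if match == "u32"
         else f"-m string {string_match(domain)}")
    return (f"iptables --insert INPUT -p udp --dport 53 {m} -j DROP "
            f'-m comment --comment "DROP DNS Q {domain}"')


def dns_query_packet(qname: str, qtype: int = 255) -> bytes:
    """Constructed IPv4/UDP/DNS query (type ANY by default, RD set). The IP and
    UDP headers are zero-filled placeholders; only their lengths matter here."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return bytes(20) + bytes(8) + header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def u32_matches(packet: bytes, expr: str) -> bool:
    """Evaluate a u32 expression the way xt_u32 does: load 4 big-endian bytes at
    each offset, AND with the mask, compare. A packet too short for a load fails."""
    for term in expr.split(" && "):
        location, rest = term.split("&")
        mask, value = rest.split("=")
        off = int(location, 16)
        if off + 4 > len(packet):
            return False
        (word,) = struct.unpack("!I", packet[off:off + 4])
        if word & int(mask, 16) != int(value, 16):
            return False
    return True


if __name__ == "__main__":
    for d in ("amp.crack-zone.ru", "ghmn.ru", "dnsamplificationattacks.cc"):
        print(iptables_rule(d))
        print(iptables_rule(d, "string"))
    rule = u32_match("amp.crack-zone.ru")
    print(u32_matches(dns_query_packet("AMP.Crack-Zone.RU"), rule))        # True: case folded
    print(u32_matches(dns_query_packet("amp.crack-zone.ru.example"), rule))  # False: longer name
```

Two caveats worth keeping in mind: the string rule as listed is case-sensitive (add --icase to the string match if you want parity with u32), and both rules hard-code offsets for IPv4 without IP options, so they do not carry over unchanged to ip6tables. Both rules drop every query for the name regardless of query type, which is the intent here.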

Source:


94.102.51.228

Name server:

;; ANSWER SECTION:
crack-zone.ru.          51518   IN      NS      jim.ns.cloudflare.com.
crack-zone.ru.          51518   IN      NS      fay.ns.cloudflare.com.

;; ADDITIONAL SECTION:
fay.ns.cloudflare.com.  72548   IN      A       173.245.58.115
jim.ns.cloudflare.com.  85943   IN      A       173.245.59.125
jim.ns.cloudflare.com.  85943   IN      AAAA    2400:cb00:2049:1::adf5:3b7d
fay.ns.cloudflare.com.  72548   IN      AAAA    2400:cb00:2049:1::adf5:3a73

Response:


TXT 3
Rsize 9226


Whois

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        CRACK-ZONE.RU
nserver:       fay.ns.cloudflare.com.
nserver:       jim.ns.cloudflare.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2013.06.22
paid-till:     2014.06.22
free-date:     2014.07.23
source:        TCI





Tuesday, December 17, 2013

Domain: ghmn.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).

If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0447484d && 0x2c&0xDFFFDFDF=0x4e025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q ghmn.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|0467686d6e02727500|' -j DROP -m comment --comment "DROP DNS Q ghmn.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
ghmn.ru. 21600 IN NS ns1.reg.ru.
ghmn.ru. 21600 IN NS ns2.reg.ru.


Response:


A 245
NS 2
SOA 1
Rsize 4016


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: GHMN.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2013.11.09
paid-till: 2014.11.09
free-date: 2014.12.10
source: TCI

Last updated on 2013.12.17 23:36:39 MSK




Domain: grungyman.cloudns.org

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).

If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09475255 && 0x2c&0xDFDFDFDF=0x4e47594d && 0x30&0xDFDFFFDF=0x414e0743 && 0x34&0xDFDFDFDF=0x4c4f5544 && 0x38&0xDFDFFFDF=0x4e53034f && 0x3c&0xDFDFFF00=0x52470000" -j DROP -m comment --comment "DROP DNS Q grungyman.cloudns.org"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 63 --algo bm --hex-string '|096772756e67796d616e07636c6f75646e73036f726700|' -j DROP -m comment --comment "DROP DNS Q grungyman.cloudns.org"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
grungyman.cloudns.org. 3599 IN NS ns3.cloudns.net.
grungyman.cloudns.org. 3599 IN NS ns4.cloudns.net.
grungyman.cloudns.org. 3599 IN NS ns1.cloudns.net.
grungyman.cloudns.org. 3599 IN NS ns2.cloudns.net.


Response:


A 201
NS 4
SOA 1
Rsize 3366


Whois


NOT FOUND



Friday, December 13, 2013

Domain: erhj.pw

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).

If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04455248 && 0x2c&0xDFFFDFDF=0x4a025057 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q erhj.pw"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|046572686a02707700|' -j DROP -m comment --comment "DROP DNS Q erhj.pw"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


81.17.130.54 - Ecatel

Name server:


;; ANSWER SECTION:
erhj.pw. 3600 IN NS ns1.h1.artplanet.su.
erhj.pw. 3600 IN NS ns2.h1.artplanet.su.


Response:


A 243
MX 2
NS 2
SOA 1
TXT 1
Rsize 4073


Whois


This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/

Domain ID:CNIC-DO1680644
Domain Name:ERHJ.PW
Created On:2013-12-08T13:18:20.0Z
Last Updated On:2013-12-13T13:27:10.0Z
Expiration Date:2014-12-08T23:59:59.0Z
Status:TRANSFER PROHIBITED
Registrant ID:H280468
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant City:Nobby Beach
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
Registrant Email:contact@privacyprotect.org
Admin ID:H280468
Admin Name:Domain Admin
Admin Organization:PrivacyProtect.org
Admin Street1:ID#10760, PO Box 16
Admin Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Admin City:Nobby Beach
Admin Postal Code:QLD 4218
Admin Country:AU
Admin Phone:+45.36946676
Admin Email:contact@privacyprotect.org
Tech ID:H280468
Tech Name:Domain Admin
Tech Organization:PrivacyProtect.org
Tech Street1:ID#10760, PO Box 16
Tech Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Tech City:Nobby Beach
Tech Postal Code:QLD 4218
Tech Country:AU
Tech Phone:+45.36946676
Tech Email:contact@privacyprotect.org
Billing ID:H280468
Billing Name:Domain Admin
Billing Organization:PrivacyProtect.org
Billing Street1:ID#10760, PO Box 16
Billing Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Billing City:Nobby Beach
Billing Postal Code:QLD 4218
Billing Country:AU
Billing Phone:+45.36946676
Billing Email:contact@privacyprotect.org
Sponsoring Registrar ID:H2834038
Sponsoring Registrar IANA ID:1111
Sponsoring Registrar Organization:DomainContext Inc.
Sponsoring Registrar Street1:501 Silverside Road
Sponsoring Registrar Street2:Suite 105
Sponsoring Registrar City:Wilmington
Sponsoring Registrar State/Province:DE
Sponsoring Registrar Postal Code:19809
Sponsoring Registrar Country:US
Sponsoring Registrar Phone:+1 302 4427322
Sponsoring Registrar FAX:+1 302 4427337
Sponsoring Registrar Website:http://www.domaincontext.com
Name Server:NS2.H1.ARTPLANET.SU
Name Server:NS1.H1.ARTPLANET.SU
DNSSEC:Unsigned





Sunday, December 8, 2013

Domain: datburger.cloudns.org


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).


If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09444154 && 0x2c&0xDFDFDFDF=0x42555247 && 0x30&0xDFDFFFDF=0x45520743 && 0x34&0xDFDFDFDF=0x4c4f5544 && 0x38&0xDFDFFFDF=0x4e53034f && 0x3c&0xDFDFFF00=0x52470000" -j DROP -m comment --comment "DROP DNS Q datburger.cloudns.org"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 63 --algo bm --hex-string '|0964617462757267657207636c6f75646e73036f726700|' -j DROP -m comment --comment "DROP DNS Q datburger.cloudns.org"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:



Response:


A 201
NS 4
SOA 1
Rsize 3366


Whois


NOT FOUND


Saturday, December 7, 2013

Domain: adrenalinessss.cc

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).

If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0e414452 && 0x2c&0xDFDFDFDF=0x454e414c && 0x30&0xDFDFDFDF=0x494e4553 && 0x34&0xDFDFDFFF=0x53535302 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q adrenalinessss.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|0E616472656e616c696e657373737302636300|' -j DROP -m comment --comment "DROP DNS Q adrenalinessss.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


80.82.65.206 - Ecatel

Name server:


;; ANSWER SECTION:
adrenalinessss.cc. 8053 IN NS b.dns.gandi.net.
adrenalinessss.cc. 8053 IN NS a.dns.gandi.net.
adrenalinessss.cc. 8053 IN NS c.dns.gandi.net.


Response:


A 241
NS 3
SOA 1
Rsize 3983


Whois



Whois Server Version 2.0

Domain names can now be registered with many different competing registrars.
Go to http://registrar.verisign-grs.com/whois/ for detailed information.

Domain Name: ADRENALINESSSS.CC
Domain ID: 108528673
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Updated Date: 2013-12-06T11:58:40Z
Creation Date: 2013-12-06T11:58:39Z
Expiration Date: 2014-12-06T11:58:39Z
Sponsoring Registrar: GANDI SAS
Sponsoring Registrar IANA ID: 81
Domain Status: CLIENT-XFER-PROHIBITED
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
DNSSEC: Unsigned delegation


>>> Last update of whois database: 2013-12-07T18:47:23Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the
expiration date of the domain name registrant's agreement with the
sponsoring registrar. Users may consult the sponsoring registrar's
Whois database to view the registrar's reported date of expiration
for this registration.


The Registry database contains ONLY .cc, .tv, and .jobs domains
and Registrars.
--- #YAML:1.0
# GANDI Registrar whois database for .COM, .NET, .ORG., .INFO, .BIZ, .NAME
#

domain: adrenalinessss.cc
reg_created: 2013-12-06 16:58:39
expires: 2014-12-06 16:58:39
created: 2013-12-06 17:58:39
changed: 2013-12-06 18:21:36
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
nic-hdl: MM12605-GANDI
owner-name: maryset maryset
organisation: ~
person: maryset maryset
address: 1 resident
zipcode: 27300
city: Bernay
country: France
phone: +33.232472392
fax: ~
email: t.maryse@orange.fr
lastupdated: 2013-12-06 17:53:06
admin-c:
nic-hdl: MM12605-GANDI
owner-name: maryset maryset
organisation: ~
person: maryset maryset
address: 1 resident
zipcode: 27300
city: Bernay
country: France
phone: +33.232472392
fax: ~
email: t.maryse@orange.fr
lastupdated: 2013-12-06 17:53:06
tech-c:
nic-hdl: MM12605-GANDI
owner-name: maryset maryset
organisation: ~
person: maryset maryset
address: 1 resident
zipcode: 27300
city: Bernay
country: France
phone: +33.232472392
fax: ~
email: t.maryse@orange.fr
lastupdated: 2013-12-06 17:53:06
bill-c:
nic-hdl: MM12605-GANDI
owner-name: maryset maryset
organisation: ~
person: maryset maryset
address: 1 resident
zipcode: 27300
city: Bernay
country: France
phone: +33.232472392
fax: ~
email: t.maryse@orange.fr
lastupdated: 2013-12-06 17:53:06



Friday, December 6, 2013

Domain: ilineage2.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).

If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09494c49 && 0x2c&0xDFDFDFDF=0x4e454147 && 0x30&0xDFFFFFDF=0x45320252 && 0x34&0xDFFF0000=0x55000000" -j DROP -m comment --comment "DROP DNS Q ilineage2.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|09696c696e656167653202727500|' -j DROP -m comment --comment "DROP DNS Q ilineage2.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.102.49.104

Name server:


;; ANSWER SECTION:
ilineage2.ru. 21600 IN NS ns2.reg.ru.
ilineage2.ru. 21600 IN NS ns1.reg.ru.


Response:


A 244
NS 2
SOA 1
Rsize 4005


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: ILINEAGE2.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2013.05.29
paid-till: 2014.05.29
free-date: 2014.06.29
source: TCI

Last updated on 2013.12.06 22:31:43 MSK




Thursday, December 5, 2013

A Who-Am-I from China


Today I found the domain "whoami.akamai.com" in my log files. After concluding that there was no amplification in it, I looked at who requested this domain. Normally there is one request for these 'new' domains (mostly from an Ecatel IP). But not today: over a hundred different IPs scrolled by.

The queries were also performed with only the Recursion Desired bit set, without the EDNS I usually see.

Most IPs requested the domain only once. But why this domain? The IPs are scattered over a few ASes:

     71  AS4134 Chinanet
     40  AS4837 CNCGROUP China169 Backbone
      7  AS23650 AS Number for CHINANET jiangsu province backbone
      6  AS9808 Guangdong Mobile Communication Co.Ltd.
      4  AS38283 CHINANET SiChuan Telecom Internet Data Center
      3  AS17816 China Unicom IP network China169 Guangdong province
      2  AS4812 China Telecom (Group)
      2  AS4808 CNCGROUP IP network China169 Beijing Province Network
      2  AS24444 Shandong Mobile Communication Company Limited
      1  AS7473 Singapore Telecommunications Ltd
      1  AS58424 #3BEo, Sangkat Beoun Prolit, Khan 7Makara, Phnom Penh.
      1  AS56046 China Mobile communications corporation
      1  AS56040 China Mobile communications corporation
      1  AS54994 Wangsu Science and Technology (US), Inc.
      1  AS4538 China Education and Research Network Center
      1  AS3462 Data Communication Business Group
      1  AS24445 Henan Mobile Communications Co.,Ltd
      1  AS18118 CITIC Networks Management Co.,Ltd.
      1  AS1299 TeliaNet Global Network

A few IPs have rDNS set:

112.117.216.6 - 6.216.117.112.broad.km.yn.dynamic.163data.com.cn.
121.205.7.134 - 134.7.205.121.broad.qz.fj.dynamic.163data.com.cn.
122.136.46.81 - 81.46.136.122.adsl-pool.jlccptt.net.cn.
122.138.54.6 - 6.54.138.122.adsl-pool.jlccptt.net.cn.
122.143.27.134 - 134.27.143.122.adsl-pool.jlccptt.net.cn.
123.103.64.180 - 123.103.64.180-BJ-CNC.
124.163.221.6 - 6.221.163.124.adsl-pool.sx.cn.
125.75.128.81 - 81.128.125.75.gs.dynamic.163data.com.cn.
182.118.15.6 - hn.kd.ny.adsl.
182.118.73.10 - hn.kd.ny.adsl.
219.153.52.6 - 6.52.153.219.broad.cq.cq.dynamic.163data.com.cn.
219.154.65.164 - hn.kd.jz.adsl.
220.165.142.6 - 6.142.165.220.broad.cx.yn.dynamic.163data.com.cn.
222.138.229.57 - hn.kd.ny.adsl.
222.140.155.6 - hn.kd.dhcp.
60.220.196.6 - 6.196.220.60.adsl-pool.sx.cn.
60.220.213.70 - 70.213.220.60.adsl-pool.sx.cn.
61.157.124.20 - 20.124.157.61.dial.zy.sc.dynamic.163data.com.cn.
61.188.191.10 - 10.191.188.61.broad.nc.sc.dynamic.163data.com.cn.
61.54.12.5 - hn.kd.dhcp.
61.54.219.59 - hn.kd.dhcp.
61.54.7.11 - hn.kd.dhcp.

DHCP, dynamic: these sound like home connections. Botnet?

WhoAmI.akamai.com

As it turns out, this subdomain is something special.
The A record returned for this name is the IP address the request came from, as seen by Akamai's authoritative server. So if you run a local recursive DNS server, you get your own (WAN) IP back. When using a remote DNS server, that server's IP is returned. In the case of a chain of forwarding DNS servers, the IP of the last one in the chain, the one that actually talks to the authoritative server, is returned.


Google Public DNS:

dig whoami.akamai.com @8.8.8.8

....
;; ANSWER SECTION:

whoami.akamai.net.      94      IN      A       74.125.17.147

Google forwarded my query through 74.125.17.147, for load balancing purposes I guess. Perhaps EDNS client subnet is involved.

But why request this domain from every open DNS server in the world?

The people behind this scan can tell, for each 'open DNS server', whether it is an 'open resolver' (it recurses itself, so its own IP comes back) or an 'open forwarder' (it hands the query to an upstream resolver, whose IP comes back). Perhaps this makes a significant difference when performing DNS amplification attacks; perhaps it is just nice to know.

When the responses to these queries are properly logged, one could generate a really nice graph of which open forwarders hide behind which open resolvers. I want that graph now!

I am assuming there are a lot more open forwarders than open resolvers, but I have no stats on that. Perhaps this was a small botnet making these requests. But why request it so many times? As the queries are almost all from China, it cannot be about geographic diversity. Pretty confusing.

If anyone has any idea about all this, let me know!
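To make the reasoning above concrete, here is an added example (not the author's code) that parses raw DNS messages, reports the two properties noticed in the logs (Recursion Desired set, no EDNS OPT record), and applies the whoami heuristic: the A record returned for whoami.akamai.net is compared with the address of the server that was queried; equal means that server recursed itself (open resolver), different means it handed the query to an upstream whose address came back (open forwarder). All messages are constructed in-line; 8.8.8.8 and 74.125.17.147 come from the dig output above, while 198.51.100.7 is an assumed address standing in for a server that recurses for itself.

```python
"""Characterise DNS queries like the ones described above (RD set, no EDNS)
and apply the whoami heuristic: compare the A record returned for
whoami.akamai.net with the address of the server that was asked.

Added example, not the blog author's code. All messages are constructed
in-line; 198.51.100.7 is an assumed address, not an observed one."""
import socket
import struct

RD = 0x0100   # Recursion Desired flag in the DNS header
QR = 0x8000   # response bit
OPT = 41      # EDNS(0) pseudo-RR type
A = 1


def wire_name(domain: str) -> bytes:
    """DNS wire format: length-prefixed labels, zero-terminated."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(msg: bytes) -> dict:
    """Minimal parser: header flags plus (type, rdata) of every RR in the
    answer, authority and additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        end = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[end:end + 10])
        records.append((rtype, msg[end + 10:end + 10 + rdlen]))
        off = end + 10 + rdlen
    return {"flags": flags, "records": records}


def describe_query(msg: bytes) -> dict:
    """What the post noticed: RD set, and whether an EDNS OPT RR is present."""
    m = parse_message(msg)
    return {"rd": bool(m["flags"] & RD),
            "edns": any(rtype == OPT for rtype, _ in m["records"])}


def classify_open_server(queried_ip: str, response: bytes) -> tuple:
    """whoami.akamai.net answers with the address that contacted Akamai. If that
    equals the server we queried, it recursed itself (open resolver); otherwise
    it handed the query to an upstream whose address came back (open forwarder)."""
    answers = [socket.inet_ntoa(rdata) for rtype, rdata in parse_message(response)["records"]
               if rtype == A and len(rdata) == 4]
    if not answers:
        return ("no-answer", None)
    kind = "open-resolver" if answers[0] == queried_ip else "open-forwarder"
    return (kind, answers[0])


def build_query(qname: str, rd: bool = True, edns: bool = False) -> bytes:
    """Constructed A query; optionally with an empty EDNS OPT RR (4096-byte UDP size)."""
    hdr = struct.pack("!HHHHHH", 0x2A2A, RD if rd else 0, 1, 0, 0, 1 if edns else 0)
    msg = hdr + wire_name(qname) + struct.pack("!HH", A, 1)
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)
    return msg


def build_response(query: bytes, ip: str) -> bytes:
    """Constructed response: echo the question, answer with one A record whose
    owner name is a compression pointer (0xC00C) to the question name."""
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:skip_name(query, 12) + 4]
    hdr = struct.pack("!HHHHHH", txid, flags | QR, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", A, 1, 60, 4) + socket.inet_aton(ip)
    return hdr + question + answer


if __name__ == "__main__":
    q = build_query("whoami.akamai.net")
    print(describe_query(q))                       # {'rd': True, 'edns': False}
    # Mirrors the dig above: 8.8.8.8 was asked, Akamai saw 74.125.17.147.
    print(classify_open_server("8.8.8.8", build_response(q, "74.125.17.147")))
    # Assumed address of a server that recurses for itself.
    print(classify_open_server("198.51.100.7", build_response(q, "198.51.100.7")))
```

By this heuristic Google Public DNS looks like a forwarder, because the back-end that talks to Akamai has a different address from the 8.8.8.8 front-end; that is exactly the ambiguity the post points at, so the classification says something about the path a query took, not about whether the operator intended the server to be open.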


Observed source IPs:

IP   Country   AS / ISP
101.227.66.136   China   AS4812 China Telecom (Group)
101.26.37.10   China   AS4837 CNCGROUP China169 Backbone
103.5.124.133   Cambodia   AS58424 #3BEo, Sangkat Beoun Prolit, Khan 7Makara, Phnom Penh.
110.18.244.134   China   AS4837 CNCGROUP China169 Backbone
110.18.246.6   China   AS4837 CNCGROUP China169 Backbone
112.117.216.6   China   AS4134 Chinanet
112.25.35.36   China   AS56046 China Mobile communications corporation
112.253.38.28   China   AS4837 CNCGROUP China169 Backbone
112.84.252.131   China   AS4837 CNCGROUP China169 Backbone
112.90.246.6   China   AS17816 China Unicom IP network China169 Guangdong province
112.91.29.6   China   AS17816 China Unicom IP network China169 Guangdong province
113.107.56.10   China   AS4134 Chinanet
113.107.89.134   China   AS4134 Chinanet
113.17.140.154   China   AS4134 Chinanet
113.207.63.136   China   AS4837 CNCGROUP China169 Backbone
114.80.143.152   China   AS4812 China Telecom (Group)
115.156.188.141  China   AS4538 China Education and Research Network Center
115.231.84.10   China   AS4134 Chinanet
115.238.245.134  China   AS4134 Chinanet
116.10.190.10   China   AS4134 Chinanet
116.211.96.166   China   AS4134 Chinanet
117.18.47.39   Singapore   AS7473 Singapore Telecommunications Ltd
117.21.164.6   China   AS4134 Chinanet
117.21.189.11   China   AS4134 Chinanet
117.25.128.209   China   AS4134 Chinanet
117.35.207.134   China   AS4134 Chinanet
117.42.74.5   China   AS4134 Chinanet
118.123.118.6   China   AS38283 CHINANET SiChuan Telecom Internet Data Center
119.134.253.5   China   AS4134 Chinanet
119.146.200.6   China   AS4134 Chinanet
119.147.149.135  China   AS4134 Chinanet
119.84.113.6   China   AS4134 Chinanet
119.84.119.102   China   AS4134 Chinanet
120.192.90.200   China   AS24444 Shandong Mobile Communication Company Limited
120.192.92.10   China   AS24444 Shandong Mobile Communication Company Limited
120.198.232.50   China   AS56040 China Mobile communications corporation
120.209.141.6   China   AS9808 Guangdong Mobile Communication Co.Ltd.
120.209.142.6   China   AS9808 Guangdong Mobile Communication Co.Ltd.
120.39.183.11   China   AS4134 Chinanet
121.11.92.134   China   AS4134 Chinanet
121.14.151.3   China   AS4134 Chinanet
121.14.228.6   China   AS4134 Chinanet
121.18.209.209   China   AS4837 CNCGROUP China169 Backbone
121.18.230.11   China   AS4837 CNCGROUP China169 Backbone
121.205.7.134   China   AS4134 Chinanet
121.61.118.10   China   AS4134 Chinanet
122.136.46.81   China   AS4837 CNCGROUP China169 Backbone
122.138.54.6   China   AS4837 CNCGROUP China169 Backbone
122.143.27.134   China   AS4837 CNCGROUP China169 Backbone
122.226.169.70   China   AS4134 Chinanet
122.226.180.198  China   AS4134 Chinanet
122.227.2.6   China   AS4134 Chinanet
122.228.228.135  China   AS4134 Chinanet
123.103.64.180   China   AS4808 CNCGROUP IP network China169 Beijing Province Network
124.163.221.6   China   AS4837 CNCGROUP China169 Backbone
124.202.166.6   China   AS4808 CNCGROUP IP network China169 Beijing Province Network
125.39.19.70   China   AS4837 CNCGROUP China169 Backbone
125.75.128.81   China   AS4134 Chinanet
14.17.98.6   China   AS4134 Chinanet
163.177.242.6   China   AS17816 China Unicom IP network China169 Guangdong province
171.111.152.6   China   AS4134 Chinanet
171.112.96.6   China   AS4134 Chinanet
182.118.15.6   China   AS4837 CNCGROUP China169 Backbone
182.118.73.10   China   AS4837 CNCGROUP China169 Backbone
182.140.130.10   China   AS38283 CHINANET SiChuan Telecom Internet Data Center
182.140.236.6   China   AS38283 CHINANET SiChuan Telecom Internet Data Center
182.86.197.6   China   AS4134 Chinanet
183.136.208.6   China   AS4134 Chinanet
183.136.229.134  China   AS4134 Chinanet
183.221.248.141  China   AS9808 Guangdong Mobile Communication Co.Ltd.
183.250.179.16   China   AS9808 Guangdong Mobile Communication Co.Ltd.
183.57.144.11   China   AS4134 Chinanet
183.60.232.10   China   AS4134 Chinanet
183.61.73.10   China   AS4134 Chinanet
183.63.155.10   China   AS4134 Chinanet
203.74.4.38   Taiwan   AS3462 Data Communication Business Group
209.170.78.66   Sweden   AS1299 TeliaNet Global Network
211.142.194.11   China   AS24445 Henan Mobile Communications Co.,Ltd
218.11.179.222   China   AS4837 CNCGROUP China169 Backbone
218.2.83.66   China   AS4134 Chinanet
218.59.144.70   China   AS4837 CNCGROUP China169 Backbone
218.59.209.6   China   AS4837 CNCGROUP China169 Backbone
218.61.27.10   China   AS4837 CNCGROUP China169 Backbone
218.75.140.134   China   AS4134 Chinanet
218.87.111.134   China   AS4134 Chinanet
219.138.135.197  China   AS4134 Chinanet
219.138.64.10   China   AS4134 Chinanet
219.139.190.180  China   AS4134 Chinanet
219.147.204.6   China   AS4134 Chinanet
219.153.52.6   China   AS4134 Chinanet
219.154.65.164   China   AS4837 CNCGROUP China169 Backbone
219.72.153.14   China   AS18118 CITIC Networks Management Co.,Ltd.
220.162.97.135   China   AS4134 Chinanet
220.165.142.6   China   AS4134 Chinanet
220.168.132.11   China   AS4134 Chinanet
220.194.200.173  China   AS4837 CNCGROUP China169 Backbone
221.10.4.6   China   AS4837 CNCGROUP China169 Backbone
222.138.229.57   China   AS4837 CNCGROUP China169 Backbone
222.140.155.6   China   AS4837 CNCGROUP China169 Backbone
222.174.239.10   China   AS4134 Chinanet
222.184.115.134  China   AS4134 Chinanet
222.186.128.134  China   AS23650 AS Number for CHINANET jiangsu province backbone
222.186.130.6   China   AS23650 AS Number for CHINANET jiangsu province backbone
222.186.17.6   China   AS23650 AS Number for CHINANET jiangsu province backbone
222.186.18.6   China   AS23650 AS Number for CHINANET jiangsu province backbone
222.216.188.10   China   AS4134 Chinanet
222.243.110.198  China   AS4134 Chinanet
222.88.91.134   China   AS4134 Chinanet
222.88.95.167   China   AS4134 Chinanet
223.85.134.6   China   AS9808 Guangdong Mobile Communication Co.Ltd.
223.87.1.50   China   AS9808 Guangdong Mobile Communication Co.Ltd.
27.24.213.140   China   AS4134 Chinanet
42.202.148.6   China   AS4134 Chinanet
58.215.139.68   China   AS4134 Chinanet
58.216.21.10   China   AS4134 Chinanet
58.216.22.10   China   AS4134 Chinanet
58.218.208.6   China   AS23650 AS Number for CHINANET jiangsu province backbone
58.218.214.242  China   AS23650 AS Number for CHINANET jiangsu province backbone
58.222.18.74   China   AS4134 Chinanet
58.242.249.12   China   AS4837 CNCGROUP China169 Backbone
58.51.95.135   China   AS4134 Chinanet
58.59.19.6   China   AS4134 Chinanet
58.61.152.234   China   AS4134 Chinanet
60.174.174.38   China   AS4134 Chinanet
60.18.155.32   China   AS4837 CNCGROUP China169 Backbone
60.19.65.201   China   AS4837 CNCGROUP China169 Backbone
60.191.196.198  China   AS4134 Chinanet
60.210.23.196   China   AS4837 CNCGROUP China169 Backbone
60.211.209.198  China   AS4837 CNCGROUP China169 Backbone
60.212.19.48   China   AS4837 CNCGROUP China169 Backbone
60.220.196.6   China   AS4837 CNCGROUP China169 Backbone
60.220.213.70   China   AS4837 CNCGROUP China169 Backbone
60.28.11.144   China   AS4837 CNCGROUP China169 Backbone
60.28.9.53   China   AS4837 CNCGROUP China169 Backbone
60.5.255.198   China   AS4837 CNCGROUP China169 Backbone
60.6.200.98   China   AS4837 CNCGROUP China169 Backbone
60.8.63.87   China   AS4837 CNCGROUP China169 Backbone
61.145.118.6   China   AS4134 Chinanet
61.147.89.24   China   AS23650 AS Number for CHINANET jiangsu province backbone
61.153.56.182   China   AS4134 Chinanet
61.157.124.20   China   AS38283 CHINANET SiChuan Telecom Internet Data Center
61.174.63.203   China   AS4134 Chinanet
61.188.191.10   China   AS4134 Chinanet
61.54.12.5   China   AS4837 CNCGROUP China169 Backbone
61.54.219.59   China   AS4837 CNCGROUP China169 Backbone
61.54.7.11   China   AS4837 CNCGROUP China169 Backbone
70.39.191.63   United States   AS54994 Wangsu Science and Technology (US), Inc.

Wednesday, December 4, 2013

Domain: dnsamplificationattacks.cc

# This domain does not belong to me # (yet)

Well, how about that. Someone bought me a domain name! Maybe I can seize it... ;-)

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet with recursion enabled (an open resolver).

If you are seeing responses for this domain: unlucky, you are currently being DDoS-ed. Good luck.


IPtables:


There are two iptables rules available. If your kernel and iptables support the 'u32' match, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && 0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 68 --algo bm --hex-string '|17646e73616d706c696669636174696f6e61747461636b7302636300|' -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


80.82.65.237 - Ecatel

Name server:


;; ANSWER SECTION:
dnsamplificationattacks.cc. 9533 IN NS b.dns.gandi.net.
dnsamplificationattacks.cc. 9533 IN NS a.dns.gandi.net.
dnsamplificationattacks.cc. 9533 IN NS c.dns.gandi.net.


Response:


A 246
NS 3
SOA 1
Rsize 4072


Whois



Whois Server Version 2.0

Domain names can now be registered with many different competing registrars.
Go to http://registrar.verisign-grs.com/whois/ for detailed information.

Domain Name: DNSAMPLIFICATIONATTACKS.CC
Domain ID: 108517593
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Updated Date: 2013-12-04T14:44:17Z
Creation Date: 2013-12-04T14:44:16Z
Expiration Date: 2014-12-04T14:44:16Z
Sponsoring Registrar: GANDI SAS
Sponsoring Registrar IANA ID: 81
Domain Status: CLIENT-XFER-PROHIBITED
Name Server: A.DNS.GANDI.NET
Name Server: B.DNS.GANDI.NET
Name Server: C.DNS.GANDI.NET
DNSSEC: Unsigned delegation


>>> Last update of whois database: 2013-12-04T22:28:30Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the
expiration date of the domain name registrant's agreement with the
sponsoring registrar. Users may consult the sponsoring registrar's
Whois database to view the registrar's reported date of expiration
for this registration.


The Registry database contains ONLY .cc, .tv, and .jobs domains
and Registrars.
--- #YAML:1.0
# GANDI Registrar whois database for .COM, .NET, .ORG., .INFO, .BIZ, .NAME
#

domain: dnsamplificationattacks.cc
reg_created: 2013-12-04 19:44:16
expires: 2014-12-04 19:44:16
created: 2013-12-04 20:44:16
changed: 2013-12-04 20:55:28
transfer-prohibited: yes
ns0: a.dns.gandi.net
ns1: b.dns.gandi.net
ns2: c.dns.gandi.net
owner-c:
nic-hdl: JK3349-GANDI
owner-name: Jorj Keria
organisation: ~
person: Jorj Keria
address: 'St.Patrick 183 , 2'
zipcode: 11012
city: New York
country: United States of America
phone: +1.2811243314
fax: ~
email: 529347fb1b098f6ad72b8fbb39d00fce-1820552@contact.gandi.net
lastupdated: 2013-12-04 20:45:58
admin-c:
nic-hdl: JK3349-GANDI
owner-name: Jorj Keria
organisation: ~
person: Jorj Keria
address: 'St.Patrick 183 , 2'
zipcode: 11012
city: New York
country: United States of America
phone: +1.2811243314
fax: ~
email: 529347fb1b098f6ad72b8fbb39d00fce-1820552@contact.gandi.net
lastupdated: 2013-12-04 20:45:58
tech-c:
nic-hdl: JK3349-GANDI
owner-name: Jorj Keria
organisation: ~
person: Jorj Keria
address: 'St.Patrick 183 , 2'
zipcode: 11012
city: New York
country: United States of America
phone: +1.2811243314
fax: ~
email: 529347fb1b098f6ad72b8fbb39d00fce-1820552@contact.gandi.net
lastupdated: 2013-12-04 20:45:58
bill-c:
nic-hdl: JK3349-GANDI
owner-name: Jorj Keria
organisation: ~
person: Jorj Keria
address: 'St.Patrick 183 , 2'
zipcode: 11012
city: New York
country: United States of America
phone: +1.2811243314
fax: ~
email: 529347fb1b098f6ad72b8fbb39d00fce-1820552@contact.gandi.net
lastupdated: 2013-12-04 20:45:58



Tuesday, December 3, 2013

Domain: nf3.pw

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet with recursion enabled.

If you are seeing responses for this domain, unlucky: you are currently being DDoSed. Good luck.


IPtables:


There are two iptables rules available. If your distribution's iptables has the 'u32' match module, use that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFFF=0x034e4633 && 0x2c&0xFFDFDFFF=0x02505700" -j DROP -m comment --comment "DROP DNS Q nf3.pw"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 48 --algo bm --hex-string '|036e663302707700|' -j DROP -m comment --comment "DROP DNS Q nf3.pw"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
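Both rule pairs on this page (the ones above for nf3.pw and the earlier ones for dnsamplificationattacks.cc) are mechanical encodings of the DNS wire-format query name: the string rule is the raw bytes, and the u32 rule is the same bytes split into 32-bit words with a 0xDF mask on every letter so that case does not matter. The Python below is an added example, not code from this page or from the smurfmonitor repository. It generates both rules for any domain (reproducing the two pairs on this page byte for byte) and emulates the u32 comparison against a constructed IPv4/UDP/DNS query packet, so you can confirm offline that a mixed-case spelling of the name still hits the u32 rule. The packet builder's addresses and checksums are placeholders, and QNAME_OFFSET = 40 is the same no-IP-options assumption the published rules make.

```python
"""Added example (not the page's or smurfmonitor's own code): generate the
u32 and string iptables rules shown on this page for any domain, and emulate
the u32 test against a constructed DNS query packet."""
import struct

# 20-byte IPv4 header (no options) + 8-byte UDP header + 12-byte DNS header:
# the question name starts at byte 40 (0x28). Both rule styles rely on this.
QNAME_OFFSET = 40


def wire_name(domain: str) -> bytes:
    """DNS wire form of a name: length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in domain.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def u32_tests(domain: str) -> str:
    """One 'offset&mask=value' test per 4-byte word of the wire name.
    Letters are masked with 0xDF (clears bit 5, so 'a' and 'A' both match),
    everything else with 0xFF, and padding past the name with 0x00."""
    name = wire_name(domain)
    padded = name + b"\x00" * (-len(name) % 4)
    tests = []
    for i in range(0, len(padded), 4):
        mask = value = 0
        for j, b in enumerate(padded[i:i + 4]):
            if i + j >= len(name):
                m = 0x00            # padding byte: don't care
            elif bytes([b]).isalpha():
                m = 0xDF            # ASCII letter: case-fold
            else:
                m = 0xFF            # length byte, digit, '-' or terminator: exact
            mask = (mask << 8) | m
            value = (value << 8) | (b & m)
        tests.append(f"0x{QNAME_OFFSET + i:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(tests)


def u32_rule(domain: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_tests(domain)}"'
            f' -j DROP -m comment --comment "DROP DNS Q {domain}"')


def string_rule(domain: str) -> str:
    """The string-module variant: exact (case-sensitive) hex match of the wire
    name inside the byte window [--from, --to]."""
    name = wire_name(domain)
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {QNAME_OFFSET}"
            f" --to {QNAME_OFFSET + len(name)} --algo bm --hex-string '|{name.hex()}|'"
            f' -j DROP -m comment --comment "DROP DNS Q {domain}"')


def build_query_packet(qname: str, qtype: int = 255) -> bytes:
    """Constructed IPv4/UDP/DNS query (type ANY by default) using documentation
    addresses and zero checksums; only the byte layout matters for the match."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) \
        + wire_name(qname) + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 53]))
    return ip + udp


def u32_matches(packet: bytes, tests: str) -> bool:
    """Emulate xt_u32 for the 'off&mask=val' form used above: read the big-endian
    32-bit word at each offset, AND it with the mask, compare. A read past the
    end of the packet makes the whole match fail, as it does in the kernel."""
    for test in tests.split(" && "):
        lhs, val = test.split("=")
        off, mask = (int(x, 16) for x in lhs.split("&"))
        if off + 4 > len(packet):
            return False
        word = struct.unpack_from("!I", packet, off)[0]
        if word & mask != int(val, 16):
            return False
    return True


if __name__ == "__main__":
    print(u32_rule("nf3.pw"))
    print(string_rule("nf3.pw"))
    tests = u32_tests("dnsamplificationattacks.cc")
    # A mixed-case query still hits the u32 rule thanks to the 0xDF masks.
    print(u32_matches(build_query_packet("DNSAmplificationAttacks.CC"), tests))
```

Run it to print the rules for nf3.pw, or change the domain argument to build a rule for a new name you see in your query logs. The generated string rule, like the ones on this page, matches only the lowercase spelling; pass --icase to the string module if you want it to fold case the way the u32 version does.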

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
nf3.pw. 900 IN NS ns1.ukraine.com.ua.
nf3.pw. 900 IN NS ns3.ukraine.com.ua.
nf3.pw. 900 IN NS ns2.ukraine.com.ua.


Response:


A 2
MX 2
NS 3
SOA 1
TXT 19
Rsize 5177


Whois


This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/

Domain ID:CNIC-DO1659398
Domain Name:NF3.PW
Created On:2013-11-29T21:45:16.0Z
Last Updated On:2013-11-29T21:45:17.0Z
Expiration Date:2014-11-29T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4522628
Registrant Name:Vasya Pupkin
Registrant Organization:Private Person
Registrant Street1:kfierikeoinoieno
Registrant City:oieoipoik
Registrant State/Province:chpikaepriekr
Registrant Postal Code:34346
Registrant Country:RU
Registrant Phone:+7.380507797565
Registrant Email:vasya-pupkin1122@rambler.ru
Admin ID:H4522631
Admin Name:Vasya Pupkin
Admin Organization:Private Person
Admin Street1:kfierikeoinoieno
Admin City:oieoipoik
Admin State/Province:chpikaepriekr
Admin Postal Code:34346
Admin Country:RU
Admin Phone:+7.380507797565
Admin Email:vasya-pupkin1122@rambler.ru
Tech ID:H4522634
Tech Name:Vasya Pupkin
Tech Organization:Private Person
Tech Street1:kfierikeoinoieno
Tech City:oieoipoik
Tech State/Province:chpikaepriekr
Tech Postal Code:34346
Tech Country:RU
Tech Phone:+7.380507797565
Tech Email:vasya-pupkin1122@rambler.ru
Billing ID:H4522637
Billing Name:Vasya Pupkin
Billing Organization:Private Person
Billing Street1:kfierikeoinoieno
Billing City:oieoipoik
Billing State/Province:chpikaepriekr
Billing Postal Code:34346
Billing Country:RU
Billing Phone:+7.380507797565
Billing Email:vasya-pupkin1122@rambler.ru
Sponsoring Registrar ID:H2440764
Sponsoring Registrar IANA ID:1606
Sponsoring Registrar Organization:Registrar of Domain Names REG.RU, LLC
Sponsoring Registrar Street1:Office 326, House 3 Vasily Petushkov Street
Sponsoring Registrar City:Moscow
Sponsoring Registrar Postal Code:125476
Sponsoring Registrar Country:RU
Sponsoring Registrar Phone:+74955801111
Sponsoring Registrar FAX:+74954915553
Sponsoring Registrar Website:http://www.reg.ru/
Name Server:NS1.UKRAINE.COM.UA
Name Server:NS2.UKRAINE.COM.UA
Name Server:NS3.UKRAINE.COM.UA
DNSSEC:Unsigned