Saturday, January 25, 2014

Domain: admin.gull.ca


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0541444d && 0x2c&0xDFDFFFDF=0x494e0447 && 0x30&0xDFDFDFFF=0x554c4c02 && 0x34&0xDFDFFF00=0x43410000" -j DROP -m comment --comment "DROP DNS Q admin.gull.ca"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|0561646d696e0467756c6c02636100|' -j DROP -m comment --comment "DROP DNS Q admin.gull.ca"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
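The rules on this page (and on the other posts below) follow one mechanical pattern, so here is an added example, my own Python and not the blog's or the smurfmonitor repository's code, that derives both flavours from a domain name and shows why the offsets and masks look the way they do. It assumes an IPv4 packet without IP options, which is what the 0x28 / --from 40 offset relies on (20-byte IP header + 8-byte UDP header + 12-byte DNS header), and it mirrors two behaviours of the kernel matchers: a u32 read that would run past the end of the packet fails the match, and the 0xDF masks in the u32 rule fold ASCII letter case, whereas the string rule as written matches only the exact lowercase bytes (xt_string has an --icase option if you want the same there). The packet builder and the RFC 5737 addresses in it are constructed sample data. Rules like these only suppress one abused name at a time; the actual fix is the one the post names, a resolver reachable from the internet with recursion enabled.

```python
"""Added example: generate the two iptables rule flavours used on this page for any
DNS name, and simulate how the kernel would evaluate them on a constructed query."""

import struct

# QNAME offset in a UDP/IPv4 DNS query: 20-byte IPv4 header (no options) + 8-byte UDP
# header + 12-byte DNS header = 40 = 0x28.  Both rule flavours assume this layout.
QNAME_OFFSET = 40
RULE_TAIL = '-j DROP -m comment --comment "DROP DNS Q {domain}"'


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: <len><label>...<0x00>."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def string_rule(domain: str) -> str:
    """'-m string' flavour: exact byte search for the lowercase wire name in [40, 40+len)."""
    wire = dns_wire_name(domain.lower())
    return (f"iptables --insert INPUT -p udp --dport 53 -m string "
            f"--from {QNAME_OFFSET} --to {QNAME_OFFSET + len(wire)} "
            f"--algo bm --hex-string '|{wire.hex()}|' " + RULE_TAIL.format(domain=domain.lower()))


def u32_tests(domain: str) -> str:
    """'-m u32' flavour: one 32-bit read per 4 bytes of the wire name, starting at 0x28.
    Letters get mask 0xDF (clears bit 5, so 'a' and 'A' both compare as 0x41); length
    bytes, digits, '-' and the terminator get 0xFF; padding past the name gets 0x00."""
    wire = dns_wire_name(domain)
    tests = []
    for start in range(0, len(wire), 4):
        chunk = wire[start:start + 4]
        mask = value = 0
        for i in range(4):
            mask <<= 8
            value <<= 8
            if i < len(chunk):
                b = chunk[i]
                if 0x41 <= (b & 0xDF) <= 0x5A:   # ASCII letter: case-fold
                    mask |= 0xDF
                    value |= b & 0xDF
                else:                             # anything else: exact match
                    mask |= 0xFF
                    value |= b
        tests.append(f"0x{QNAME_OFFSET + start:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(tests)


def u32_rule(domain: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_tests(domain)}" '
            + RULE_TAIL.format(domain=domain.lower()))


def build_query_packet(qname: str, qtype: int = 255) -> bytes:
    """Constructed sample packet: minimal IPv4 + UDP + DNS query (QTYPE ANY by default).
    Checksums are left zero; neither matcher reads them."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + dns_wire_name(qname) + struct.pack("!HH", qtype, 1))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 53]))  # RFC 5737 test addresses
    return ip + udp + dns


def u32_matches(packet: bytes, tests: str) -> bool:
    """Evaluate 'off&mask=value && ...' the way xt_u32 does: 4 bytes big-endian at each
    offset; a read that would run past the end of the packet fails the whole match."""
    for test in tests.split(" && "):
        off_mask, value = test.split("=")
        off, mask = (int(x, 16) for x in off_mask.split("&"))
        if off + 4 > len(packet):
            return False
        if struct.unpack_from("!I", packet, off)[0] & mask != int(value, 16):
            return False
    return True


def string_matches(packet: bytes, domain: str) -> bool:
    """Evaluate the '-m string' rule: exact (case-sensitive) search in the --from/--to window."""
    wire = dns_wire_name(domain.lower())
    return wire in packet[QNAME_OFFSET:QNAME_OFFSET + len(wire)]


if __name__ == "__main__":
    for name in ("admin.gull.ca", "kvfn.ru", "qww1.ru"):
        print(u32_rule(name))
        print(string_rule(name))
    mixed = build_query_packet("Admin.GULL.ca")   # letter case chosen by the sender
    print("u32 folds case:", u32_matches(mixed, u32_tests("admin.gull.ca")))   # True
    print("string is exact:", string_matches(mixed, "admin.gull.ca"))          # False
```

Run it and diff the printed rules against the ones on this page; the mixed-case query at the end is the case the masks exist for.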

Source:


162.211.126.19

Name server:

gull.ca.                86400   IN      NS      ns4.i-mecca.net.
gull.ca.                86400   IN      NS      ns5.i-mecca.net.

Response:


TXT 16
Rsize 4024


Whois


Domain name:           gull.ca
Domain status:         registered
Creation date:         2000/12/30
Expiry date:           2015/12/30

Registrar:
    Name:              Can Reg (Infinet Communications Group Inc.)
    Number:            146

Name servers:
    ns4.i-mecca.net
    ns5.i-mecca.net




Friday, January 24, 2014

Domain: x.xipzersscc.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFDF=0x01580a58 && 0x2c&0xDFDFDFDF=0x49505a45 && 0x30&0xDFDFDFDF=0x52535343 && 0x34&0xDFFFDFDF=0x4303434f && 0x38&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q x.xipzersscc.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|01780A7869707a65727373636303636f6d00|' -j DROP -m comment --comment "DROP DNS Q x.xipzersscc.com"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


93.174.93.83 -  Ecatel

Name server:

xipzersscc.com.         83259   IN      NS      dns1.xipzersscc.com.
xipzersscc.com.         83259   IN      NS      dns2.xipzersscc.com.

dns2.xipzersscc.com.    49168   IN      A       81.4.127.231 ~proserve
dns1.xipzersscc.com.    49174   IN      A       81.4.127.231 ~proserve

Response:


TXT 1
Rsize ??


Whois



The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: xipzersscc.com
Registry Domain ID: 1829670299_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2014-01-18T00:19:49Z
Creation Date: 2013-10-02T18:18:04Z
Registrar Registration Expiration Date: 2014-10-02T18:18:04Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller:
Domain Status: clientTransferProhibited
Domain Status:
Domain Status:
Domain Status:
Domain Status:
Registry Registrant ID:
Registrant Name: John Enhels
Registrant Organization:
Registrant Street: Enhelsa str.
Registrant City: Nikolayev
Registrant State/Province:
Registrant Postal Code: 54001
Registrant Country: UA
Registrant Phone: +380.631408690
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 9bc94a3beada01ccb905d70b6e04b536-1788120@contact.gandi.net
Registry Admin ID:
Admin Name: John Enhels
Admin Organization:
Admin Street: Enhelsa str.
Admin City: Nikolayev
Admin State/Province:
Admin Postal Code: 54001
Admin Country: UA
Admin Phone: +380.631408690
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 9bc94a3beada01ccb905d70b6e04b536-1788120@contact.gandi.net
Registry Tech ID:
Tech Name: John Enhels
Tech Organization:
Tech Street: Enhelsa str.
Tech City: Nikolayev
Tech State/Province:
Tech Postal Code: 54001
Tech Country: UA
Tech Phone: +380.631408690
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 9bc94a3beada01ccb905d70b6e04b536-1788120@contact.gandi.net
Name Server: DNS1.XIPZERSSCC.COM
Name Server: DNS2.XIPZERSSCC.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-01-24T10:54:07Z <<<



Friday, January 17, 2014

Domain: fkfkfkfa.co.uk


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08464b46 && 0x2c&0xDFDFDFDF=0x4b464b46 && 0x30&0xDFFFDFDF=0x4102434f && 0x34&0xFFDFDFFF=0x02554b00" -j DROP -m comment --comment "DROP DNS Q fkfkfkfa.co.uk"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|08666b666b666b666102636f02756b00|' -j DROP -m comment --comment "DROP DNS Q fkfkfkfa.co.uk"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.102.49.241

Name server:


;; ANSWER SECTION:
fkfkfkfa.co.uk. 21600 IN NS ns1.fkfkfkfa.co.uk.
fkfkfkfa.co.uk. 21600 IN NS ns2.fkfkfkfa.co.uk.


Response:


A 243
NS 2
SOA 1
Rsize 3976


Whois



Domain name:
fkfkfkfa.co.uk

Registrant:
PakGaming

Registrant type:
Non-UK Corporation

Registrant's address:
Lyari City, House No # 203
Karachi
Sindh
74552
Pakistan

Registrar:
eNom, Inc. [Tag = ENOM]
URL: http://www.enom.com

Relevant dates:
Registered on: 15-Jan-2014
Expiry date: 15-Jan-2015
Last updated: 15-Jan-2014

Registration status:
Registered until expiry date.

Name servers:
ns1.fkfkfkfa.co.uk 50.2.65.18
ns2.fkfkfkfa.co.uk 50.2.65.18

WHOIS lookup made at 23:24:12 17-Jan-2014

--
This WHOIS information is provided for free by Nominet UK the central registry
for .uk domain names. This information and the .uk WHOIS are:

Copyright Nominet UK 1996 - 2014.

You may not access the .uk WHOIS or use any data from it except as permitted
by the terms of use available in full at http://www.nominet.org.uk/whoisterms, which
includes restrictions on: (A) use of the data for advertising, or its
repackaging, recompilation, redistribution or reuse (B) obscuring, removing
or hiding any or all of this notice and (C) exceeding query rate or volume
limits. The data is provided on an 'as-is' basis and may lag behind the
register. Access may be withdrawn or restricted at any time.



Domain: kvfn.ru


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x044b5646 && 0x2c&0xDFFFDFDF=0x4e025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q kvfn.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|046b76666e02727500|' -j DROP -m comment --comment "DROP DNS Q kvfn.ru"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


93.174.95.57

Name server:


;; ANSWER SECTION:
kvfn.ru. 20379 IN NS ns1.reg.ru.
kvfn.ru. 20379 IN NS ns2.reg.ru.


Response:


A 242
NS 2
SOA 1
Rsize 3968


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: KVFN.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2013.11.09
paid-till: 2014.11.09
free-date: 2014.12.10
source: TCI

Last updated on 2014.01.18 03:21:37 MSK




Wednesday, January 8, 2014

Domain: Zong.Zong.Co.Ua

Domain: zong.zong.co.ua

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x045a4f4e && 0x2c&0xDFFFDFDF=0x47045a4f && 0x30&0xDFDFFFDF=0x4e470243 && 0x34&0xDFFFDFDF=0x4f025541 && 0x38&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q zong.zong.co.ua"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|047a6f6e67047a6f6e6702636f02756100|' -j DROP -m comment --comment "DROP DNS Q zong.zong.co.ua"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:

zong.co.ua.             86400   IN      NS      ns1.reg.ru.
zong.co.ua.             86400   IN      NS      ns2.reg.ru.

Response:


A 242
Rsize 3905


Whois


Domain ID:589099_COUA-DRS
Domain Name:ZONG.CO.UA
Created On:07-Jan-2014 14:31:16 UTC
Last Updated On:07-Jan-2014 14:31:16 UTC
Expiration Date:07-Jan-2015 14:31:16 UTC
Sponsoring Registrar:Reg RU (reg-ru-mnt-cunic)
Status:ok
Registrant ID:O8402055-CUNIC
Registrant Name:<not disclosed>
Registrant Organization:Private Person
Registrant Street1:<not disclosed>
Registrant Street2:<not disclosed>
Registrant Street3:<not disclosed>
Registrant City:<not disclosed>
Registrant State/Province:<not disclosed>
Registrant Postal Code:<not disclosed>
Registrant Country:<not disclosed>
Registrant Phone:+61.420500569
Registrant Fax:
Registrant Email:manlazy@hotmail.co.uk
Admin ID:A8402055-CUNIC
Admin Name:<not disclosed>
Admin Organization:Private Person
Admin Street1:<not disclosed>
Admin Street2:<not disclosed>
Admin Street3:<not disclosed>
Admin City:<not disclosed>
Admin State/Province:<not disclosed>
Admin Postal Code:<not disclosed>
Admin Country:<not disclosed>
Admin Phone:+61.420500569
Admin Fax:
Admin Email:manlazy@hotmail.co.uk
Billing ID:B8402055-CUNIC
Billing Name:<not disclosed>
Billing Organization:Private Person
Billing Street1:<not disclosed>
Billing Street2:<not disclosed>
Billing Street3:<not disclosed>
Billing City:<not disclosed>
Billing State/Province:<not disclosed>
Billing Postal Code:<not disclosed>
Billing Country:<not disclosed>
Billing Phone:+61.420500569
Billing Fax:
Billing Email:manlazy@hotmail.co.uk
Tech ID:T8402055-CUNIC
Tech Name:<not disclosed>
Tech Organization:Private Person
Tech Street1:<not disclosed>
Tech Street2:<not disclosed>
Tech Street3:<not disclosed>
Tech City:<not disclosed>
Tech State/Province:<not disclosed>
Tech Postal Code:<not disclosed>
Tech Country:<not disclosed>
Tech Phone:+61.420500569
Tech Fax:
Tech Email:manlazy@hotmail.co.uk
Name Server:NS2.REG.RU
Name Server:NS1.REG.RU






Sunday, January 5, 2014

Domain: qww1.ru


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04515757 && 0x2c&0xFFFFDFDF=0x31025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q qww1.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|047177773102727500|' -j DROP -m comment --comment "DROP DNS Q qww1.ru"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
qww1.ru. 21600 IN NS ns2.reg.ru.
qww1.ru. 21600 IN NS ns1.reg.ru.


Response:


A 242
NS 2
SOA 1
Rsize 3968


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: QWW1.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.01.04
paid-till: 2015.01.04
free-date: 2015.02.04
source: TCI

Last updated on 2014.01.05 20:41:34 MSK




Domain: pddos.com


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x05504444 && 0x2c&0xDFDFFFDF=0x4f530343 && 0x30&0xDFDFFF00=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q pddos.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|057064646f7303636f6d00|' -j DROP -m comment --comment "DROP DNS Q pddos.com"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
pddos.com. 600 IN NS ns1.spaceweb.ru.
pddos.com. 600 IN NS ns2.spaceweb.ru.


Response:


A 5
MX 43
NS 2
SOA 1
TXT 3
Rsize 3968


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: PDDOS.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.SPACEWEB.RU
Name Server: NS2.SPACEWEB.RU
Status: clientTransferProhibited
Updated Date: 04-jan-2014
Creation Date: 04-jan-2014
Expiration Date: 04-jan-2015

>>> Last update of whois database: Sun, 05 Jan 2014 16:42:37 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.


Registrant:
Burakosky Sergei Aleksandrovych mrinj@ya.ru +8.0504661325 +8.0504661325
SpaceWeb client
Petrozavodskii Str., 7
Harkov,n/a,RU 03119


Domain Name:pddos.com
Record last updated at
Record created on 1/4/2014
Record expired on 01/04/2015


Domain servers in listed order:
ns1.spaceweb.ru ns2.spaceweb.ru

Administrator:
Petrozavodskii Str., 7
Harkov
n/a,
RU
03119

name:(Burakosky Sergei Aleksandrovych)
mail:(mrinj@ya.ru) +8.0504661325
+8.0504661325
SpaceWeb client
Technical Contactor:
18 Tsvetochnaya str.
Saint-Petersburg
n/a,
RU
196084

name:(Igor Shakhbazyan)
mail:(domain.reg@sweb.ru) +7.8123341222
+7.8123341222
SpaceWeb JSC
Billing Contactor:
Petrozavodskii Str., 7
Harkov
n/a,
RU
03119

name:(Burakosky Sergei Aleksandrovych)
mail:(mrinj@ya.ru) +8.0504661325
+8.0504661325
SpaceWeb client

Registration Service Provider:
name: Spaceweb LLC
tel: +7.8123341222
fax: +7.8123341222
web:http://www.sweb.ru



Saturday, January 4, 2014

Domain: iri.so


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03495249 && 0x2c&0xFFDFDFFF=0x02534f00" -j DROP -m comment --comment "DROP DNS Q iri.so"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 48 --algo bm --hex-string '|0369726902736f00|' -j DROP -m comment --comment "DROP DNS Q iri.so"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
iri.so. 600 IN NS ns1.spaceweb.ru.
iri.so. 600 IN NS ns2.spaceweb.ru.


Response:


A 5
MX 41
NS 3
SOA 1
TXT 3
Rsize 3968


Whois


This whois service is provided by GMO Registry and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) GMO Registry http://www.gmo-registry.com/en/

Domain ID:GMOREGISTRY-DO4238
Domain Name:IRI.SO
Created On:2013-07-10T05:38:55.0Z
Last Updated On:2013-09-25T10:13:18.0Z
Expiration Date:2014-07-10T23:59:59.0Z
Status:ok
Registrant ID:sub-708849
Registrant Name:Kanevsky Alexandr
Registrant Street1:Dniprovska Naberejna, 26
Registrant City:Kyiv
Registrant State/Province:Kievskaya
Registrant Postal Code:02000
Registrant Country:UA
Registrant Phone:+380.919028653
Registrant Email:vinject0@gmail.com
Admin ID:sub-708849
Admin Name:Kanevsky Alexandr
Admin Street1:Dniprovska Naberejna, 26
Admin City:Kyiv
Admin State/Province:Kievskaya
Admin Postal Code:02000
Admin Country:UA
Admin Phone:+380.919028653
Admin Email:vinject0@gmail.com
Tech ID:sub-708849
Tech Name:Kanevsky Alexandr
Tech Street1:Dniprovska Naberejna, 26
Tech City:Kyiv
Tech State/Province:Kievskaya
Tech Postal Code:02000
Tech Country:UA
Tech Phone:+380.919028653
Tech Email:vinject0@gmail.com
Billing ID:sub-708849
Billing Name:Kanevsky Alexandr
Billing Street1:Dniprovska Naberejna, 26
Billing City:Kyiv
Billing State/Province:Kievskaya
Billing Postal Code:02000
Billing Country:UA
Billing Phone:+380.919028653
Billing Email:vinject0@gmail.com
Sponsoring Registrar ID:subreg
Sponsoring Registrar Organization:Gransy s.r.o. d/b/a/ subreg.cz
Sponsoring Registrar Street1:Borivojova 35
Sponsoring Registrar City:Praha
Sponsoring Registrar Postal Code:135 00
Sponsoring Registrar Country:CZ
Sponsoring Registrar Phone:+420.420732954549
Name Server:NS1.SPACEWEB.RU
Name Server:NS2.SPACEWEB.RU
DNSSEC:Unsigned





Thursday, January 2, 2014

Domain: saveroads.ru


If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently being DDoSed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09534156 && 0x2c&0xDFDFDFDF=0x45524f41 && 0x30&0xDFDFFFDF=0x44530252 && 0x34&0xDFFF0000=0x55000000" -j DROP -m comment --comment "DROP DNS Q saveroads.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|0973617665726f61647302727500|' -j DROP -m comment --comment "DROP DNS Q saveroads.ru"

More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


81.17.130.54 -  AS21500 TNS-AS Scientific Production Enterprise "Technaukservice" Ltd

Name server:


;; ANSWER SECTION:
saveroads.ru. 21600 IN NS ns1.reg.ru.
saveroads.ru. 21600 IN NS ns2.reg.ru.


Response:


A 241
NS 2
SOA 1
Rsize 3957


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: SAVEROADS.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2013.12.25
paid-till: 2014.12.25
free-date: 2015.01.25
source: TCI

Last updated on 2013.12.30 04:56:35 MSK