Saturday, June 28, 2014

Domain: lalka.com.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain: unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x054c414c && 0x2c&0xDFDFFFDF=0x4b410343 && 0x30&0xDFDFFFDF=0x4f4d0252 && 0x34&0xDFFF0000=0x55000000" -j DROP -m comment --comment "DROP DNS Q lalka.com.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|056c616c6b6103636f6d02727500|' -j DROP -m comment --comment "DROP DNS Q lalka.com.ru"

More iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.79.10.76

Response:


;; ANSWER SECTION:
lalka.com.ru. 600 IN SOA ns1.spaceweb.ru. dns1.sweb.ru. 2014052970 28800 7200 604800 600
lalka.com.ru. 600 IN NS ns2.spaceweb.ru.
lalka.com.ru. 600 IN NS ns1.spaceweb.ru.
lalka.com.ru. 600 IN A 77.222.56.62
lalka.com.ru. 600 IN MX 10 mx.asdgggggasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdaiouuytsdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdhjhjhjasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasghghghdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdafgffsdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdfgfgfgasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd1.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd2.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd3.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd4.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd5.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd7.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdaghghghghsdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd10.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd11.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffagfhgfhfghsdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdashghgdfgdgdffasdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd564.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasdjkj.com.
lalka.com.ru. 600 IN MX 20 mx2.spaceweb.ru.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdaesdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasfdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasddasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdffasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdaccsdasdffasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdashhhhdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasjjjjdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdjjjjasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdgfffgasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15ER"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15Gp"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15II"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15OO"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15SA"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15WW"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15YY"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdas"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15A"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15Q"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15S"

Record counts in the response:
A 4
MX 32
NS 2
SOA 1
TXT 12
Response size (Rsize): 4155 bytes


Domain: bangtest.zong.co.ua

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain: unlucky. You are currently being DDoS-ed! Good luck.
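The diagnosis above (for this domain and for lalka.com.ru earlier on this page) rests on one condition: the server answers recursive queries for anyone on the internet. The script below is an added example, not part of the original post, that checks exactly that for your own resolver. It sends a single query with the RD bit set and reads the RA bit, the RCODE and the answer count from the reply; a reply with RA=1, RCODE=0 and at least one answer for a name you are not authoritative for means the server recurses for outsiders. Run it from a host outside your network against the resolver's public address. The resolver address 192.0.2.53, the probe name example.com and the two canned replies are constructed placeholders.

```python
"""Check whether a resolver answers recursive queries for outsiders.

Added example; not part of the original post. The classifier works on
the 12-byte DNS header only, so it can be checked offline against the
constructed replies at the bottom; probe() does the real network round
trip when run from the command line.
"""
import socket
import struct

PROBE_TXID = 0x1234  # constructed transaction id, echoed back by the server


def encode_qname(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = PROBE_TXID) -> bytes:
    """Minimal A query: 12-byte header with RD=1 (flags 0x0100), then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(reply: bytes) -> dict:
    """Pull the fields a recursion check needs out of the DNS header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS reply")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }


def is_open_recursive(reply: bytes, txid: int = PROBE_TXID) -> bool:
    """True when the server recursed for us: RA set, NOERROR, and an answer present."""
    h = parse_header(reply)
    return h["id"] == txid and h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def probe(resolver_ip: str, name: str = "example.com", timeout: float = 3.0) -> bool:
    """Send the query over UDP/53 and classify the first reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return is_open_recursive(reply)


# Constructed replies for an offline check of the classifier.
# Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0, plus one A answer (sample address).
OPEN_REPLY = (
    struct.pack("!HHHHHH", PROBE_TXID, 0x8180, 1, 1, 0, 0)
    + encode_qname("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
# Flags 0x8105: QR=1, RD=1, RA=0, RCODE=5 (REFUSED): the resolver declines to recurse.
REFUSED_REPLY = (
    struct.pack("!HHHHHH", PROBE_TXID, 0x8105, 1, 0, 0, 0)
    + encode_qname("example.com") + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder resolver address
    print("open recursive resolver" if probe(target) else "recursion not offered")
```

A REFUSED reply, or a reply with RA clear, is what a correctly restricted resolver gives to addresses outside its allowed client ranges; a NOERROR answer with RA set from the outside is the condition the post describes.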


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0842414e && 0x2c&0xDFDFDFDF=0x47544553 && 0x30&0xDFFFDFDF=0x54045a4f && 0x34&0xDFDFFFDF=0x4e470243 && 0x38&0xDFFFDFDF=0x4f025541 && 0x3c&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q bangtest.zong.co.ua"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 61 --algo bm --hex-string '|0862616e6774657374047a6f6e6702636f02756100|' -j DROP -m comment --comment "DROP DNS Q bangtest.zong.co.ua"

More iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
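Both rules above, and the pair given for lalka.com.ru earlier on this page, are derived mechanically from the wire format of the query name: length-prefixed labels ending in a zero byte. The script below is an added example, not part of the original post or of the smurfmonitor repository; it rebuilds the u32 and the string rule for any query name and shows what the u32 masks do (0xDF on letters folds a-z onto A-Z, so the rule catches mixed-case spellings of the same name). It makes the same assumption the page's rules make: the query is UDP over IPv4 with a plain 20-byte IP header, so the QNAME starts at byte 40 = 20 (IP) + 8 (UDP) + 12 (DNS header). A packet carrying IP options shifts every offset and is matched by neither rule. The constructed packet builder and the offline u32 evaluator are there only to check the rules; they are not part of iptables.

```python
"""Generate the iptables u32 and string rules for a DNS query name.

Added example, not part of the original post or of the smurfmonitor
repository. Assumes a 20-byte IPv4 header with no options, as the
page's own rules do.
"""
import struct

QNAME_OFFSET = 40  # 20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header


def encode_qname(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def u32_tests(name: str) -> str:
    """One 'offset&mask=value' test per 32-bit word of the encoded name.

    Letters get mask 0xDF, which clears bit 5 and folds a-z onto A-Z, so
    the match is case-insensitive like DNS itself. Length bytes, digits,
    hyphens and the terminator are compared exactly (mask 0xFF). Bytes of
    the last word that lie past the terminator are masked out (0x00).
    """
    wire = encode_qname(name)
    tests = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        mask = value = 0
        for j in range(4):
            mask <<= 8
            value <<= 8
            if j < len(chunk):
                b = chunk[j]
                if chr(b).isalpha():
                    mask |= 0xDF
                    value |= b & 0xDF
                else:
                    mask |= 0xFF
                    value |= b
        tests.append(f"0x{QNAME_OFFSET + i:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(tests)


def u32_rule(name: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_tests(name)}"'
            f' -j DROP -m comment --comment "DROP DNS Q {name}"')


def string_rule(name: str) -> str:
    """String-module variant: the same bytes, searched only in the window where
    the QNAME sits, so the name cannot match elsewhere in the packet."""
    wire = encode_qname(name)
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {QNAME_OFFSET}"
            f" --to {QNAME_OFFSET + len(wire)} --algo bm --hex-string '|{wire.hex()}|'"
            f' -j DROP -m comment --comment "DROP DNS Q {name}"')


def u32_matches(expr: str, packet: bytes) -> bool:
    """Evaluate a generated u32 expression (offset&mask=value joined by '&&')
    against raw packet bytes. A read past the end of the packet is a non-match,
    as in the kernel module."""
    for test in expr.split(" && "):
        lhs, value = test.split("=")
        offset, mask = lhs.split("&")
        offset, mask, value = int(offset, 16), int(mask, 16), int(value, 16)
        if offset + 4 > len(packet):
            return False
        word = int.from_bytes(packet[offset:offset + 4], "big")
        if word & mask != value:
            return False
    return True


def dns_query_packet(name: str) -> bytes:
    """Constructed IPv4/UDP/DNS query for offline checks: 20-byte IP header
    (version 4, IHL 5, everything else zeroed), 8-byte UDP header, 12-byte
    DNS header with RD=1, then the question (QTYPE=A, QCLASS=IN)."""
    ip_header = bytes([0x45]) + b"\x00" * 19
    udp_header = struct.pack("!HHHH", 40000, 53, 0, 0)
    dns_header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return ip_header + udp_header + dns_header + encode_qname(name) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    for domain in ("lalka.com.ru", "bangtest.zong.co.ua"):
        print(u32_rule(domain))
        print(string_rule(domain))
    # The 0xDF masks make the rule catch mixed-case spellings of the same name.
    expr = u32_tests("lalka.com.ru")
    print(u32_matches(expr, dns_query_packet("LaLkA.CoM.ru")))  # True
    print(u32_matches(expr, dns_query_packet("lalka.com.ua")))  # False
```

Running it prints the two rule pairs exactly as they appear on this page, which is a quick way to check a rule before inserting it; the last two lines show that the u32 variant matches a mixed-case query for the listed name and rejects a different name of the same shape.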

Source:


204.124.183.210

Name server:


;; ANSWER SECTION:
zong.co.ua. 21599 IN NS ns1.reg.ru.
zong.co.ua. 21599 IN NS ns2.reg.ru.

Whois:

Domain ID:589099_COUA-DRS
Domain Name:ZONG.CO.UA
Created On:07-Jan-2014 14:31:16 UTC
Last Updated On:04-Jun-2014 17:07:50 UTC
Expiration Date:07-Jan-2015 14:31:16 UTC
Sponsoring Registrar:Reg RU (reg-ru-mnt-cunic)
Status:ok
Registrant ID:O8402055-CUNIC
Registrant Name:
Registrant Organization:Private Person
Registrant Street1:
Registrant Street2:
Registrant Street3:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:+61.420500569
Registrant Fax:
Registrant Email:manlazy@hotmail.co.uk
Admin ID:A8402055-CUNIC
Admin Name:
Admin Organization:Private Person
Admin Street1:
Admin Street2:
Admin Street3:
Admin City:
Admin State/Province:
Admin Postal Code:
Admin Country:
Admin Phone:+61.420500569
Admin Fax:
Admin Email:manlazy@hotmail.co.uk
Billing ID:B8402055-CUNIC
Billing Name:
Billing Organization:Private Person
Billing Street1:
Billing Street2:
Billing Street3:
Billing City:
Billing State/Province:
Billing Postal Code:
Billing Country:
Billing Phone:+61.420500569
Billing Fax:
Billing Email:manlazy@hotmail.co.uk
Tech ID:T8402055-CUNIC
Tech Name:
Tech Organization:Private Person
Tech Street1:
Tech Street2:
Tech Street3:
Tech City:
Tech State/Province:
Tech Postal Code:
Tech Country:
Tech Phone:+61.420500569
Tech Fax:
Tech Email:manlazy@hotmail.co.uk
Name Server:NS2.REG.RU
Name Server:NS1.REG.RU