RE: DNS deluge for x.p.ctrc.cc
From: "Ejay Hire" <ejay.hire () isdn net>
Date: Fri, 24 Feb 2006 12:30:29 -0600
It may be coincidental, but TXT and ANY queries for this
zone were the ones used in the multi-gigabit reflected dns
DDOS against us earlier this month.
ISDN-Net Network Engineer
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]
Behalf Of Estes, Paul
Sent: Friday, February 24, 2006 11:26 AM
To: nanog () merit edu
Subject: DNS deluge for x.p.ctrc.cc
We have recently noticed a deluge of DNS requests for "ANY
ANY" records of x.p.ctrc.cc. The requests are coming from
thousands of sources, mostly our own customers. There are
currently no records for x.p.ctrc.cc, or even for
A google search for x.p.ctrc.cc comes up with only 2 hits.
One is a DNS log showing references to this name. The
other one shows that somebody else is seeing the same behavior
as we are:
However, this site has the benefit of providing a history
that p.ctrc.cc had (a week ago) delegated NS record
to 321blowjob.com. At that time, 321blowjob.com's
was responding with a TXT record for x.p.ctrc.cc.
It would appear that ctrc.cc was the victim of some DNS
hijacking. Whatever malware is attempting to lookup this
name, however, is doing so at a horrific rate. I have some
addresses that have made >250000 requests for this name in a
short period of time.
I was thinking that I could simply put an authoritative
for p.ctrc.cc in our nameservers and return something for
lookups, however based on the writeup on the above
blog, I am now not certain this will have any effect. As
you'll note, that individual had only 2 machines hitting his
name server, and even though a response was provided to
lookup, the hosts continued to hammer his access link.
When the lookup flood occurs, every host starts at the same
time, as can be seen on the graphs of traffic to and load on
our nameservers. It's all or nothing - the flood is either on
or off. There's no background trickle.
Is anybody else seeing these events?
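As an added example (not code from the thread or from either poster), the script below scans BIND-style query logs for the pattern Paul describes: a single name, ANY/TXT query types, a handful of clients sending most of the traffic, and every client starting within seconds of each other. The log line format and the sample lines are constructed; the thresholds (8 queries per name, 5 per client, 2 seconds of onset slack) are assumptions sized to the sample, not operational values.

```python
"""Spot a query flood of the kind described in the thread: one name, ANY/TXT
query types, a few clients sending most of it, and a synchronised onset.

Added example, not code from the thread or its posters. Input is a
BIND-style query log; the sample below is constructed, and the thresholds
are assumptions chosen for the sample, not operational values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One BIND-style query-log line per query; the format is assumed here,
# it is not taken from the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:queries: info: )?client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: x.p.ctrc.cc is the name from the thread; the client
# addresses are RFC 5737 documentation ranges, not real resolvers or hosts.
SAMPLE_LOG = """\
24-Feb-2006 11:20:00.101 queries: info: client 192.0.2.10#40001: query: www.example.com IN A +
24-Feb-2006 11:20:01.004 queries: info: client 198.51.100.7#51000: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.010 queries: info: client 198.51.100.8#51001: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.020 queries: info: client 198.51.100.9#51002: query: x.p.ctrc.cc IN TXT +
24-Feb-2006 11:20:01.300 queries: info: client 198.51.100.7#51003: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.600 queries: info: client 198.51.100.7#51004: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.900 queries: info: client 198.51.100.7#51005: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:02.100 queries: info: client 198.51.100.8#51006: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:02.200 queries: info: client 198.51.100.9#51007: query: x.p.ctrc.cc IN TXT +
24-Feb-2006 11:20:02.400 queries: info: client 198.51.100.7#51008: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:02.500 queries: info: client 198.51.100.8#51009: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:03.000 queries: info: client 192.0.2.11#40002: query: mail.example.com IN MX +
24-Feb-2006 11:25:00.000 queries: info: client 198.51.100.20#51010: query: x.p.ctrc.cc IN ANY +
"""


def parse_line(line):
    """Return (timestamp, client, qname, qtype) for a query line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def analyse(lines, qtypes=("ANY", "TXT"), name_threshold=8,
            client_threshold=5, onset_slack=timedelta(seconds=2)):
    """Group ANY/TXT queries by name and report names that look flooded.

    For each reported name: total queries, breakdown by type, per-client
    counts, clients at or above client_threshold, and how many clients sent
    their first query within onset_slack of the flood's first query (the
    'everyone starts at once' signature described in the thread).
    """
    events = defaultdict(list)  # qname -> [(ts, client, qtype), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-query log lines are skipped
        ts, client, qname, qtype = parsed
        if qtype in qtypes:
            events[qname].append((ts, client, qtype))

    findings = {}
    for qname, evs in events.items():
        if len(evs) < name_threshold:
            continue
        evs.sort()                      # chronological; timestamps come first
        onset = evs[0][0]
        per_client = Counter(c for _, c, _ in evs)
        first_seen = {}
        for ts, client, _ in evs:
            first_seen.setdefault(client, ts)
        synced = sum(1 for ts in first_seen.values() if ts - onset <= onset_slack)
        findings[qname] = {
            "total": len(evs),
            "by_type": dict(Counter(t for _, _, t in evs)),
            "onset": onset,
            "distinct_clients": len(per_client),
            "synchronised_clients": synced,
            "heavy_clients": sorted(c for c, n in per_client.items()
                                    if n >= client_threshold),
            "per_client": dict(per_client),
        }
    return findings


if __name__ == "__main__":
    for qname, f in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{qname}: {f['total']} queries {f['by_type']} from "
              f"{f['distinct_clients']} clients, onset {f['onset']:%H:%M:%S}; "
              f"{f['synchronised_clients']} started within 2 s of onset; "
              f"heavy senders: {', '.join(f['heavy_clients']) or 'none'}")
```

On the constructed sample this reports x.p.ctrc.cc with 11 ANY/TXT queries from 4 clients, 3 of which began within two seconds of the first query, and one client responsible for 5 of them; the A and MX lookups for other names are ignored. On a real log the heavy-client list is what you would hand to the abuse desk, and the synchronised-client ratio is what distinguishes a coordinated flood from organic resolver traffic.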