nanog mailing list archives

RE: DNS deluge for x.p.ctrc.cc
From: "Ejay Hire" <ejay.hire () isdn net>
Date: Fri, 24 Feb 2006 12:30:29 -0600


It may be coincidental, but TXT and ANY queries for this
zone were the ones used in the multi-gigabit reflected dns
DDOS against us earlier this month.

Ejay Hire
ISDN-Net Network Engineer

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Estes, Paul
Sent: Friday, February 24, 2006 11:26 AM
To: nanog () merit edu
Subject: DNS deluge for x.p.ctrc.cc

We have recently noticed a deluge of DNS requests for "ANY ANY" records of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers. There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc. A google search for x.p.ctrc.cc comes up with only 2 hits.

One is a DNS log showing references to this name. The other one shows that somebody else is seeing the same behavior as we are:

http://weblog.barnet.com.au/edwin/cat_networking.html

However, this site has the benefit of providing a history that p.ctrc.cc had (a week ago) a delegated NS record pointing to 321blowjob.com. At that time, 321blowjob.com's nameserver was responding with a TXT record for x.p.ctrc.cc.

It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to look up this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.

I was thinking that I could simply put an authoritative zone for p.ctrc.cc in our nameservers and return something for the lookups; however, based on the writeup on the above-mentioned blog, I am now not certain this will have any effect. As you'll note, that individual had only 2 machines hitting his name server, and even though a response was provided to the lookup, the hosts continued to hammer his access link.

When the lookup flood occurs, every host starts at the same time, as can be seen on the graphs of traffic to and load of our nameservers. It's all or nothing - the flood is either on or off. There's no background trickle.

Is anybody else seeing these events?

--Paul
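The two observations in this thread (a handful of sources making >250000 queries for one name, and the ANY/TXT query types that fit a reflection pattern) can be turned into a small resolver-log check. The script below is an added example written for this archive page, not code from either poster. It assumes a BIND 9 style query log (the sample lines are constructed, with RFC 5737 documentation addresses) and illustrative thresholds; the zone name, the per-source threshold and the "amplifying" query types are parameters you would set for your own environment.

```python
"""Flag heavy hitters and burst seconds for one zone in a resolver query log.

Added example for the NANOG thread above; not the posters' code.
Assumes a BIND 9 style 'queries' log line such as:
  24-Feb-2006 11:20:00.000 client 192.0.2.10#1025: query: x.p.ctrc.cc IN ANY +
"""
import re
from collections import Counter

# Constructed sample log; timestamps, clients and counts are made up for illustration.
SAMPLE_LOG = """\
24-Feb-2006 11:20:00.000 client 192.0.2.10#1025: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:00.001 client 192.0.2.10#1025: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:00.002 client 192.0.2.10#1025: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:00.003 client 192.0.2.11#3001: query: x.p.ctrc.cc IN TXT +
24-Feb-2006 11:20:00.004 client 192.0.2.11#3001: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:00.005 client 198.51.100.7#5353: query: www.example.com IN A +
24-Feb-2006 11:20:01.000 client 192.0.2.12#1026: query: mail.example.net IN MX +
24-Feb-2006 11:20:01.200 client 192.0.2.13#2000: query: x.p.ctrc.cc IN A +
24-Feb-2006 11:20:01.500 client 192.0.2.10#1025: query: x.p.ctrc.cc IN ANY +
this line is not a query log entry and is skipped
"""

# Timestamp (to the second), client address, query name and query type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict with ts/src/qname/qtype, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    rec["qtype"] = rec["qtype"].upper()
    return rec


def in_zone(qname, zone):
    """True if qname is the zone apex or any name below it."""
    return qname == zone or qname.endswith("." + zone)


def analyze(log_text, zone, amplifying_types=("ANY", "TXT"), per_source_threshold=3):
    """Summarise queries for one zone.

    Returns total zone queries, how many used an amplifying type (ANY/TXT as
    named in the thread), the sources at or above per_source_threshold, and a
    per-second histogram for spotting the all-or-nothing burst Paul describes.
    Thresholds here are illustrative assumptions, not recommended values.
    """
    zone = zone.rstrip(".").lower()
    per_source = Counter()
    per_second = Counter()
    amplifying = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_zone(rec["qname"], zone):
            continue
        per_source[rec["src"]] += 1
        per_second[rec["ts"]] += 1
        if rec["qtype"] in amplifying_types:
            amplifying += 1
    heavy = {src: n for src, n in per_source.items() if n >= per_source_threshold}
    return {
        "zone_queries": sum(per_source.values()),
        "amplifying": amplifying,
        "heavy_hitters": heavy,
        "per_second": dict(per_second),
    }


def burst_seconds(per_second, threshold):
    """Seconds whose query count exceeds threshold, oldest first."""
    return sorted(ts for ts, n in per_second.items() if n > threshold)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "p.ctrc.cc")
    print("zone queries:", report["zone_queries"], "amplifying:", report["amplifying"])
    print("heavy hitters:", report["heavy_hitters"])
    print("burst seconds:", burst_seconds(report["per_second"], threshold=3))
```

Run it over a real query log by replacing `SAMPLE_LOG` with the file contents; the heavy-hitter list is the set of customer addresses to contact or rate-limit, and a per-second histogram that jumps from zero to a plateau with no trickle in between is the signature the thread describes.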
