
nanog mailing list archives

RE: DNS deluge for x.p.ctrc.cc
From: "Ejay Hire" <ejay.hire () isdn net>
Date: Fri, 24 Feb 2006 12:30:29 -0600

It may be coincidental, but TXT and ANY queries for this
zone were the ones used in the multi-gigabit reflected dns
DDOS against us earlier this month.

Ejay Hire
ISDN-Net Network Engineer

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]
Behalf Of Estes, Paul
Sent: Friday, February 24, 2006 11:26 AM
To: nanog () merit edu
Subject: DNS deluge for x.p.ctrc.cc

We have recently noticed a deluge of DNS requests for "ANY
ANY" records of x.p.ctrc.cc. The requests are coming from 
thousands of sources, mostly our own customers. There are 
currently no records for x.p.ctrc.cc, or even for
A google search for x.p.ctrc.cc comes up with only 2 hits.

One is a DNS log showing references to this name. The
one shows that somebody else is seeing the same behavior
as we are:




However, this site has the benefit of providing a history 
that p.ctrc.cc had (a week ago) delegated NS record
to 321blowjob.com. At that time, 321blowjob.com's
was responding with a TXT record for x.p.ctrc.cc.


It would appear that ctrc.cc was the victim of some DNS 
hijacking. Whatever malware is attempting to look up this 
name, however, is doing so at a horrific rate. I have some
addresses that have made >250000 requests for this name in
a short period of time.


I was thinking that I could simply put an authoritative
for p.ctrc.cc in our nameservers and return something for
lookups, however based on the writeup on the above
blog, I am now not certain this will have any effect. As 
you'll note, that individual had only 2 machines hitting
name server, and even though a response was provided to
lookup, the hosts continued to hammer his access link.


When the lookup flood occurs, every host starts at the
time, as can be seen on the graphs of traffic to and load
our nameservers. It's all or nothing - the flood is either
or off. There's no background trickle.


Is anybody else seeing these events?
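
Added example, not part of the original thread: one way to pull the per-source request counts and the all-or-nothing onset described above out of a resolver query log. It assumes BIND 9 style querylog lines; the sample lines, addresses and thresholds are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 style querylog format; timestamp is captured to minute resolution.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d{2}:\d{2}):\d{2}\S*\s+client\s+(?:@\S+\s+)?"
    r"(?P<src>[0-9a-fA-F.:]+)#\d+.*?query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)"
)

# Constructed sample log (documentation address range), not data from the post.
SAMPLE = """\
24-Feb-2006 11:20:01.101 client 192.0.2.10#1025: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.105 client 192.0.2.11#1030: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:01.110 client 192.0.2.12#1041: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:02.000 client 192.0.2.10#1026: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:20:02.300 client 192.0.2.10#1027: query: X.P.CTRC.CC IN ANY +
24-Feb-2006 11:20:03.000 client 192.0.2.20#2000: query: www.example.com IN A +
24-Feb-2006 11:21:10.000 client 192.0.2.11#1031: query: x.p.ctrc.cc IN ANY +
""".splitlines()


def summarize(lines, qname, qtype="ANY", per_source_limit=3, burst_sources=3):
    """Return (noisy_sources, burst_minutes) for queries matching qname/qtype.

    noisy_sources: {client address: count} for clients at or over per_source_limit.
    burst_minutes: minutes in which at least burst_sources distinct clients asked,
    i.e. the synchronized "on" periods rather than a background trickle.
    """
    qname = qname.rstrip(".").lower()
    per_source = Counter()
    sources_by_minute = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a query line, or a format this sketch does not cover
        if m["qname"].rstrip(".").lower() != qname or m["qtype"].upper() != qtype:
            continue
        per_source[m["src"]] += 1
        sources_by_minute[m["ts"]].add(m["src"])
    noisy = {s: n for s, n in per_source.items() if n >= per_source_limit}
    bursts = sorted(t for t, s in sources_by_minute.items() if len(s) >= burst_sources)
    return noisy, bursts


if __name__ == "__main__":
    noisy, bursts = summarize(SAMPLE, "x.p.ctrc.cc")
    print("sources over limit:", noisy)
    print("minutes with synchronized onset:", bursts)
```

On a production log the two thresholds would be set far higher than the values used for this small sample.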



