Home page logo
/

nanog logo nanog mailing list archives

Re: Tightened DNS security question re: DNS amplification attacks.
From: Graeme Fowler <graeme () graemef net>
Date: Wed, 28 Jan 2009 14:32:11 +0000

Hi

On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote:
At 12:07:16 local time here in sweden, I saw a new address 70.86.80.98.
At 12:09:36 another new address 64.57.246.123 
At 12:20:10 the address 70.86.80.98 started to ask for funny domain name like:
"pjphcdaaaafwu0000dgaaabaaacboinf". This ended at 12:55:01 when it was back to 
just ask for the .NS records again.

Same here - times different, though, in that it appeared at 1120 UTC and
disappeared at 1159 UTC. There were 194 entries.

Every query was the same format - a 32-byte lower case alphanumeric
string, differing at the following positions marked with a period:

......aaaafw.0000d.aaabaaa......

I expect that others will have seen similar patterns with differing
fixed strings.  I'm also starting to wonder if this is something to with
the downadup/conficker worm, or another botnet.

Graeme



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]