36088.info, 05930.info and other funny domains - accessed by thousands of hosts - botnet c&c?


Péter Gervai

Oct 11, 2013, 8:05:14 AM
to iscds...@googlegroups.com
Hello,

I see extreme amounts of traffic through the DNS of 36088.info (registered 4 days ago by anon) served by the same way registered 05930.info  ns farm, which distributes IP addresses of whatever it pleases, most probably kind of botnet.

Anyone seen their traffic? Which botnet is that?

The traffic is a bit extreme... infected ratio is above 2% of the total customers.

I have shut the domains down and will look for further funny named ones but wondering whether anyone seen it.

(Sample request by private email.)

Peter

Johannes B. Ullrich Ph.D.

Oct 11, 2013, 8:25:25 AM
to iscds...@googlegroups.com
These kind of look like DNS amplifier domains. They return about 4 kbytes of "A" records. So what you are seeing is people trying to use your DNS server as an amplifier.

Pretty much what we wrote about here:https://isc.sans.edu/diary/CSAM%3A+ANY+queries+used+in+reflective+DoS+attack/16757

--
Johannes B. Ullrich, Ph.D., GIAC GCIA & GWEB, SANS Technology Institute, (617) 571 1212, twitter: johullrich; http://isc.sans.edu


Péter Gervai

Oct 11, 2013, 11:24:44 AM
to iscds...@googlegroups.com
On Friday, October 11, 2013 2:25:25 PM UTC+2, Dr J. wrote:
> These kind of look like DNS amplifier domains. They return about 4 kbytes of "A" records. So what you are seeing is people trying to use your DNS server as an amplifier.
>
> Pretty much what we wrote about here: https://isc.sans.edu/diary/CSAM%3A+ANY+queries+used+in+reflective+DoS+attack/16757

This is fine and dandy, but there's one point which is not quite clear to me (to phrase it in a funny way: what you have said may not apply).

DNS amplifiers used for DDoS return their (amplified) payload to one attacked site using either an authoritative server or, more often, an open resolver, by a method like:

* send a small request using fake sender to the amplifier ns
* the amplifier(s) send large response(s) to the faked target

Now, there are two problems for me:
1) the requests come from customers, and the reply goes back to them. They are DoS'ing themselves (not really distributed if you attack yourself)
2) they are using their own designated resolver (it's not open)
[bonus) ingress filtering makes it impossible to have _their_ source faked]

So while I see the amplification, I fail to see the point of people being instructed to DoS themselves. Or if it's about DoS'ing the resolver, then it is a few orders of magnitude lower than would even be detectable.

Any more ideas?

g

Johannes B. Ullrich Ph.D.

Oct 11, 2013, 11:34:48 AM
to iscds...@googlegroups.com
The missing part is that the source for the request is spoofed during the DoS attack. So the response will go back to the spoofed source, which is the real victim here. Initially you may see a couple of "test" requests to check if your DNS server can be used as a recursive name server, and how much bandwidth it can provide.

So they will use an open resolver, spoof a query, and then the response will go to the victim. The authoritative server (in your case for 05930.info) will only see a few of these requests, as the first response from the authoritative name server will be cached by the open resolver.

Daz B

Oct 24, 2013, 5:55:20 AM
to iscds...@googlegroups.com
Bumping the thread... I'm also seeing the same activity on resolvers I manage. The volumes of queries for these domains far exceed any other domains being queried.
At present domain 57188.info is being queried, although it currently only resolves to a single IP. Previous domains have resolved to in excess of 300 IP addresses, suggesting some form of amplification attack.
All the following are related to this; they were all created on 8th October by a single registrar and have been observed at some point in time since 11th October.
 
 
If these queries are originating from multiple endpoints, I'd be interested in determining the cause.... malware?
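The mechanism Johannes describes (a small query answered with several kilobytes of A records, cached at the resolver) and the 300-plus-address responses Daz reports can be put into numbers, and the same arithmetic gives a resolver operator a simple way to spot such domains in query logs. The following is an added example written for this thread, not code posted by any participant. The log format is a constructed, simplified one-line-per-query record (timestamp, client, qname, qtype, response bytes), not BIND's query log, and the wire-size estimates assume name compression in the answer section and no authority or additional records.

```python
"""Estimate DNS amplification from A-record counts and flag domains in a
resolver log that combine a dominant query share with a large response/query
ratio.  All sample data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

DNS_HEADER = 12        # fixed DNS message header
EDNS_OPT_RR = 11       # OPT pseudo-RR an EDNS0 query carries (root name + 10 bytes)
A_RR_COMPRESSED = 16   # 2-byte name pointer + 10-byte RR header + 4-byte IPv4 address


def qname_wire_len(qname: str) -> int:
    """Length of a domain name on the wire: one length byte per label plus root."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def question_len(qname: str) -> int:
    return qname_wire_len(qname) + 4          # QTYPE + QCLASS


def query_size(qname: str, edns: bool = True) -> int:
    """Bytes of a UDP query for `qname`; EDNS0 is what lets answers exceed 512 bytes."""
    return DNS_HEADER + question_len(qname) + (EDNS_OPT_RR if edns else 0)


def response_size_a_records(qname: str, n_records: int) -> int:
    """Bytes of a response that echoes the question and carries n_records A RRs."""
    return DNS_HEADER + question_len(qname) + n_records * A_RR_COMPRESSED


def amplification_factor(qname: str, n_records: int, edns: bool = True) -> float:
    return response_size_a_records(qname, n_records) / query_size(qname, edns)


@dataclass
class DomainStats:
    queries: int = 0
    clients: set = field(default_factory=set)
    response_bytes: int = 0
    query_bytes: int = 0

    @property
    def amplification(self) -> float:
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


# Constructed resolver log: "HH:MM:SS client qname qtype response_bytes".
SAMPLE_LOG = """\
08:05:01 10.20.1.5 36088.info ANY 4828
08:05:01 10.20.1.9 36088.info ANY 4828
08:05:02 10.20.3.77 36088.info ANY 4828
08:05:02 10.20.1.5 36088.info ANY 4828
08:05:03 10.20.7.2 www.example.com A 59
08:05:03 10.20.9.14 mail.example.net MX 120
08:05:04 10.20.4.40 36088.info ANY 4828
08:05:05 10.20.2.8 example.org A 61
"""


def summarize_log(log: str) -> dict:
    """Aggregate per-qname query count, distinct clients and byte totals."""
    stats = defaultdict(DomainStats)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype, resp_bytes = line.split()
        s = stats[qname.lower()]
        s.queries += 1
        s.clients.add(client)
        s.response_bytes += int(resp_bytes)
        s.query_bytes += query_size(qname)   # assumes EDNS0 queries
    return dict(stats)


def flag_amplifier_domains(log: str, min_share: float = 0.25,
                           min_amp: float = 10.0) -> list:
    """Domains that both dominate the query mix and amplify strongly."""
    stats = summarize_log(log)
    total = sum(s.queries for s in stats.values())
    return sorted(q for q, s in stats.items()
                  if s.queries / total >= min_share and s.amplification >= min_amp)


def client_exposure(log: str, qname: str) -> float:
    """Fraction of all clients in the log that queried `qname` (the thread's
    'infected ratio')."""
    stats = summarize_log(log)
    all_clients = set().union(*(s.clients for s in stats.values()))
    target = stats.get(qname.lower())
    return len(target.clients) / len(all_clients) if target else 0.0


if __name__ == "__main__":
    print("300 A records for 36088.info ->",
          response_size_a_records("36088.info", 300), "bytes, factor",
          round(amplification_factor("36088.info", 300), 1))
    print("flagged:", flag_amplifier_domains(SAMPLE_LOG))
    print("client exposure:", round(client_exposure(SAMPLE_LOG, "36088.info"), 2))
```

With 300 A records the response is about 4.8 KB against a 39-byte EDNS0 query, which matches the "about 4 kbytes" figure above. Without EDNS0 the plain UDP answer would be truncated at 512 bytes and the client would have to retry over TCP, which is why the abusive queries need an EDNS0 buffer size large enough to carry the whole answer.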
 