North American Network Operators Group

RE: DNS deluge for x.p.ctrc.cc
It may be coincidental, but TXT and ANY queries for this zone were the ones used in the multi-gigabit reflected DNS DDoS against us earlier this month.

Ejay Hire
ISDN-Net Network Engineer

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Estes, Paul
> Sent: Friday, February 24, 2006 11:26 AM
> To: [email protected]
> Subject: DNS deluge for x.p.ctrc.cc
>
> We have recently noticed a deluge of DNS requests for "ANY ANY" records of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers. There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc. A google search for x.p.ctrc.cc comes up with only 2 hits. One is a DNS log showing references to this name. The other one shows that somebody else is seeing the same behavior as we are:
>
> http://weblog.barnet.com.au/edwin/cat_networking.html
>
> However, this site has the benefit of providing a history that p.ctrc.cc had (a week ago) a delegated NS record pointing to 321blowjob.com. At that time, 321blowjob.com's nameserver was responding with a TXT record for x.p.ctrc.cc.
>
> It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to look up this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.
>
> I was thinking that I could simply put an authoritative zone for p.ctrc.cc in our nameservers and return something for the lookups; however, based on the writeup on the above-mentioned blog, I am now not certain this will have any effect. As you'll note, that individual had only 2 machines hitting his name server, and even though a response was provided to the lookup, the hosts continued to hammer his access link.
>
> When the lookup flood occurs, every host starts at the same time, as can be seen on the graphs of traffic to and load of our nameservers. It's all or nothing - the flood is either on or off. There's no background trickle.
>
> Is anybody else seeing these events?
>
> --Paul
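As an added example (not part of the thread, and not code posted by either author), the Python script below shows the kind of query-log triage the thread describes: it parses BIND 9-style query-log lines (the line format is an assumption for this example), counts ANY and TXT queries for a given name per source address, flags sources above a threshold, and buckets the matching queries per second so the all-or-nothing onset Paul mentions is visible. The log lines are constructed for the demo, and the threshold of 3 is likewise a demo value; in a real deployment it would be far higher, in the range of the >250000 figures quoted above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed BIND 9 querylog line format (example only, not from the thread):
# "24-Feb-2006 11:26:00.001 client 192.0.2.10#40001: query: x.p.ctrc.cc IN ANY +"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two resolvers hammering one name with ANY/TXT,
# one unrelated A query, one A query for the same name, one garbage line.
SAMPLE_LOG = """\
24-Feb-2006 11:26:00.001 client 192.0.2.10#40001: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:26:00.002 client 192.0.2.11#40002: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:26:00.003 client 192.0.2.10#40003: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:26:00.004 client 192.0.2.12#40004: query: www.example.net IN A +
24-Feb-2006 11:26:00.005 client 192.0.2.10#40005: query: x.p.ctrc.cc IN TXT +
24-Feb-2006 11:26:00.006 client 192.0.2.11#40006: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:26:01.001 client 192.0.2.10#40007: query: x.p.ctrc.cc IN ANY +
24-Feb-2006 11:26:01.002 client 192.0.2.11#40008: query: X.P.CTRC.CC. IN any +
24-Feb-2006 11:26:01.003 client 2001:db8::5#40009: query: x.p.ctrc.cc IN A +
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return a dict with ts/src/qname/qtype for one log line, or None if it
    does not match the assumed format. Names are lower-cased and the trailing
    dot dropped so "X.P.CTRC.CC." and "x.p.ctrc.cc" count as the same name."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "src": m.group("src"),
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype").upper(),
    }


def find_floods(log_text, qname, qtypes=("ANY", "TXT"), threshold=3):
    """Count queries for `qname` of the given types per source, flag sources
    whose count exceeds `threshold`, and bucket matching queries per second.
    `threshold` is a demo value; operational values are orders of magnitude higher."""
    qname = qname.rstrip(".").lower()
    per_source = Counter()
    per_second = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # unparseable line: count it, do not crash
            continue
        if rec["qname"] != qname or rec["qtype"] not in qtypes:
            continue
        per_source[rec["src"]] += 1
        per_second[rec["ts"].strftime("%H:%M:%S")] += 1
    # Sources over threshold, busiest first: candidates for rate limiting or
    # customer notification rather than for blocking outright.
    offenders = sorted(
        (src for src, n in per_source.items() if n > threshold),
        key=lambda src: -per_source[src],
    )
    return {
        "per_source": dict(per_source),
        "offenders": offenders,
        "per_second": dict(per_second),
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = find_floods(SAMPLE_LOG, "x.p.ctrc.cc")
    print("per source :", result["per_source"])
    print("offenders  :", result["offenders"])
    print("per second :", result["per_second"])
    print("skipped    :", result["skipped"])
```

The per-second buckets are the part worth graphing: a synchronized flood shows as a step from zero to a plateau with no trickle before it, which matches the "all or nothing" pattern in the original post and is a useful discriminator between infected hosts polling on a timer and ordinary resolver traffic.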