Owen DeLong wrote:
On Feb 18, 2014, at 9:48 PM, Joe Maimon <jmaimon@ttec.com> wrote:
This assumes several facts not in evidence:
1. It is an attack. 2. It is deliberate 3. There is a target 4. It is more effective than others
On what do you base those assumptions? To me this looks to be far more likely to be someone’s wayward script, experiment, software, tool, etc. doing something it probably isn’t supposed to be doing.
I have found this occurring on unaffiliated open resolvers (that I happen to support and that I was able to make the choice to close) It has been ongoing for a week or so (but not constant). The domain names have a pattern but are comprised of components that appear to be randomly generated. The source IP addresses for the queries appear to be non duplicated and randomly generated. query logs are available for unicasting to the interested. Has nobody else seen this?
If it happens to also be gathering the answers or information that the author wants (or appears to be doing so), then the author may well be blissfully ignorant of its wayward behavior towards your servers.
Owen
I would like to figure out how. Joe