We have recently noticed a deluge of DNS requests for "ANY ANY" records of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers. There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc.

A google search for x.p.ctrc.cc comes up with only 2 hits. One is a DNS log showing references to this name. The other one shows that somebody else is seeing the same behavior as we are:

http://weblog.barnet.com.au/edwin/cat_networking.html

However, this site has the benefit of providing a history that p.ctrc.cc had (a week ago) a delegated NS record pointing to 321blowjob.com. At that time, 321blowjob.com's nameserver was responding with a TXT record for x.p.ctrc.cc.

It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to look up this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.

I was thinking that I could simply put an authoritative zone for p.ctrc.cc in our nameservers and return something for the lookups; however, based on the writeup on the above-mentioned blog, I am now not certain this will have any effect. As you'll note, that individual had only 2 machines hitting his name server, and even though a response was provided to the lookup, the hosts continued to hammer his access link.

When the lookup flood occurs, every host starts at the same time, as can be seen on the graphs of traffic to and load of our nameservers. It's all or nothing - the flood is either on or off. There's no background trickle.

Is anybody else seeing these events?

--Paul
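As an added example (not Paul's code and not from anyone on this thread), here is a small Python script that does the per-source counting Paul describes, restricted to the ANY and TXT query types mentioned later in the thread, and reports how many sources started within the same second (the "everyone starts at once" signature he sees on the graphs). The log lines are constructed in the style of a BIND 9 query log; the log format, the per-source threshold and the one-second window are assumptions chosen for illustration, not figures from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in BIND 9 query-log style (not real data from the thread).
# Addresses are documentation ranges; 198.51.100.53 stands in for our resolver.
SAMPLE_LOG = """\
24-Feb-2006 11:26:00.101 client 192.0.2.10#53211: query: x.p.ctrc.cc IN ANY + (198.51.100.53)
24-Feb-2006 11:26:00.102 client 192.0.2.11#40122: query: x.p.ctrc.cc IN ANY + (198.51.100.53)
24-Feb-2006 11:26:00.103 client 192.0.2.10#53212: query: x.p.ctrc.cc IN ANY + (198.51.100.53)
24-Feb-2006 11:26:00.104 client 192.0.2.12#51000: query: www.example.com IN A + (198.51.100.53)
24-Feb-2006 11:26:00.105 client 192.0.2.10#53213: query: x.p.ctrc.cc IN ANY + (198.51.100.53)
24-Feb-2006 11:26:01.200 client 192.0.2.11#40123: query: x.p.ctrc.cc IN ANY + (198.51.100.53)
24-Feb-2006 11:26:01.201 client 192.0.2.13#60000: query: mail.example.net IN MX + (198.51.100.53)
24-Feb-2006 11:26:01.202 client 192.0.2.10#53214: query: x.p.ctrc.cc IN TXT + (198.51.100.53)
"""

# Assumed line layout: "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(text):
    """Yield (timestamp, source, qname, qtype) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        yield ts, m.group("src"), m.group("qname").lower().rstrip("."), m.group("qtype").upper()


def flood_report(text, qname, qtypes=("ANY", "TXT"), per_source_threshold=3):
    """
    Summarise queries for one name: queries per source for the suspicious types,
    the sources at or above the threshold, and how many distinct sources sent
    their first such query within one second of the earliest one.
    """
    target = qname.lower().rstrip(".")
    per_source = Counter()
    first_seen = {}
    for ts, src, name, qtype in parse_queries(text):
        if name != target or qtype not in qtypes:
            continue
        per_source[src] += 1
        first_seen.setdefault(src, ts)  # keep the earliest timestamp per source

    offenders = sorted(s for s, n in per_source.items() if n >= per_source_threshold)
    if first_seen:
        t0 = min(first_seen.values())
        synchronized = sum(1 for t in first_seen.values() if (t - t0).total_seconds() <= 1)
    else:
        synchronized = 0

    return {
        "total": sum(per_source.values()),
        "per_source": dict(per_source),
        "offenders": offenders,
        "sources_starting_within_1s": synchronized,
    }


if __name__ == "__main__":
    report = flood_report(SAMPLE_LOG, "x.p.ctrc.cc")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample this flags 192.0.2.10 (four ANY/TXT queries for the name) and shows both querying sources appearing in the same second. On a real query log the threshold would be set far higher, but the same two numbers, queries per source and the spread of first-seen times, are what distinguish a synchronized flood from ordinary resolver traffic.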
other cctld servers have seen what are effectively ddos. rob thomas seems to have the most clue on this, so i hope this troll will entice him to speak. randy
On Fri, 24 Feb 2006, Estes, Paul wrote:

> We have recently noticed a deluge of DNS requests for "ANY ANY" records

They are trying to abuse similar holes that caused most of us to add "no ip redirects" and "no ip directed broadcast" to routers, but this time it's about dns.

> of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers.

Why am I not surprised ....

> There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc.

http://www.completewhois.com/cgi-bin/whois.cgi?query=28242102&options=retrieve

I don't think this is a hacker-setup domain; probably their dns servers were at some point hacked. They are associated with legacy ip block 192.238.16.0/21. It is also notable that the CTRC.CC A record points to 192.168.202.72.

> A google search for x.p.ctrc.cc comes up with only 2 hits. One is a DNS log showing references to this name. The other one shows that somebody else is seeing the same behavior as we are:
> http://weblog.barnet.com.au/edwin/cat_networking.html
> However, this site has the benefit of providing a history that p.ctrc.cc had (a week ago) a delegated NS record pointing to 321blowjob.com. At that time, 321blowjob.com's nameserver was responding with a TXT record for x.p.ctrc.cc.
> It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to look up this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.
> I was thinking that I could simply put an authoritative zone for p.ctrc.cc in our nameservers and return something for the lookups

You might want to consider returning the same thing in lookups as ctrc.cc themselves have for direct A lookups...

> however based on the writeup on the above-mentioned blog, I am now not certain this will have any effect. As you'll note, that individual had only 2 machines hitting his name server, and even though a response was provided to the lookup, the hosts continued to hammer his access link.
> When the lookup flood occurs, every host starts at the same time, as can be seen on the graphs of traffic to and load of our nameservers. It's all or nothing - the flood is either on or off. There's no background trickle.
> Is anybody else seeing these events?
> --Paul
It may be coincidental, but TXT and ANY queries for this zone were the ones used in the multi-gigabit reflected dns DDOS against us earlier this month.

Ejay Hire
ISDN-Net Network Engineer
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Estes, Paul
Sent: Friday, February 24, 2006 11:26 AM
To: nanog@merit.edu
Subject: DNS deluge for x.p.ctrc.cc
On Feb 24, 2006, at 11:30 AM, Ejay Hire wrote:

> It may be coincidental, but TXT and ANY queries for this zone were the ones used in the multi-gigabit reflected dns DDOS against us earlier this month.

this would be a fine thread to discuss on dns-operations, which a bunch of you here have already joined. list details here if not already subscribed: http://lists.oarci.net/mailman/listinfo/

-b
> this would be a fine thread to discuss on dns-operations, which a bunch of you here have already joined. http://lists.oarci.net/mailman/listinfo/

i joined but have never seen a message on that list. and this discussion seems useful. maybe we should not do a gadi?

randy
Randy Bush wrote:

> > this would be a fine thread to discuss on dns-operations, which a bunch of you here have already joined. http://lists.oarci.net/mailman/listinfo/
>
> i joined but have never seen a message on that list. and this discussion seems useful. maybe we should not do a gadi?
>
> randy

Or a Randy. Oops, you just did.
On Feb 24, 2006, at 11:47 AM, Randy Bush wrote:

> > this would be a fine thread to discuss on dns-operations, which a bunch of you here have already joined. http://lists.oarci.net/mailman/listinfo/
>
> i joined but have never seen a message on that list. and this discussion seems useful. maybe we should not do a gadi?

just a suggestion, but: http://lists.oarci.net/pipermail/dns-operations/2006-February/000005.html there has been one topical post (ignore a handful of test messages).

-b