Beginning about 0900UTC we began seeing about 50x our usual DNS traffic. 75% of the traffic is for d6991.com. Does anyone else see this? Who are these folks (WEBNIC.CC)?

-chris
On 9/23/2013 9:55 AM, Christopher Hunt wrote:
Beginning about 0900UTC we began seeing about 50x our usual DNS traffic. 75% of the traffic is for d6991.com. Does anyone else see this? Who are these folks (WEBNIC.CC)?
Maybe because of this mess?

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.3 <<>> @localhost d6991.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61549
;; flags: qr rd ra; QUERY: 1, ANSWER: 256, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;d6991.com. IN A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 23 19:06:40 2013
;; MSG SIZE rcvd: 4123

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '121.100.128.0 - 121.100.191.255'

inetnum: 121.100.128.0 - 121.100.191.255
netname: YanYang-network
descr: Beijing Yan Yang Century Science & Technology Co., LTD
descr: 9-605 Xuhuiaodu, Lishuiqiao south, Chaoyang District, Beijing
country: CN
admin-c: ZM675-AP
tech-c: ZM676-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
status: ALLOCATED PORTABLE
changed: ipas@cnnic.net 20110610
source: APNIC

irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20110428
source: APNIC

person: Yanqing Xiao
address: 9-605 Xuhuiaodu. Lishuiqiao south Chaoyang District
address: Beijing, China, 100012
country: CN
phone: +86-18600090096
fax-no: +86-010- 59456518
e-mail: xiaoyanqingvp@126.com
nic-hdl: ZM675-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net 20110609
source: APNIC

person: Jian Zhou
address: 9-605 Xuhuiaodu. Lishuiqiao south Chaoyang District
address: Beijing, China, 100012
country: CN
phone: +86-18611086106
fax-no: +86-010- 59456518
e-mail: sxbjzj@163.com
nic-hdl: ZM676-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net 20110609
source: APNIC

% Information related to '121.100.128.0/19AS4837'

route: 121.100.128.0/19
descr: CNC Group CHINA169 Shan1xi Province Network
descr: Addresses from CNNIC
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060926
source: APNIC

% This query was served by the APNIC Whois Service version 1.68 (WHOIS3)

- ferg

--
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington USA
IID --> "Connect and Collaborate" --> www.internetidentity.com
That is a problem, but I'm seeing a lot of queries from residential users for what seems to me an obscure name hosted in Asia. I'm guessing some kind of bot traffic...

-chris
On Sep 24, 2013, at 12:11 AM, Chris Hunt wrote:
That is a problem, but I'm seeing a lot of queries from residential users for what seems to me an obscure name hosted in Asia. I'm guessing some kind of bot traffic...
They may be open recursors being leveraged for DNS reflection/amplification DDoS (many CPE devices are broken this way). Check some of the CPEs to see if they're open recursors:

<http://openresolverproject.org/>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
Once upon a time, Chris Hunt <dharmachris@gmail.com> said:
That is a problem, but I'm seeing a lot of queries from residential users for what seems to me an obscure name hosted in Asia. I'm guessing some kind of bot traffic...

Any of the affected users have open resolvers (on DSL routers for example)?

--
Chris Adams <cma@cmadams.net>
On Sep 23, 2013, at 1:25 PM, Chris Adams <cma@cmadams.net> wrote:
Once upon a time, Chris Hunt <dharmachris@gmail.com> said:
That is a problem, but I'm seeing a lot of queries from residential users for what seems to me an obscure name hosted in Asia. I'm guessing some kind of bot traffic...
Any of the affected users have open resolvers (on DSL routers for example)?
I've heard estimates (from others that have looked at the OpenResolverProject.org data) around 90% of resolvers are CPE devices that respond to queries on the WAN interface.

- Jared
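The open-recursor check suggested in the replies above, written out as an added example that is not part of the original thread or any poster's tooling. The function names, the probe name example.com, the classification heuristic (RA set with NOERROR/NXDOMAIN, or answers returned for a name the device is not authoritative for) and the sample response bytes are all assumptions made for the illustration.

```python
"""Classify a DNS responder (e.g. a CPE WAN address you operate) as an open recursor."""
import secrets
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, RD, RA = 0x8000, 0x0100, 0x0080
REFUSED, NOERROR, NXDOMAIN = 5, 0, 3


def build_query(qname, qtype=1, txid=None):
    """Return a wire-format recursive query (RD=1), class IN, default type A."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(query, response):
    """Decide from the response header whether the responder recursed for us.

    Assumes the probe name is one the device is NOT authoritative for, so any
    answer means it recursed or forwarded on behalf of an outside client.
    """
    if response is None:
        return "no-response"
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        return "malformed"              # not a response at all
    if txid != struct.unpack("!H", query[:2])[0]:
        return "mismatched-id"          # stray or unrelated packet
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"
    if flags & RA and rcode in (NOERROR, NXDOMAIN):
        return "open-recursor"          # advertises and performs recursion
    if ancount > 0 and rcode == NOERROR:
        return "open-recursor"          # forwarder that answers with RA clear
    return "closed"


def probe(ip, qname="example.com", timeout=3.0):
    """Send one query to ip:53 over UDP and classify the reply.

    Run this from outside the customer LAN, against the WAN address, otherwise
    the result only shows the LAN-side behaviour.
    """
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ip, 53))
            response, _ = sock.recvfrom(4096)
        except OSError:                 # includes timeouts and ICMP unreachable
            response = None
    return classify_response(query, response)


def constructed_response(query, flags, answers=0):
    """Build a constructed (not captured) response to `query` for offline tests."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0)
    # One A record: name pointer to the question, TTL 60, 192.0.2.1 (TEST-NET-1).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + rr * answers


def demo():
    """Classify a set of constructed responses, one per behaviour of interest."""
    q = build_query("example.com", txid=0x1234)
    other = build_query("example.com", txid=0x4321)
    cases = {
        "cpe-recursing": constructed_response(q, QR | RD | RA, answers=1),
        "cpe-forwarding-ra-clear": constructed_response(q, QR | RD, answers=1),
        "cpe-refusing": constructed_response(q, QR | RD | REFUSED),
        "cpe-not-recursing": constructed_response(q, QR | RD),
        "cpe-filtered": None,
        "stray-packet": constructed_response(other, QR | RD | RA, answers=1),
    }
    return {name: classify_response(q, resp) for name, resp in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Devices that come back as "open-recursor" are the ones to fix or filter (block inbound port 53 on the WAN side, or restrict recursion to the LAN).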
Well,

There are a lot of those popping up in the past 6 months.

I'm still running bindguard 0.71 and caught about 1300 targets of reflection DDoS in the past 24h.

Besides using ". IN ANY", a lot are using "isc.org IN ANY" and some more that I won't list here =D

Which should be pretty easy to track down the domain built for the purpose of DNS DDoS. Just saying...

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 23 19:06:40 2013
;; MSG SIZE rcvd: 4123
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '121.100.128.0 - 121.100.191.255'
inetnum: 121.100.128.0 - 121.100.191.255
netname: YanYang-network
descr: Beijing Yan Yang Century Science & Technology Co., LTD
descr: 9-605 Xuhuiaodu, Lishuiqiao south, Chaoyang District, Beijing
country: CN
admin-c: ZM675-AP
tech-c: ZM676-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
status: ALLOCATED PORTABLE
changed: ipas@cnnic.net 20110610
source: APNIC

irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20110428
source: APNIC

person: Yanqing Xiao
address: 9-605 Xuhuiaodu. Lishuiqiao south Chaoyang District
address: Beijing, China, 100012
country: CN
phone: +86-18600090096
fax-no: +86-010- 59456518
e-mail: xiaoyanqingvp@126.com
nic-hdl: ZM675-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net 20110609
source: APNIC

person: Jian Zhou
address: 9-605 Xuhuiaodu. Lishuiqiao south Chaoyang District
address: Beijing, China, 100012
country: CN
phone: +86-18611086106
fax-no: +86-010- 59456518
e-mail: sxbjzj@163.com
nic-hdl: ZM676-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net 20110609
source: APNIC
% Information related to '121.100.128.0/19AS4837'
route: 121.100.128.0/19
descr: CNC Group CHINA169 Shan1xi Province Network
descr: Addresses from CNNIC
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060926
source: APNIC
% This query was served by the APNIC Whois Service version 1.68 (WHOIS3)
- ferg
Could be DNS packet tunneling to China, bad news.
https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34...
-----Original Message-----
From: Christopher Hunt [mailto:dharmachris@gmail.com]
Sent: Monday, September 23, 2013 11:55 AM
To: nanog@nanog.org
Subject: d6991.com traffic
Beginning about 0900UTC we began seeing about 50x our usual DNS traffic. 75% of the traffic is for d6991.com. Does anyone else see this? Who are these folks (WEBNIC.CC)?
-chris
---
Please refer to http://www.amherst.com/amherst-email-disclaimer/ for important disclosures regarding this electronic communication.
It's DNS reflection attack noise:
http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html
This is a good blog for observing the domains and frequent correlation of items in whois and other traits that indicate much of this is done by the same actors.
On 09/23/2013 12:55 PM, Christopher Hunt wrote:
Beginning about 0900UTC we began seeing about 50x our usual DNS traffic. 75% of the traffic is for d6991.com. Does anyone else see this? Who are these folks (WEBNIC.CC)?
-chris
On 9/23/2013 5:01 PM, fire-eyes wrote:
It's DNS reflection attack noise:
http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html
This is a good blog for observing the domains and frequent correlation of items in whois and other traits that indicate much of this is done by the same actors.
Thanks for the pointer. :-) - ferg
-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate" --> www.internetidentity.com
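An added example, not part of the thread: one way an operator could confirm the pattern from the original post in resolver logs, a window many times the usual volume in which one name takes most of the queries. The BIND-style log layout, the thresholds, the function names and the sample lines are assumptions made for this example; the sample is constructed so that it reproduces the 50x and 75% figures reported above.

```python
import re
from collections import Counter, defaultdict

# Assumed input: BIND-style querylog lines. Only the client address and the
# "query: NAME IN TYPE" part are parsed, so other layouts need a new regex.
LINE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse(lines):
    """Yield (source, qname, qtype) for every line that looks like a query."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m["src"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def dominant_names(lines, baseline_total, share_min=0.5, surge_min=10.0):
    """Compare one log window with the usual query count for a window of the
    same length and report the names that dominate it during a surge."""
    per_name = Counter()
    sources = defaultdict(set)
    total = 0
    for src, qname, _qtype in parse(lines):
        total += 1
        per_name[qname] += 1
        sources[qname].add(src)
    surge = total / baseline_total if baseline_total else float("inf")
    findings = []
    if surge >= surge_min:
        for qname, n in per_name.most_common():
            share = n / total
            if share < share_min:
                break  # most_common() is sorted, nothing later can qualify
            findings.append({"qname": qname, "queries": n, "share": share,
                             "sources": len(sources[qname])})
    return surge, findings


def constructed_window():
    """Constructed sample: 200 queries, 150 for one name from 3 sources."""
    fmt = "23-Sep-2013 09:00:{:02d}.000 client {}#{}: query: {} IN {} +E (192.0.2.53)"
    lines = [fmt.format(i % 60, f"198.51.100.{i % 3 + 1}", 40000 + i, "d6991.com", "A")
             for i in range(150)]
    lines += [fmt.format(i % 60, f"192.0.2.{i + 100}", 50000 + i,
                         f"host{i}.example.net", "A") for i in range(50)]
    return lines


if __name__ == "__main__":
    surge, findings = dominant_names(constructed_window(), baseline_total=4)
    print(f"window is {surge:.0f}x baseline")
    for f in findings:
        print(f"{f['qname']}: {f['share']:.0%} of queries from {f['sources']} sources")
```

The per-name source count separates a handful of addresses repeating one query, which fits spoofed-source reflection, from many clients asking for a name that is simply popular.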
participants (9)
- Alain Hebert
- Chris Adams
- Chris Hunt
- Christopher Hunt
- Dobbins, Roland
- fire-eyes
- Jared Mauch
- Meshier, Brent
- Paul Ferguson