Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Strange DNS Queries - Request for Packets - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Strange DNS Queries - Request for Packets

We have received a pcap sample of DNS queries that display a strange behavior. The queries are type ANY for domains ghmn.ru and fkfkfkfa.com. When doing a nslookup, both domains have 100 IPs listed under their domain names with each of them resolving exactly the same last octets (i.e. .1, .10, .100, etc). Queries with the same transaction ID are often repeated several times. The traffic samples we have received indicate the queries are sent by either a host or a server.

If anyone else is seeing queries for either of these domains or queries with a similar behavior and can share some pcap or logs, you can submit them via our contact page.

Wireshark example of a query:


[1] https://www.robtex.com/dns/ghmn.ru.html#shared
[2] https://www.robtex.com/dns/fkfkfkfa.com.html#shared

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

414 Posts
ISC Handler
Why is this strange? Looks like a garden-variety DNS amplification attack.
Anonymous
Posts
See here for more information: http://dnsamplificationattacks.blogspot.nl
Anonymous
Posts
[Duplicate post]
Anonymous
Posts
Rather than attackers using legitimate DNS records for amplification attacks, they are now registering their own domains that will generate large responses. I guess the ANY record for isc.org and "." are too popular anymore.
emueller

3 Posts Posts
you can search any query error finding site through a good search..please make the proper change after that.
Anonymous
Posts

Sign Up for Free or Log In to start participating in the conversation!