Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Strange DNS Queries - Request for Packets - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Strange DNS Queries - Request for Packets

We have received a pcap sample of DNS queries that display a strange behavior. The queries are type ANY for domains and When doing a nslookup, both domains have 100 IPs listed under their domain names with each of them resolving exactly the same last octets (i.e. .1, .10, .100, etc). Queries with the same transaction ID are often repeated several times. The traffic samples we have received indicate the queries are sent by either a host or a server.

If anyone else is seeing queries for either of these domains or queries with a similar behavior and can share some pcap or logs, you can submit them via our contact page.

Wireshark example of a query:



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


417 Posts
ISC Handler
Why is this strange? Looks like a garden-variety DNS amplification attack.
See here for more information:
[Duplicate post]
Rather than attackers using legitimate DNS records for amplification attacks, they are now registering their own domains that will generate large responses. I guess the ANY record for and "." are too popular anymore.

3 Posts Posts
you can search any query error finding site through a good search..please make the proper change after that.

Sign Up for Free or Log In to start participating in the conversation!