nanog mailing list archives
Re: Tightened DNS security question re: DNS amplification attacks.
From: Graeme Fowler <graeme () graemef net>
Date: Wed, 28 Jan 2009 14:32:11 +0000
Hi

On Wed, 2009-01-28 at 13:16 +0100, fredrik danerklint wrote:
> At 12:07:16 local time here in Sweden, I saw a new address 70.86.80.98.
> At 12:09:36 another new address 64.57.246.123
> At 12:20:10 the address 70.86.80.98 started to ask for funny domain names
> like: "pjphcdaaaafwu0000dgaaabaaacboinf". This ended at 12:55:01 when it
> was back to just ask for the .NS records again.

Same here - times different, though, in that it appeared at 1120 UTC and disappeared at 1159 UTC. There were 194 entries.

Every query was the same format - a 32-byte lower case alphanumeric string, differing at the following positions marked with a period:

......aaaafw.0000d.aaabaaa......

I expect that others will have seen similar patterns with differing fixed strings.

I'm also starting to wonder if this is something to do with the downadup/conficker worm, or another botnet.

Graeme
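Added example, not part of the original post: one way to check a resolver query log for the pattern described above, and to derive the fixed-position mask from your own samples when the fixed strings differ. The source addresses, the second and third query names, and all function names are constructed for illustration; only the first query name and the mask come from the post.

```python
import re
from collections import Counter

PAGE_MASK = "......aaaafw.0000d.aaabaaa......"  # mask quoted in the post
LABEL_RE = re.compile(r"[a-z0-9]{32}")           # 32 lower-case alphanumerics

def first_label(qname):
    """Leftmost label of a query name, lower-cased, trailing dot ignored."""
    return qname.rstrip(".").split(".")[0].lower()

def derive_mask(labels):
    """Keep a character where every sample agrees, '.' where they differ."""
    labels = [l for l in labels if LABEL_RE.fullmatch(l)]
    if len(labels) < 2:
        raise ValueError("need at least two 32-character samples")
    return "".join(col[0] if len(set(col)) == 1 else "." for col in zip(*labels))

def matches(mask, label):
    """True if label has the 32-character format and agrees with the mask."""
    return (bool(LABEL_RE.fullmatch(label)) and len(mask) == len(label)
            and all(m in (".", c) for m, c in zip(mask, label)))

def flag_sources(records, mask, threshold=2):
    """Count matching queries per source; return sources at or above threshold."""
    hits = Counter(src for src, qname in records
                   if matches(mask, first_label(qname)))
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed (source, qname) records; documentation address ranges only.
RECORDS = [
    ("192.0.2.10", "pjphcdaaaafwu0000dgaaabaaacboinf"),   # name from the post
    ("192.0.2.10", "xmwqtraaaafwk0000dbaaabaaazyehlv."),  # constructed
    ("192.0.2.10", "bnvzseaaaafwr0000dmaaabaaatqdjxp"),   # constructed
    ("198.51.100.7", "www.example.com."),
    ("198.51.100.7", "abcdefghijklmnopqrstuvwxyz012345"), # right length, wrong mask
]

if __name__ == "__main__":
    samples = [first_label(q) for _, q in RECORDS[:3]]
    print("derived mask:", derive_mask(samples))
    print("flagged     :", flag_sources(RECORDS, PAGE_MASK))
```

With only a handful of samples a variable position can agree by chance, so derive the mask from as many logged names as are available before using it to flag sources.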