nanog mailing list archives
RE: random dns queries with random sources
From: "Beeman, Davis" <Davis.Beeman () integratelecom com>
Date: Wed, 19 Feb 2014 17:08:03 +0000
They are, and dropping them just as fast. It seems like they last a day or two, and then move on to another domain name. They are similar enough that the bots probably work off a formula to determine valid requests.

It may be a coincidence, if you believe in those, but this type of C&C traffic started ramping up wildly about a month after the ZeroAccess servers got blocked...

Davis Beeman | Network Security Engineer | 360.816.3052
Integra

-----Original Message-----
From: Joe Maimon [mailto:jmaimon () ttec com]
Sent: Wednesday, February 19, 2014 08:59
To: Beeman, Davis; North American Networking and Offtopic Gripes List
Subject: Re: random dns queries with random sources

Beeman, Davis wrote:
rather the authoritative name server in these domains is the rogue DNS server in use by the bad actor running a botnet.

Davis Beeman
Network Security Engineer

Somebody must be registering these domain names. And I should be able to compile a list of the auth servers in question.

Joe