nanog mailing list archives
RE: DNS deluge for x.p.ctrc.cc
From: "Estes, Paul" <pestes () Covad COM>
Date: Fri, 24 Feb 2006 10:14:51 -0800
Actually, what we are seeing does not appear to be an amplification attack. It appears to be a request flood from infected machines. We have anti-spoofing filters on our upstream connections as well as our subscribers' access lines. The source addresses are not spoofed. They are valid subscriber source IPs. Based on some cached entries I have found in other nameservers, CTRC.CC was apparently hacked and was delegating a number of subdomains to another nameserver that was issuing the 4K TXT record. The delegation has now been removed, and the nameserver they were delegated to appears to be offline.

--Paul

-----Original Message-----
From: william(at)elan.net [mailto:william () elan net]
Sent: Friday, February 24, 2006 9:47 AM
To: Estes, Paul
Cc: nanog () merit edu
Subject: Re: DNS deluge for x.p.ctrc.cc

On Fri, 24 Feb 2006, Estes, Paul wrote:
> We have recently noticed a deluge of DNS requests for "ANY ANY" records

They are trying to abuse similar holes that caused most of us to add "no ip redirects" and "no ip directed broadcast" to routers, but this time it's about DNS.

> of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers.

Why am I not surprised ....

> There are currently no records for x.p.ctrc.cc, or even for p.ctrc.cc.

http://www.completewhois.com/cgi-bin/whois.cgi?query=28242102&options=retrieve

I don't think this is a hacker-setup domain, probably their DNS servers were at some point hacked. They are associated with legacy IP block 192.238.16.0/21. It is also notable that the CTRC.CC A record points to 192.168.202.72.

> A google search for x.p.ctrc.cc comes up with only 2 hits. One is a DNS log showing references to this name. The other one shows that somebody else is seeing the same behavior as we are: http://weblog.barnet.com.au/edwin/cat_networking.html However, this site has the benefit of providing a history that p.ctrc.cc had (a week ago) a delegated NS record pointing to 321blowjob.com. At that time, 321blowjob.com's nameserver was responding with a TXT record for x.p.ctrc.cc.
>
> It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to look up this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time. I was thinking that I could simply put an authoritative zone for p.ctrc.cc in our nameservers and return something for the lookups

You might want to consider returning the same thing in lookups as ctrc.cc themselves have for direct A lookups...

[snip]
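The triage step Paul describes, finding which unspoofed subscriber addresses are hammering a resolver with ANY/TXT lookups under p.ctrc.cc, as an added example that is not part of this thread. It assumes BIND-style query log lines; the log lines and addresses below are constructed (documentation ranges), not taken from the archive.

```python
import re
from collections import Counter

# Constructed BIND-style query log lines in the shape
# "client <ip>#<port>: query: <name> IN <type> ...". The name and the ANY
# query type match what the thread describes; the addresses are made up.
SAMPLE_LOG = """\
client 192.0.2.10#41234: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
client 192.0.2.10#41235: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
client 192.0.2.10#41236: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
client 192.0.2.11#53001: query: www.example.com IN A + (203.0.113.53)
client 192.0.2.12#50000: query: x.p.ctrc.cc IN ANY + (203.0.113.53)
client 192.0.2.10#41237: query: x.p.ctrc.cc IN TXT + (203.0.113.53)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def count_flood_sources(log_text, zone="p.ctrc.cc", qtypes=("ANY", "TXT")):
    """Count, per client IP, queries for names at or under `zone` whose
    type is in `qtypes` (the ANY/TXT lookups the thread describes).
    Returns a Counter mapping ip -> number of matching queries."""
    zone = zone.lower().rstrip(".")
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name != zone and not name.endswith("." + zone):
            continue  # unrelated name, e.g. normal customer traffic
        if m.group("qtype").upper() not in qtypes:
            continue
        counts[m.group("ip")] += 1
    return counts


def flagged_sources(log_text, threshold, **kw):
    """Return a sorted list of (ip, count) for clients at or above
    `threshold`. Because the thread notes the sources are real customer
    addresses rather than spoofed ones, these are the hosts worth
    contacting or rate limiting."""
    counts = count_flood_sources(log_text, **kw)
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)
```

On a real log the threshold would be set far higher than the sample's, in the spirit of the >250000-request sources Paul mentions.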