Friday, October 17, 2014

Domain: oggr.ru

Domain: oggr.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x044f4747 && 0x2c&0xDFFFDFDF=0x52025255 && 0x30&0xFFFFFF00=0x0000FF00" -j DROP -m comment --comment "DROP DNS Q oggr.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|046f6767720272750000ff|' -j DROP -m comment --comment "DROP DNS Q oggr.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
oggr.ru. 21599 IN NS ns2.reg.ru.
oggr.ru. 21599 IN NS ns1.reg.ru.


Response:


A 245
NS 2
SOA 1
Rsize 4016


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: OGGR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.04.14
paid-till: 2015.04.14
free-date: 2015.05.15
source: TCI

Last updated on 2014.10.17 22:51:33 MSK




Domain: nlhosting.nl

Domain: nlhosting.nl

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x094e4c48 && 0x2c&0xDFDFDFDF=0x4f535449 && 0x30&0xDFDFFFDF=0x4e47024e && 0x34&0xDFFFFFFF=0x4c0000FF" -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|096e6c686f7374696e67026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q nlhosting.nl"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
nlhosting.nl. 10799 IN NS ns.nlhosting.net.
nlhosting.nl. 10799 IN NS ns1.nlhosting.net.


Response:


A 14
DNSKEY 4
MX 4
NS 9
NSEC3PARAM 2
RRSIG 9
SOA 2
TXT 2
TYPE65534 3
Rsize 3635


Whois


Domain name: nlhosting.nl
Status: active

Registrar:
NL Hosting Internet Solutions bv
Kerkstraat 1
6669DA DODEWAARD
Netherlands

DNSSEC: yes

Domain nameservers:
ns.nlhosting.net
ns1.nlhosting.net

Record maintained by: NL Domain Registry

Copyright notice
No part of this publication may be reproduced, published, stored in a
retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, recording, or otherwise, without prior
permission of the Foundation for Internet Domain Registration in the
Netherlands (SIDN).
These restrictions apply equally to registrars, except in that
reproductions and publications are permitted insofar as they are
reasonable, necessary and solely in the context of the registration
activities referred to in the General Terms and Conditions for .nl
Registrars.
Any use of this material for advertising, targeting commercial offers or
similar activities is explicitly forbidden and liable to result in legal
action. Anyone who is aware or suspects that such activities are taking
place is asked to inform the Foundation for Internet Domain Registration
in the Netherlands.
(c) The Foundation for Internet Domain Registration in the Netherlands
(SIDN) Dutch Copyright Act, protection of authors' rights (Section 10,
subsection 1, clause 1).



Thursday, October 16, 2014

Domain: doleta.gov

Domain: doleta.gov

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x06444f4c && 0x2c&0xDFDFDFFF=0x45544103 && 0x30&0xDFDFDFFF=0x474f5600 && 0x34&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS Q doleta.gov"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|06646f6c65746103676f760000ff|' -j DROP -m comment --comment "DROP DNS Q doleta.gov"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
doleta.gov. 899 IN NS ns06.dol.gov.
doleta.gov. 899 IN NS ns4.dol.gov.
doleta.gov. 899 IN NS ns2.dol.gov.
doleta.gov. 899 IN NS ns1.dol.gov.
doleta.gov. 899 IN NS ns05.dol.gov.
doleta.gov. 899 IN NS dino.doleta.gov.


Response:


A 15
AAAA 2
DNSKEY 4
MX 7
NS 14
NSEC3PARAM 2
RRSIG 9
SOA 2
TXT 2
Rsize 3691






Domain: bmw.digmehl.cu.cc

Domain: bmw.digmehl.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03424d57 && 0x2c&0xFFDFDFDF=0x07444947 && 0x30&0xDFDFDFDF=0x4d45484c && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q bmw.digmehl.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|03626d77076469676d65686c02637502636300|' -j DROP -m comment --comment "DROP DNS Q bmw.digmehl.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
digmehl.cu.cc. 21599 IN NS ken.ns.cloudflare.com.
digmehl.cu.cc. 21599 IN NS chan.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095






Monday, October 13, 2014

Domain: guessinfosys.com

Domain: guessinfosys.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0c475545 && 0x2c&0xDFDFDFDF=0x5353494e && 0x30&0xDFDFDFDF=0x464f5359 && 0x34&0xDFFFDFDF=0x5303434f && 0x38&0xDFFFFFFF=0x4d0000FF" -j DROP -m comment --comment "DROP DNS Q guessinfosys.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 60 --algo bm --hex-string '|0C6775657373696e666f73797303636f6d0000ff|' -j DROP -m comment --comment "DROP DNS Q guessinfosys.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
guessinfosys.com. 1461 IN NS ns72.domaincontrol.com.
guessinfosys.com. 1461 IN NS ns71.domaincontrol.com.


Response:


A 6
MX 2
NS 2
SOA 1
TXT 7
Rsize 3195


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: GUESSINFOSYS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS71.DOMAINCONTROL.COM
Name Server: NS72.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 12-sep-2014
Creation Date: 12-sep-2014
Expiration Date: 12-sep-2015

>>> Last update of whois database: Mon, 13 Oct 2014 23:04:03 GMT <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: GUESSINFOSYS.COM
Registry Domain ID: 1875368893_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-09-11 23:02:31
Creation Date: 2014-09-11 22:52:05
Registrar Registration Expiration Date: 2015-09-11 22:52:05
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: paopao sun
Registrant Organization:
Registrant Street: NO.4-2-401,FengNianCun,DongLi Dist.
Registrant City: Tianjin
Registrant State/Province: tianjin
Registrant Postal Code: 300010
Registrant Country: China
Registrant Phone: +86.13920258784
Registrant Phone Ext:
Registrant Fax: +86.13920258784
Registrant Fax Ext:
Registrant Email: quinnxaa@hotmail.com
Registry Admin ID:
Admin Name: paopao sun
Admin Organization:
Admin Street: NO.4-2-401,FengNianCun,DongLi Dist.
Admin City: Tianjin
Admin State/Province: tianjin
Admin Postal Code: 300010
Admin Country: China
Admin Phone: +86.13920258784
Admin Phone Ext:
Admin Fax: +86.13920258784
Admin Fax Ext:
Admin Email: quinnxaa@hotmail.com
Registry Tech ID:
Tech Name: paopao sun
Tech Organization:
Tech Street: NO.4-2-401,FengNianCun,DongLi Dist.
Tech City: Tianjin
Tech State/Province: tianjin
Tech Postal Code: 300010
Tech Country: China
Tech Phone: +86.13920258784
Tech Phone Ext:
Tech Fax: +86.13920258784
Tech Fax Ext:
Tech Email: quinnxaa@hotmail.com
Name Server: NS71.DOMAINCONTROL.COM
Name Server: NS72.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-10-13T23:00:00Z

The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.



Domain: energystar.gov

Domain: energystar.gov

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a454e45 && 0x2c&0xDFDFDFDF=0x52475953 && 0x30&0xDFDFDFFF=0x54415203 && 0x34&0xDFDFDFFF=0x474f5600 && 0x38&0xFFFF0000=0x00FF0000" -j DROP -m comment --comment "DROP DNS ANY  Q energystar.gov"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0A656e657267797374617203676f760000ff|' -j DROP -m comment --comment "DROP DNS ANY Q energystar.gov"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
energystar.gov. 21599 IN NS ns01-100.energystar.gov.
energystar.gov. 21599 IN NS ns02-100.energystar.gov.


Response:


A 21
AAAA 3
DNSKEY 11
MX 6
NS 16
NSEC 2
RRSIG 10
SOA 3
TXT 3
Rsize 5423


Whois


% DOTGOV WHOIS Server ready
Domain Name: ENERGYSTAR.GOV
Status: ACTIVE


>>> Last update of whois database: 2014-10-13T23:01:26Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.



Domain: etk.heckbro.cu.cc

Domain: etk.heckbro.cu.cc

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0345544b && 0x2c&0xFFDFDFDF=0x07484543 && 0x30&0xDFDFDFDF=0x4b42524f && 0x34&0xFFDFDFFF=0x02435502 && 0x38&0xDFDFFF00=0x43430000" -j DROP -m comment --comment "DROP DNS Q etk.heckbro.cu.cc"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|0365746b076865636b62726f02637502636300|' -j DROP -m comment --comment "DROP DNS Q etk.heckbro.cu.cc"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
heckbro.cu.cc. 21536 IN NS coby.ns.cloudflare.com.
heckbro.cu.cc. 21536 IN NS alla.ns.cloudflare.com.


Response:


TXT 1
Rsize 4095





Wednesday, July 23, 2014

Domain: wradish.com

Domain: wradish.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07575241 && 0x2c&0xDFDFDFDF=0x44495348 && 0x30&0xFFDFDFDF=0x03434f4d && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q wradish.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|077772616469736803636f6d00|' -j DROP -m comment --comment "DROP DNS Q wradish.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


178.32.56.245

Name server:


;; ANSWER SECTION:
wradish.com. 2036 IN NS ns20.domaincontrol.com.
wradish.com. 2036 IN NS ns19.domaincontrol.com.


Response:


A 2
MX 2
NS 2
SOA 1
TXT 5
Rsize 3798


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: WRADISH.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS19.DOMAINCONTROL.COM
Name Server: NS20.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-apr-2014
Creation Date: 21-apr-2014
Expiration Date: 21-apr-2015

>>> Last update of whois database: Wed, 23 Jul 2014 21:19:40 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.



Domain: webpanel.sk

Domain: webpanel.sk

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08574542 && 0x2c&0xDFDFDFDF=0x50414e45 && 0x30&0xDFFFDFDF=0x4c02534b && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q webpanel.sk"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|0877656270616e656c02736b00|' -j DROP -m comment --comment "DROP DNS Q webpanel.sk"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


69.160.47.159

Name server:


;; ANSWER SECTION:
webpanel.sk. 21599 IN NS ns1.dnsbackup.net.
webpanel.sk. 21599 IN NS ns2.dnsbackup.net.
webpanel.sk. 21599 IN NS ns1.nameserver.sk.
webpanel.sk. 21599 IN NS ns2.nameserver.sk.


Response:


A 14
DNSKEY 6
MX 10
NS 12
NSEC 2
RRSIG 9
SOA 3
TXT 4
Rsize 6543


Whois


%
% whois.sk-nic.sk - whois server for TLD .sk
%


Domain-name webpanel.sk
Admin-id YEGO-0001
Admin-name Yegon s.r.o.
Admin-legal-form s.r.o
Admin-org.-ID 35797924
Admin-address Stara Prievozska 2, Bratislava 821 09
Admin-telephone +421-2-20633171
Admin-email registrator@yegon.sk
Tech-id YEGO-0001
Tech-name Yegon s.r.o.
Tech-org.-ID 35797924
Tech-address Stara Prievozska 2, Bratislava 821 09
Tech-telephone +421-2-20633171
Tech-email registrator@yegon.sk
dns_name ns1.nameserver.sk
dns_name ns2.nameserver.sk
dns_name ns1.dnsbackup.net
dns_name ns2.dnsbackup.net
Last-update 2013-12-12
Valid-date 2015-01-09
Domain-status DOM_OK





Saturday, June 28, 2014

Domain: lalka.com.ru

Domain: lalka.com.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x054c414c && 0x2c&0xDFDFFFDF=0x4b410343 && 0x30&0xDFDFFFDF=0x4f4d0252 && 0x34&0xDFFF0000=0x55000000" -j DROP -m comment --comment "DROP DNS Q lalka.com.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|056c616c6b6103636f6d02727500|' -j DROP -m comment --comment "DROP DNS Q lalka.com.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


94.79.10.76

Response:


;; ANSWER SECTION:
lalka.com.ru. 600 IN SOA ns1.spaceweb.ru. dns1.sweb.ru. 2014052970 28800 7200 604800 600
lalka.com.ru. 600 IN NS ns2.spaceweb.ru.
lalka.com.ru. 600 IN NS ns1.spaceweb.ru.
lalka.com.ru. 600 IN A 77.222.56.62
lalka.com.ru. 600 IN MX 10 mx.asdgggggasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdaiouuytsdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdhjhjhjasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasghghghdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdafgffsdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdfgfgfgasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd1.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd2.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd3.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd4.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd5.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd7.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdaghghghghsdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd10.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd11.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffagfhgfhfghsdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdashghgdfgdgdffasdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd564.com.
lalka.com.ru. 600 IN MX 10 mx.asghgghghghghsdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasdjkj.com.
lalka.com.ru. 600 IN MX 20 mx2.spaceweb.ru.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdaesdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasfdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdasdasdsadasdasdasdasdasdasdasddasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdasdffasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdffasdasdasdsadasdasdasdasdasdasdasdassdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdaccsdasdffasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdashhhhdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasjjjjdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdjjjjasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN MX 10 mx.asdasdgfffgasdasdasdsadasdasdasdasdasdasdasdasdasdasdasd.com.
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15ER"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15Gp"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15II"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15OO"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15SA"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15WW"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15YY"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdas"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15A"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15Q"
lalka.com.ru. 600 IN TXT "asdasdasdasdasdasdasdasdasfasgvasvascascasxcascascascsdvgsdvscvsxvsdvsdvsdbvsdsdvsddvsdfsdfasdasdsadasdasdasdasdasdasfwfrwef15S"

A 4
MX 32
NS 2
SOA 1
TXT 12
Rsize 4155









Domain: bangtest.zong.co.ua

Domain: bangtest.zong.co.ua

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0842414e && 0x2c&0xDFDFDFDF=0x47544553 && 0x30&0xDFFFDFDF=0x54045a4f && 0x34&0xDFDFFFDF=0x4e470243 && 0x38&0xDFFFDFDF=0x4f025541 && 0x3c&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q bangtest.zong.co.ua"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 61 --algo bm --hex-string '|0862616e6774657374047a6f6e6702636f02756100|' -j DROP -m comment --comment "DROP DNS Q bangtest.zong.co.ua"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


204.124.183.210

Name server:


;; ANSWER SECTION:
zong.co.ua. 21599 IN NS ns1.reg.ru.
zong.co.ua. 21599 IN NS ns2.reg.ru.

Whois



Domain ID:589099_COUA-DRS
Domain Name:ZONG.CO.UA
Created On:07-Jan-2014 14:31:16 UTC
Last Updated On:04-Jun-2014 17:07:50 UTC
Expiration Date:07-Jan-2015 14:31:16 UTC
Sponsoring Registrar:Reg RU (reg-ru-mnt-cunic)
Status:ok
Registrant ID:O8402055-CUNIC
Registrant Name:
Registrant Organization:Private Person
Registrant Street1:
Registrant Street2:
Registrant Street3:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:+61.420500569
Registrant Fax:
Registrant Email:manlazy@hotmail.co.uk
Admin ID:A8402055-CUNIC
Admin Name:
Admin Organization:Private Person
Admin Street1:
Admin Street2:
Admin Street3:
Admin City:
Admin State/Province:
Admin Postal Code:
Admin Country:
Admin Phone:+61.420500569
Admin Fax:
Admin Email:manlazy@hotmail.co.uk
Billing ID:B8402055-CUNIC
Billing Name:
Billing Organization:Private Person
Billing Street1:
Billing Street2:
Billing Street3:
Billing City:
Billing State/Province:
Billing Postal Code:
Billing Country:
Billing Phone:+61.420500569
Billing Fax:
Billing Email:manlazy@hotmail.co.uk
Tech ID:T8402055-CUNIC
Tech Name:
Tech Organization:Private Person
Tech Street1:
Tech Street2:
Tech Street3:
Tech City:
Tech State/Province:
Tech Postal Code:
Tech Country:
Tech Phone:+61.420500569
Tech Fax:
Tech Email:manlazy@hotmail.co.uk
Name Server:NS2.REG.RU
Name Server:NS1.REG.RU





Wednesday, May 14, 2014

Domain: –magas.bslrpg.com

Domain: –magas.bslrpg.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFFFFFDF=0x07c2964d && 0x2c&0xDFDFDFDF=0x41474153 && 0x30&0xFFDFDFDF=0x0642534c && 0x34&0xDFDFDFFF=0x52504703 && 0x38&0xDFDFDFFF=0x434f4d00" -j DROP -m comment --comment "DROP DNS Q –magas.bslrpg.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 60 --algo bm --hex-string '|07c2966d616761730662736c72706703636f6d00|' -j DROP -m comment --comment "DROP DNS Q –magas.bslrpg.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
bslrpg.com. 21599 IN NS nameserver7.carbonhost.com.br.
bslrpg.com. 21599 IN NS nameserver8.carbonhost.com.br.
bslrpg.com. 21599 IN NS ns9.carbonhost.com.br.
bslrpg.com. 21599 IN NS ns10.carbonhost.com.br.


Response:


A 510
Rsize 8300


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: BSLRPG.COM
Registrar: OVH
Whois Server: whois.ovh.com
Referral URL: http://www.ovh.com
Name Server: NAMESERVER7.CARBONHOST.COM.BR
Name Server: NAMESERVER8.CARBONHOST.COM.BR
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 14-oct-2013
Creation Date: 26-oct-2011
Expiration Date: 26-oct-2015


Domain name: bslrpg.com

Registrant:
CarbonHost Networks
Junior Eduardo
Av Escola Politecnica
São paulo, 05350000
BR
+55.1199861108
dudaefj@gmail.com

Administrative Contact:
CarbonHost Networks
Junior Eduardo
Av Escola Politecnica
São paulo, 05350000
BR
+55.1199861108
dudaefj@gmail.com

Technical Contact:
CarbonHost Networks
Junior Eduardo
Av Escola Politecnica
São paulo, 05350000
BR
+55.1199861108
dudaefj@gmail.com

Billing Contact:
CarbonHost Networks
Junior Eduardo
Av Escola Politecnica
São paulo, 05350000
BR
+55.1199861108
dudaefj@gmail.com

Registrar of Record: OVH.
Record last updated on 2013-10-11.
Record expires on 2013-10-26.
Record created on 2012-09-11.






Sunday, April 27, 2014

Domain: wradish.com

Domain: wradish.com


If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.


If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07575241 && 0x2c&0xDFDFDFDF=0x44495348 && 0x30&0xFFDFDFDF=0x03434f4d && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q wradish.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|077772616469736803636f6d00|' -j DROP -m comment --comment "DROP DNS Q wradish.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


42.99.130.141

Name server:


;; ANSWER SECTION:
wradish.com. 3599 IN NS ns20.domaincontrol.com.
wradish.com. 3599 IN NS ns19.domaincontrol.com.


Response:


A 2
MX 2
NS 2
SOA 1
Rsize 207


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: WRADISH.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS19.DOMAINCONTROL.COM
Name Server: NS20.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-apr-2014
Creation Date: 21-apr-2014
Expiration Date: 21-apr-2015

>>> Last update of whois database: Sun, 27 Apr 2014 15:03:33 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: WRADISH.COM
Registry Domain ID: 1855566194_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-04-21 09:40:43
Creation Date: 2014-04-21 09:37:53
Registrar Registration Expiration Date: 2015-04-21 09:37:53
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Robert M. Jackson
Registrant Organization:
Registrant Street: 2888 Bingamon Road
Registrant City: Willoughby
Registrant State/Province: Ohio
Registrant Postal Code: 44094
Registrant Country: United States
Registrant Phone: +1.4405713304
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wradish.com@gmail.com
Registry Admin ID:
Admin Name: Robert M. Jackson
Admin Organization:
Admin Street: 2888 Bingamon Road
Admin City: Willoughby
Admin State/Province: Ohio
Admin Postal Code: 44094
Admin Country: United States
Admin Phone: +1.4405713304
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: wradish.com@gmail.com
Registry Tech ID:
Tech Name: Robert M. Jackson
Tech Organization:
Tech Street: 2888 Bingamon Road
Tech City: Willoughby
Tech State/Province: Ohio
Tech Postal Code: 44094
Tech Country: United States
Tech Phone: +1.4405713304
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: wradish.com@gmail.com
Name Server: NS19.DOMAINCONTROL.COM
Name Server: NS20.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-04-27T15:00:00Z



Tuesday, April 22, 2014

Domain: iorr.ru

Domain: iorr.ru

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04494f52 && 0x2c&0xDFFFDFDF=0x52025255 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q iorr.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|04696f727202727500|' -j DROP -m comment --comment "DROP DNS Q iorr.ru"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


89.248.168.200

Name server:


;; ANSWER SECTION:
iorr.ru. 21599 IN NS ns2.reg.ru.
iorr.ru. 21599 IN NS ns1.reg.ru.


Response:


A 240
NS 2
SOA 1
Rsize 3936


Whois


% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: IORR.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2014.02.15
paid-till: 2015.02.15
free-date: 2015.03.18
source: TCI

Last updated on 2014.04.23 00:07:38 MSK




Saturday, April 5, 2014

Domain: ddosforums.pw

Domain: ddosforums.pw

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a44444f && 0x2c&0xDFDFDFDF=0x53464f52 && 0x30&0xDFDFDFFF=0x554d5302 && 0x34&0xDFDFFF00=0x50570000" -j DROP -m comment --comment "DROP DNS Q ddosforums.pw"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|0A64646f73666f72756d7302707700|' -j DROP -m comment --comment "DROP DNS Q ddosforums.pw"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


65.181.121.246

Name server:


;; ANSWER SECTION:
ddosforums.pw. 21599 IN NS dina.ns.cloudflare.com.
ddosforums.pw. 21599 IN NS ian.ns.cloudflare.com.


Response:


A 13
NS 6
SOA 2
TXT 12
Rsize 1136 3


Whois


Domain ID:CNIC-DO1547096
Domain Name:DDOSFORUMS.PW
Created On:2013-10-15T00:33:25.0Z
Last Updated On:2013-11-04T16:42:38.0Z
Expiration Date:2014-10-15T23:59:59.0Z
Status:clientTransferProhibited
Status:serverTransferProhibited
Registrant ID:TJKYRCLKH1NE0OMV
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard, Inc.
Registrant Street1:P.O. Box 0823-03411
Registrant City:Panama
Registrant State/Province:Panama
Registrant Postal Code:NA
Registrant Country:PA
Registrant Phone:+507.8365503
Registrant Fax:+51.17057182
Registrant Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Admin ID:EHUGZGUYQAJRHATN
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard, Inc.
Admin Street1:P.O. Box 0823-03411
Admin City:Panama
Admin State/Province:Panama
Admin Postal Code:NA
Admin Country:PA
Admin Phone:+507.8365503
Admin Fax:+51.17057182
Admin Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Tech ID:JDHLEKUW0DARK0EG
Tech Name:WhoisGuard Protected
Tech Organization:WhoisGuard, Inc.
Tech Street1:P.O. Box 0823-03411
Tech City:Panama
Tech State/Province:Panama
Tech Postal Code:NA
Tech Country:PA
Tech Phone:+507.8365503
Tech Fax:+51.17057182
Tech Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Billing ID:0QIKRMW5TJCY5QSZ
Billing Name:WhoisGuard Protected
Billing Organization:WhoisGuard, Inc.
Billing Street1:P.O. Box 0823-03411
Billing City:Panama
Billing State/Province:Panama
Billing Postal Code:NA
Billing Country:PA
Billing Phone:+507.8365503
Billing Fax:+51.17057182
Billing Email:56c84bcc218944548a75dcba78c7e01f.protect@whoisguard.com
Sponsoring Registrar ID:H1772673
Sponsoring Registrar IANA ID:1068
Sponsoring Registrar Organization:Namecheap
Sponsoring Registrar Street1:11400 W Olympic Blvd.
Sponsoring Registrar Street2:Suite 200
Sponsoring Registrar City:Los Angeles
Sponsoring Registrar State/Province:CA
Sponsoring Registrar Postal Code:90064
Sponsoring Registrar Country:US
Sponsoring Registrar Phone:+1.0123456789
Sponsoring Registrar Fax:+1.0123456789
Sponsoring Registrar Website:http://www.namecheap.com
Name Server:DINA.NS.CLOUDFLARE.COM
Name Server:IAN.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/




Friday, March 14, 2014

Domain: admin.blueorangecare.com

Domain: admin.blueorangecare.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0541444d && 0x2c&0xDFDFFFDF=0x494e0e42 && 0x30&0xDFDFDFDF=0x4c55454f && 0x34&0xDFDFDFDF=0x52414e47 && 0x38&0xDFDFDFDF=0x45434152 && 0x3c&0xDFFFDFDF=0x4503434f && 0x40&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q admin.blueorangecare.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 66 --algo bm --hex-string '|0561646d696e0E626c75656f72616e67656361726503636f6d00|' -j DROP -m comment --comment "DROP DNS Q admin.blueorangecare.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


74.125.128.101

Name server:


;; ANSWER SECTION:
blueorangecare.com. 21599 IN NS ns2.seekdotnet.com.
blueorangecare.com. 21599 IN NS ns1.seekdotnet.com.


Response:


TXT 10
Rsize 2670


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: BLUEORANGECARE.COM
Registrar: DOMAIN.COM, LLC
Whois Server: whois.domain.com
Referral URL: http://www.domain.com
Name Server: NS1.SEEKDOTNET.COM
Name Server: NS2.SEEKDOTNET.COM
Status: ok
Updated Date: 27-feb-2014
Creation Date: 05-feb-2006
Expiration Date: 05-feb-2015

>>> Last update of whois database: Sat, 15 Mar 2014 02:13:50 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: BLUEORANGECARE.COM
Registry Domain ID: 335428018_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2014-02-27 04:39:15
Creation Date: 2006-02-05 12:10:35
Registrar Registration Expiration Date: 2015-02-05 12:10:35
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Dotster.com
Reseller: support@dotster-inc.com
Reseller: +1.8004015250
Domain Status: ok
Registry Registrant ID:
Registrant Name: unknown unknown
Registrant Organization: Mr. Bhail
Registrant Street: 81, Broad Walk
Registrant City: Heston
Registrant State/Province: Middlesex
Registrant Postal Code: TW5 9AA
Registrant Country: GB
Registrant Phone: 02085709000
Registrant Phone Ext:
Registrant Fax: 02085709000
Registrant Fax Ext:
Registrant Email: Jit@Bhail.com
Registry Admin ID:
Admin Name: unknown unknown
Admin Organization: Mr. Bhail
Admin Street: 81, Broad Walk
Admin City: Heston
Admin State/Province: Middlesex
Admin Postal Code: TW5 9AA
Admin Country: GB
Admin Phone: 02085709000
Admin Phone Ext:
Admin Fax: 02085709000
Admin Fax Ext:
Admin Email: Jit@Bhail.com
Registry Tech ID:
Tech Name: unknown unknown
Tech Organization: Mr. Bhail
Tech Street: 81, Broad Walk
Tech City: Heston
Tech State/Province: Middlesex
Tech Postal Code: TW5 9AA
Tech Country: GB
Tech Phone: 02085709000
Tech Phone Ext:
Tech Fax: 02085709000
Tech Fax Ext:
Tech Email: Jit@Bhail.com
Name Server: NS2.SEEKDOTNET.COM
Name Server: NS1.SEEKDOTNET.COM
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-02-27 04:39:15 <<<

Registration Service Provider:
Dotster.com, support@dotster-inc.com
+1.8004015250
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.




Saturday, March 8, 2014

Domain: ahuyehue.info

Domain: ahuyehue.info

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08414855 && 0x2c&0xDFDFDFDF=0x59454855 && 0x30&0xDFFFDFDF=0x4504494e && 0x34&0xDFDFFF00=0x464f0000" -j DROP -m comment --comment "DROP DNS Q ahuyehue.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|08616875796568756504696e666f00|' -j DROP -m comment --comment "DROP DNS Q ahuyehue.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
ahuyehue.info. 10799 IN NS a.dns.gandi.net.
ahuyehue.info. 10799 IN NS b.dns.gandi.net.
ahuyehue.info. 10799 IN NS c.dns.gandi.net.


Response:


A 491
MX 2
NS 3
SOA 1
Rsize 8025


Whois


Domain Name:AHUYEHUE.INFO
Domain ID: D51782614-LRMS
Creation Date: 2014-02-25T22:17:32Z
Updated Date: 2014-02-25T22:17:34Z
Registry Expiry Date: 2015-02-25T22:17:32Z
Sponsoring Registrar:Gandi SAS (R191-LRMS)
Sponsoring Registrar IANA ID: 81
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Domain Status: serverTransferProhibited
Registrant ID:MD8911-GANDI
Registrant Name:Maria Dietze
Registrant Organization:
Registrant Street: Whois Protege / Obfuscated whois
Registrant City:Paris
Registrant State/Province:
Registrant Postal Code:75013
Registrant Country:FR
Registrant Phone:+33.170377666
Registrant Phone Ext:
Registrant Fax: +33.143730576
Registrant Fax Ext:
Registrant Email:4b180cdd6569cf29910b55b359e2d81c-1863102@contact.gandi.net
Admin ID:MD8911-GANDI
Admin Name:Maria Dietze
Admin Organization:
Admin Street: Whois Protege / Obfuscated whois
Admin City:Paris
Admin State/Province:
Admin Postal Code:75013
Admin Country:FR
Admin Phone:+33.170377666
Admin Phone Ext:
Admin Fax: +33.143730576
Admin Fax Ext:
Admin Email:4b180cdd6569cf29910b55b359e2d81c-1863102@contact.gandi.net
Billing ID:MD8911-GANDI
Billing Name:Maria Dietze
Billing Organization:
Billing Street: Whois Protege / Obfuscated whois
Billing City:Paris
Billing State/Province:
Billing Postal Code:75013
Billing Country:FR
Billing Phone:+33.170377666
Billing Phone Ext:
Billing Fax: +33.143730576
Billing Fax Ext:
Billing Email:4b180cdd6569cf29910b55b359e2d81c-1863102@contact.gandi.net
Tech ID:MD8911-GANDI
Tech Name:Maria Dietze
Tech Organization:
Tech Street: Whois Protege / Obfuscated whois
Tech City:Paris
Tech State/Province:
Tech Postal Code:75013
Tech Country:FR
Tech Phone:+33.170377666
Tech Phone Ext:
Tech Fax: +33.143730576
Tech Fax Ext:
Tech Email:4b180cdd6569cf29910b55b359e2d81c-1863102@contact.gandi.net
Name Server:C.DNS.GANDI.NET
Name Server:B.DNS.GANDI.NET
Name Server:A.DNS.GANDI.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

Access to AFILIAS WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Afilias registry database. The data in this record is provided by Afilias Limited for informational purposes only, and Afilias does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Afilias reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.





Saturday, March 1, 2014

Domain: www.jrdga.info

Domain: www.jrdga.info

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03575757 && 0x2c&0xFFDFDFDF=0x054a5244 && 0x30&0xDFDFFFDF=0x47410449 && 0x34&0xDFDFDFFF=0x4e464f00" -j DROP -m comment --comment "DROP DNS Q www.jrdga.info"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|03777777056a7264676104696e666f00|' -j DROP -m comment --comment "DROP DNS Q www.jrdga.info"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


122.136.196.116

Name server:


;; ANSWER SECTION:
jrdga.info. 7199 IN NS ns1.sdfre.info.
jrdga.info. 7199 IN NS ns2.sdfre.info.


Response:


A 255
Rsize 4112


Whois


Domain Name:JRDGA.INFO
Domain ID: D51677779-LRMS
Creation Date: 2014-02-14T04:15:26Z
Updated Date: 2014-02-14T05:01:21Z
Registry Expiry Date: 2015-02-14T04:15:26Z
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Sponsoring Registrar IANA ID: 146
WHOIS Server:
Referral URL:
Domain Status: clientDeleteProhibited
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: serverTransferProhibited
Registrant ID:CR160847378
Registrant Name:li he
Registrant Organization:
Registrant Street: guangdongsheng
Registrant City:guangdongsheng
Registrant State/Province:guangdongsheng
Registrant Postal Code:562633
Registrant Country:CN
Registrant Phone:+86.861254655996
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:withyoos@163.com
Admin ID:CR160847380
Admin Name:li he
Admin Organization:
Admin Street: guangdongsheng
Admin City:guangdongsheng
Admin State/Province:guangdongsheng
Admin Postal Code:562633
Admin Country:CN
Admin Phone:+86.861254655996
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:withyoos@163.com
Billing ID:CR160847381
Billing Name:li he
Billing Organization:
Billing Street: guangdongsheng
Billing City:guangdongsheng
Billing State/Province:guangdongsheng
Billing Postal Code:562633
Billing Country:CN
Billing Phone:+86.861254655996
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email:withyoos@163.com
Tech ID:CR160847379
Tech Name:li he
Tech Organization:
Tech Street: guangdongsheng
Tech City:guangdongsheng
Tech State/Province:guangdongsheng
Tech Postal Code:562633
Tech Country:CN
Tech Phone:+86.861254655996
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:withyoos@163.com
Name Server:NS1.SDFRE.INFO
Name Server:NS2.SDFRE.INFO
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

Access to AFILIAS WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Afilias registry database. The data in this record is provided by Afilias Limited for informational purposes only, and Afilias does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Afilias reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.





Tuesday, February 25, 2014

Authoritative Name Server attack

As of early February I have been observing new weird DNS requests that I think can only be labeled as an Resource Exhaustion Attack against Authoritative Name Servers. An attack strong enough to cripple DNS providers that are hosting thousands and thousands of domains....

Though I am hearing a lot of sounds about it being related to malware but evidence for that has yet to surface.

The first report I read about this was the following post on Spiceworks[1], where some people labeled this as an in -or out going DNS amplification attack. Since then I have heard from DNS admins from all over the world who where seeing similar traffic and rules they wrote to defend themselves against it.

I believe that this attack is also what was troubling some Linux PowerDNS[2] installs.


Amplification Attacks


When an attacker wants to take down a website or host it has different ways to do so. One of which is a Denial of Service (DOS) attack. One common form of attack is a DNS and since recently NTP Reflective Amplification Attacks. These attacks focus on flooding the internet pipe of the victim with useless traffic generated by open DNS/NTP servers on the web.

For these attacks to work an attacker needs -multiple- host with 1gbit uplinks and the ability to spoof source IPs on that AS and a list of good Open DNS/NTP servers.

A good open server is in this case a DNS or NTP server that is capable of sending a much larger response to a small request. For DNS one would search for DNS server supporting EDNS and for NTP servers that support the Monlist command.

The attack

The DNS based attack I have been observing does not require very high quality DNS servers, actually any open resolver will do.

The attackers simply floods the open resolver(s) with non-existent sub-domains for a domain. This will require the resolver to query the DNS hierarchic and contact the authoritative name server for the domain.  One can imagine the effects of hundreds, thousands or even millions of open resolvers contacting the same bunch of authoritative name servers with unique requests multiple times per second.

While writing this blog I observed lots of queries to *.www.0538hj.com. The name servers for this domains are:

;; QUESTION SECTION:
;0538hj.com.                    IN      NS

;; ANSWER SECTION:
0538hj.com.             60345   IN      NS      dns11.hichina.com.
0538hj.com.             60345   IN      NS      dns12.hichina.com.

;; ADDITIONAL SECTION:
dns12.hichina.com.      84272   IN      A       223.5.2.82
dns12.hichina.com.      84272   IN      A       121.196.255.82
dns12.hichina.com.      84272   IN      A       121.196.255.132
dns11.hichina.com.      84272   IN      A       223.5.2.131
dns11.hichina.com.      84272   IN      A       121.196.255.81
dns12.hichina.com.      84272   IN      A       42.96.255.82
dns11.hichina.com.      84272   IN      A       42.96.255.81
dns12.hichina.com.      84272   IN      A       42.96.255.132
dns11.hichina.com.      84272   IN      A       223.5.2.81
dns11.hichina.com.      84272   IN      A       42.96.255.131
dns11.hichina.com.      84272   IN      A       121.196.255.131
dns12.hichina.com.      84272   IN      A       223.5.2.132

While this attack was ongoing it was very difficult to get a response from one of these servers. Goes to show how effective the attack is.

dig a 0538hj.com @dns11.hichina.com
;; global options: +cmd
;; connection timed out; no servers could be reached

About 1 out of 8 queries seemed to get an answer.
The query rate was about 2 - 8 queries per second.

First!


My logs suggest I first started seeing these attacks on Febuary the 3th with domain: abpdesthvwxyz.gb41.com.
The following graph shows the amount of unique domain names this resolver has been seeing each day in February.


Normally this would only be about 10 a day as this server is not used in any legitimate way but participates only in DNS amp and receives some DNS scans. On days I have been seeing these attacks I have seen spikes as high as 16.000 unique domains.


Domains the method - Name Servers the targets


Over time I have seen a multitude of domains. Here are some of the bigger attacks I have seen. The count represent the amount of sub-domains I observed that day. As each sub domain is only requested once this is equal to the amount of IPs and requests.

Count     Date             Domain
 103294 2014-02-11 .jn176.com
  74525 2014-02-22 .sf123.com
  69164 2014-02-13 .iidns.com
  60176 2014-02-23 .sf123.com
  49855 2014-02-21 .sf123.com
  46308 2014-02-14 .567uu.com
  46023 2014-02-11 .hcq99.com
  41051 2014-02-22 .51pop.net
  31899 2014-02-12 .gx911.com
  30139 2014-02-11 .gx911.com
  29984 2014-02-12 .999qp.net
  28956 2014-02-19 .jd176.com
  27736 2014-02-18 .269sf.com
  27006 2014-02-10 .yinquanxuan.com
  25780 2014-02-14 .iidns.com
  25576 2014-02-15 .567uu.com
  25417 2014-02-05 .139hg.com
  22184 2014-02-23 .52ssff.com
  20424 2014-02-15 .liehoo.net
  19609 2014-02-11 .sf717.com
  19525 2014-02-18 .chinahjfu.com
  19452 2014-02-14 .369df.com
  18496 2014-02-05 .hqsy120.com
  18086 2014-02-18 .5kkx.com
  17932 2014-02-23 .51pop.net
  17257 2014-02-14 .love303.com
  16617 2014-02-15 .cxmyy.com
  16614 2014-02-15 .cc176.com
  16380 2014-02-11 .999qp.net
  16244 2014-02-15 .jdgaj.com
  15977 2014-02-19 .bdhope.com
  15316 2014-02-12 .hcq99.com
  14808 2014-02-19 .seluoluo3.com
  14675 2014-02-14 .422ko.com
  14086 2014-02-19 .250hj.com
  13900 2014-02-22 .5ipop.net
  13477 2014-02-14 .lcjba.com
  13415 2014-02-04 .wb123.com
  13315 2014-02-23 .luse7.com
  13079 2014-02-23 .luse8.com


Name servers:


The above domains use the following name servers and we can assume that during these attacks these name servers where very difficult to reach. 

      4 iidns.com.
      3 hichina.com.
      3 dnsabc-b.com.
      2 dnsabc-g.com.
      3 gfdns.net.
      1 zndns.com.
      1 51dns.com.
      1 360wzb.com.
      1.gfdns.net.
      1 51dns.com.
      1 domaincontrol.com.
      1 dnspod.com.

Most of these name servers belong to Chinese registrars. Some of these registrars are responsible for up to half a million domains.

Spoofed or not?


Each DNS query is received from a different IP-address. This suggest spoofing but not in the way it is used with reflective amplification attacks, to specify the target. Here it seems to be used to cloak the origin of these queries from the resolvers.

I keep track of a few values for each query that comes in. Among others its Time To Live (TTL), a value that is not often spoofed.

Count     TTL
   1074    234
   2226    235
  19106   236
  53624   237
  54193   238
 107010  239
 197934  240
 234902  241
 226965  242
 322752  243
 308978  244
 239031  245
 185288  246
 158441  247
  62255   248
  23045   249

16 different TTLs not bad. Suggests it is from all over the globe. Until I noticed the following request for a domain matching this regex:

[a-z]\.www.luse[0-9]\.com\.

Two queries occurred within the same hours but its TTL was off by a lot:

ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.luse0.com ; count=1 ; qtype=A ; ttl=234
ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.luse6.com ; count=1 ; qtype=A ; ttl=247

13 hops difference, that could be the difference between a request from Europe or the US a change like that doesn't add up. I call that evidence of spoofing.


Detection


For me it is pretty easy to detect these attacks now that I know what to look for. But I am fortunate enough to have very little legit traffic so this malicious traffic stands out nicely. When running a (very) large resolver for a network it will be more difficult to spot, let alone block.

Characteristics
So far I have only seen queries for:

- All queries are for A records
- No OPT resource record in query
- One label is randomized
-The random sub-domain contains only chars a-z
- Random sub-domain label length is between: 1 <> 16

Remedy 

Automatically flagging of these domains might result in false positive. So until a characteristic is found that can be used to isolate this traffic more specifically it will be mainly manual labor to maintain blacklists.

One way of dropping this traffic would be by using the IPtables strings module:

iptables --insert INPUT -p udp --dport 53 -m string --from 34 --to 80 --algo bm --hex-string '|056c7573653003636f6d00|' -j DROP -m comment --comment "DROP DNS Q luse0.com"


An employee of Secure64 pointed me to their blog about the subject:

https://blog.secure64.com/?p=377

References:

[1] - http://community.spiceworks.com/topic/441721-what-does-a-dns-amplification-ddos-attack-look-like
[2] - http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/

Monday, February 10, 2014

Domain: sheshows.com

Domain: sheshows.com

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


IPtables:


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x08534845 && 0x2c&0xDFDFDFDF=0x53484f57 && 0x30&0xDFFFDFDF=0x5303434f && 0x34&0xDFFF0000=0x4d000000" -j DROP -m comment --comment "DROP DNS Q sheshows.com"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|0873686573686f777303636f6d00|' -j DROP -m comment --comment "DROP DNS Q sheshows.com"
More Iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


40.187.114.250

Name server:


;; ANSWER SECTION:
sheshows.com. 598 IN NS safe.qycn.cn.
sheshows.com. 598 IN NS safe.qycn.com.
sheshows.com. 598 IN NS safe.qycn.org.
sheshows.com. 598 IN NS safe.qycn.net.


Response:


A 1
Rsize 46


Whois



Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SHESHOWS.COM
Registrar: THREADTRADE.COM, INC
Whois Server: whois.yourjungle.com
Referral URL: http://secure.bellnames.com
Name Server: SAFE.QYCN.CN
Name Server: SAFE.QYCN.COM
Status: ok
Updated Date: 10-feb-2014
Creation Date: 29-dec-2013
Expiration Date: 29-dec-2014

>>> Last update of whois database: Tue, 11 Feb 2014 00:12:17 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: SHESHOWS.COM

Registrant:
registrant_org:
registrant_name: lirong shi
registrant_email: gl@beianX.com
registrant_address: beijing
registrant_city: beijing
registrant_state: beijing
registrant_zip: 100100
registrant_country: CN
registrant_phone:

Administrative Contact:
admin_org:
admin_name: lirong shi
admin_email: gl@beianX.com
admin_address: beijing
admin_city: beijing
admin_state: beijing
admin_zip: 100100
admin_country: CN
admin_phone:

Technical Contact:
tech_org:
tech_name: lirong shi
tech_email: gl@beianX.com
tech_address: beijing
tech_city: beijing
tech_state: beijing
tech_zip: 100100
tech_country: CN
tech_phone:

Billing Contact:
bill_org:
bill_name: lirong shi
bill_email: gl@beianX.com
bill_address: beijing
bill_city: beijing
bill_state: beijing
bill_zip: 100100
bill_country: CN
bill_phone:

Creation Date: 2013-12-29
Expiration Date: 2014-12-29
Name Servers:
SAFE.QYCN.CN
SAFE.QYCN.COM