[nsp-sec] Abnormal increase of DNS query around 13:00 ~ 15:00 (GMT +00:00) May 19th ?

Yonglin ZHOU yonglin.zhou at gmail.com
Thu May 21 20:58:52 EDT 2009


Actually, after a joint investigation with ISPs and Baofeng.com, we
have basically identified the reason. Later, the government
published a report on their website:
http://www.miit.gov.cn/n11293472/n11293832/n11293907/n11368223/12365340.html
Of course, it is in Chinese. Sorry for that.

We had thought it to be a large-scale DDoS attack on DNS servers. But
the attack sources were so huge and so distributed (with real IPs), and,
most importantly, the sources mainly 'attacked' local DNS
servers (i.e. the default DNS) -- for instance, DNS servers outside
China did not suffer.

After tracing the queries, we found that most of them were requests for
the IP of baofeng.com. And during the incident, baofeng.com was unavailable.
The queries were from the users of baofeng.com. These users all had
installed the free online video player of baofeng.com.  The software
connects to the servers of baofeng.com for media news, update
messages, etc. If it cannot reach the server, it retries very
frequently. So when the domain -- baofeng.com -- was unavailable,
thousands of computers sent queries to the DNS in a short time, and the
DNS had to recursively send requests to the TLD servers and then reply
to the PCs.

This incident reminds us to pay attention to the vulnerability of
online working software. They may not have a flaw in the code, but they
may have an inappropriate networking mechanism.

Hope the above information is helpful to the list members, and please
keep it in the list only.

Best regards,

Yonglin.


On Thu, May 21, 2009 at 11:08 PM, Yiming Gong <yiming.gong at xo.com> wrote:
> Looks like lots of provinces in China were having problems; people over at
> this page reported DNS issues all over China.
>
> http://www.cnbeta.com/articles/84652.htm#ncomment
>
> Regards!
>
> Yiming
> On 05/20/2009 03:27 AM, Dave Burke wrote:
>>
>> ----------- nsp-security Confidential --------
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Yes, but for us it was later. Between 20:00 and 21:00 (UTC) last night, we
>> saw a spike in DNS queries originating from AS4134 and AS4837.
>>
>> dave
>>
>> Yonglin ZHOU wrote:
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> Hello colleagues,
>>>
>>> Last night, around 21:00 ~ 23:00 (Beijing Time -- GMT +08:00), or
>>> 13:00 ~ 15:00 (GMT +00:00), we saw a dramatic increase in DNS
>>> queries. Did any team notice a similar trend?
>>>
>>> Thanks.
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkoTvwEACgkQvMJ1IGjTxcGXhACgom1cf1GsGY8EKRiOxxbPVDBd
>> TqoAnirUAdbJV1ORlwj2P+PoT/ttIifs
>> =ifX1
>> -----END PGP SIGNATURE-----
>>
>>
>>
>> Amazon Data Services Ireland Limited registered office: Riverside One, Sir
>> John Rogerson's Quay, Dublin 2, Ireland. Registered in Ireland. Registration
>> number 390566.
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>>
>
>
>



-- 
----------------- Enjoy the life --------------------
Yonglin ZHOU
Fixed line: + 86 10 8299 0355  Fax: +86 10 8299 0399
Email: zyl at cert.org.cn,  yonglin.zhou at gmail.com
-------------------------------------------------------------------------
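The mechanism Yonglin describes above (installed clients that cannot reach their server retry very frequently, and every retry starts with a DNS query that the local resolver has to recurse for, because the failure is not cached) can be modelled to see why it looks like a DDoS from the resolver's side, and what each party can do about it. The following is an added example, not code from the list post or from the Baofeng player; the client counts, retry intervals, the two-hour window and the 30-second failure-cache TTL are assumptions chosen to illustrate the mechanism, not measurements from the incident.

```python
"""Simulate the self-inflicted DNS flood described in the thread above:
many installed clients whose update server is unreachable keep retrying,
and every retry starts with a fresh query to the local resolver.

Added example, not code from the list post or from the Baofeng player.
Client counts, retry intervals and the two-hour window are assumptions
chosen to illustrate the mechanism, not measurements from the incident.
"""
import random

WINDOW_SECONDS = 2 * 3600  # roughly the length of the reported spike


def fixed_retry_times(interval, window=WINDOW_SECONDS):
    """Retry schedule of a naive client: one attempt every `interval` seconds."""
    return list(range(0, window, interval))


def backoff_retry_times(base, cap, seed, window=WINDOW_SECONDS):
    """Retry schedule with exponential backoff and 'equal jitter':
    wait delay/2 plus a random amount up to delay/2, doubling the delay
    up to `cap`.  Time always advances by at least delay/2, so the number
    of attempts in the window is bounded whatever jitter is drawn."""
    rng = random.Random(seed)  # one stream per client, so clients desynchronise
    times, t, delay = [], 0.0, float(base)
    while t < window:
        times.append(t)
        t += delay / 2 + rng.uniform(0, delay / 2)
        delay = min(delay * 2, cap)
    return times


class Resolver:
    """Minimal model of a recursive resolver whose upstream lookup fails.

    With servfail_ttl == 0 (failure not cached) every client query is
    forwarded upstream, which is the behaviour the thread describes.
    RFC 2308 permits caching a server failure for up to five minutes."""

    def __init__(self, servfail_ttl=0):
        self.servfail_ttl = servfail_ttl
        self.cache_until = -1.0
        self.client_queries = 0
        self.upstream_queries = 0

    def query(self, t):
        self.client_queries += 1
        if t < self.cache_until:
            return  # answered from the cached failure, no recursion
        self.upstream_queries += 1
        self.cache_until = t + self.servfail_ttl


def simulate(n_clients, schedule_for_client, servfail_ttl=0):
    """Feed every client's retry timestamps, in time order, to one resolver.
    Returns (client_queries, upstream_queries) over the window."""
    resolver = Resolver(servfail_ttl)
    events = sorted(t for c in range(n_clients) for t in schedule_for_client(c))
    for t in events:
        resolver.query(t)
    return resolver.client_queries, resolver.upstream_queries


def compare(n_clients=1000):
    """Client and upstream query counts for the naive and the backoff client."""
    return {
        "fixed_1s_no_failure_cache": simulate(
            n_clients, lambda c: fixed_retry_times(1)),
        "fixed_1s_servfail_cached_30s": simulate(
            n_clients, lambda c: fixed_retry_times(1), servfail_ttl=30),
        "backoff_1s_to_300s_no_failure_cache": simulate(
            n_clients, lambda c: backoff_retry_times(1, 300, seed=c)),
    }


if __name__ == "__main__":
    for name, (clients, upstream) in compare().items():
        print(f"{name:40s} client queries={clients:>10,} upstream={upstream:>10,}")
```

With a one-second fixed retry and no failure caching, a thousand clients produce 7.2 million resolver queries and the same number of upstream recursions in two hours; the domain never becomes resolvable, so none of that work is useful. The two fixes are independent of each other: the client can back off with jitter (a few dozen attempts per client in the same window instead of 7200), and the resolver can cache the SERVFAIL for a short time so that the flood of client queries collapses to a handful of upstream recursions. Only the first fix is in the hands of the software vendor, which is the "inappropriate networking mechanism" Yonglin points at.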