[nsp-sec] strange spoofed DNS attack (AS174)
Mike Tancsa
mike at sentex.net
Tue Aug 10 06:03:07 EDT 2010
Hi,
I have been seeing a rather strange DNS attack... Reflection/poisoning? I am not sure who the target is, or even
targets. It's not that heavy, but it's rather odd and persistent and I
thought I would mention it here in case it's of interest to others.
Originating from somewhere inside AS174 or through it (I only see it
come in on my peer with Cogent), an attacker is spoofing
199.212.133.0/24 (not mine) and my /24 (199.212.134.0/24).
NB* please DON'T black hole 199.212.134.0/24
They are sending a constant spew of DNS requests for a series of
domains (~130 of them). A cursory look does not show any obvious
pattern of ownership or authoritativeness other than the hosts being Chinese.
e.g.
05:23:29.804543 IP 199.212.133.246.33388 > 199.212.134.12.53: 43037+ A? oa.canmay.net. (31)
05:23:30.196683 IP 199.212.133.245.35721 > 199.212.134.12.53: 43037+ A? www.sany.com.cn. (33)
05:23:30.338228 IP 199.212.133.176.37851 > 199.212.134.12.53: 43037+ A? product.sanygroup.com. (39)
05:23:30.503258 IP 199.212.133.211.41577 > 199.212.134.12.53: 43037+ A? img.3366.com. (30)
05:23:30.672535 IP 199.212.133.248.36037 > 199.212.134.12.53: 43037+ A? test.5dgz.com. (31)
05:23:30.852557 IP 199.212.133.233.40446 > 199.212.134.12.53: 43037+ A? Home.crc.com.cn. (33)
05:23:30.945129 IP 199.212.133.244.39538 > 199.212.134.12.53: 43037+ A? Data.crc.com.hk. (33)
05:23:31.205354 IP 199.212.133.181.33648 > 199.212.134.12.53: 43037+ A? buy.homevv.com. (32)
05:23:31.291317 IP 199.212.133.169.35005 > 199.212.134.12.53: 43037+ A? hjgds1.9qwan.com. (34)
05:23:31.380008 IP 199.212.133.207.36661 > 199.212.134.12.53: 43037+[|domain]
05:23:31.451843 IP 199.212.133.198.36377 > 199.212.134.12.53: 43037+ A? www.crc.com.cn. (32)
05:23:31.551044 IP 199.212.133.210.32835 > 199.212.134.12.53: 43037+ A? consumersupport.lenovo.com. (44)
and looking at just one target when allowing the spoofed packets in,
the pattern looks like
Aug 9 14:34:33 auth named[677]: client 199.212.133.224#36818: query: His.crc.com.hk IN A +
Aug 9 14:34:45 auth named[677]: client 199.212.134.109#35836: query: His.crc.com.hk IN A +
Aug 9 14:34:58 auth named[677]: client 199.212.133.240#41959: query: His.crc.com.hk IN A +
Aug 9 14:35:11 auth named[677]: client 199.212.134.57#33278: query: His.crc.com.hk IN A +
Aug 9 14:35:23 auth named[677]: client 199.212.133.197#41075: query: His.crc.com.hk IN A +
Aug 9 14:35:35 auth named[677]: client 199.212.133.236#40372: query: His.crc.com.hk IN A +
Aug 9 14:35:48 auth named[677]: client 199.212.134.77#33591: query: His.crc.com.hk IN A +
Aug 9 14:36:00 auth named[677]: client 199.212.134.90#40102: query: His.crc.com.hk IN A +
Aug 9 14:36:13 auth named[677]: client 199.212.134.59#37186: query: His.crc.com.hk IN A +
Aug 9 14:36:26 auth named[677]: client 199.212.133.226#38946: query: His.crc.com.hk IN A +
Aug 9 14:36:38 auth named[677]: client 199.212.134.89#36032: query: His.crc.com.hk IN A +
Aug 9 14:36:51 auth named[677]: client 199.212.134.21#40737: query: His.crc.com.hk IN A +
Aug 9 14:37:03 auth named[677]: client 199.212.134.100#40462: query: His.crc.com.hk IN A +
Aug 9 14:37:16 auth named[677]: client 199.212.133.176#36062: query: His.crc.com.hk IN A +
Aug 9 14:37:28 auth named[677]: client 199.212.134.94#41774: query: His.crc.com.hk IN A +
Aug 9 14:37:41 auth named[677]: client 199.212.133.241#38482: query: His.crc.com.hk IN A +
Aug 9 14:37:53 auth named[677]: client 199.212.134.103#34939: query: His.crc.com.hk IN A +
Aug 9 14:38:06 auth named[677]: client 199.212.133.186#38178: query: His.crc.com.hk IN A +
Aug 9 14:38:19 auth named[677]: client 199.212.134.1#42014: query: His.crc.com.hk IN A +
Aug 9 14:38:31 auth named[677]: client 199.212.133.221#40277: query: His.crc.com.hk IN A +
Aug 9 14:38:44 auth named[677]: client 199.212.134.35#38825: query: His.crc.com.hk IN A +
Aug 9 14:38:56 auth named[677]: client 199.212.133.197#39048: query: His.crc.com.hk IN A +
Aug 9 14:39:09 auth named[677]: client 199.212.134.63#35157: query: His.crc.com.hk IN A +
Aug 9 14:39:21 auth named[677]: client 199.212.134.29#42558: query: His.crc.com.hk IN A +
I do allow recursion from 199.212.134.0/24 on the name server
199.212.134.12, so I am guessing that's the point of the spoofing. But I'm
not sure what the goal is other than cache poisoning perhaps? A
full pcap is available at www.tancsa.com/baddns.zip
The password on the zip file is BADdns2metoday!BADdns2metoday!
It has a pcap of the requests and the full list of domains.
# sha256 baddns.zip
SHA256 (baddns.zip) = 2c82b05b8e763cf914b587743ffb94c0b0fdd75bec45f2c48e1db2b5e031b357
size 901882
The other interesting data point is that they were clever enough to
target one of my recursive name servers for my network
(199.212.134.12). It's not authoritative for any domain, so it would
have taken them a few extra steps to figure that out.
AS174, it would be great if you could see who is spoofing those 2
prefixes and take action if you can.
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
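As an added example (not code from Mike's post), a Python sketch of two checks a resolver operator could run over logs shaped like the excerpts above: whether one DNS transaction ID is shared by many "clients" (a real stub picks a fresh ID per query, so a fixed 43037+ across dozens of sources is a scripting/spoofing tell), and the inter-arrival cadence of queries for one name regardless of the claimed source, which exposes the metronomic ~12 s pattern even as the spoofed addresses rotate. The sample lines are constructed after the post's excerpts, and the year used to parse the syslog timestamps is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three lines from the post plus one ordinary-looking query.
SAMPLE_TCPDUMP = """\
05:23:29.804543 IP 199.212.133.246.33388 > 199.212.134.12.53: 43037+ A? oa.canmay.net. (31)
05:23:30.196683 IP 199.212.133.245.35721 > 199.212.134.12.53: 43037+ A? www.sany.com.cn. (33)
05:23:30.338228 IP 199.212.133.176.37851 > 199.212.134.12.53: 43037+ A? product.sanygroup.com. (39)
05:23:31.093412 IP 10.0.0.7.51001 > 199.212.134.12.53: 12345+ A? example.com. (29)
""".splitlines()

# Constructed sample: BIND query-log lines in the same shape as the post's.
SAMPLE_NAMED = """\
Aug 9 14:34:33 auth named[677]: client 199.212.133.224#36818: query: His.crc.com.hk IN A +
Aug 9 14:34:45 auth named[677]: client 199.212.134.109#35836: query: His.crc.com.hk IN A +
Aug 9 14:34:58 auth named[677]: client 199.212.133.240#41959: query: His.crc.com.hk IN A +
Aug 9 14:35:11 auth named[677]: client 199.212.134.57#33278: query: His.crc.com.hk IN A +
""".splitlines()

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.53: (?P<txid>\d+)\+")
NAMED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def txid_sources(tcpdump_lines):
    """Map each DNS transaction ID to the set of source IPs that used it."""
    seen = defaultdict(set)
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line)
        if m:
            seen[int(m["txid"])].add(m["src"])
    return seen

def suspect_txids(tcpdump_lines, min_sources=3):
    """IDs reused by min_sources or more distinct sources: scripted, likely spoofed."""
    return sorted(t for t, s in txid_sources(tcpdump_lines).items() if len(s) >= min_sources)

def query_intervals(named_lines, qname, year=2010):
    """Seconds between successive queries for qname, ignoring the claimed client."""
    times = []
    for line in named_lines:
        m = NAMED_RE.match(line)
        if m and m["qname"].lower() == qname.lower():
            # syslog lines carry no year; the caller supplies one (assumed 2010 here)
            times.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]
```

Run against a full day of logs, a name whose intervals sit in a tight band while its "clients" scatter across the permitted prefix is the signal to investigate, independent of whether any single source looks busy.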