[nsp-sec] High DNS load in germany (UPDATE)

Tom Daly tom at dyn.com
Mon Jan 11 12:30:40 EST 2010


Peter,
What are the IPs of your authoritative boxes? We'll check our recursives.

Tom

Sent from my handheld; please excuse typos and spelling mistakes.

-----Original Message-----

From: <P.Quick at telekom.de>
Sent: Mon, 11 Jan 2010 9:18:26 AM America/Los_Angeles
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] High DNS load in germany (UPDATE)


----------- nsp-security Confidential --------

Hi all,

At the weekend we got hit by another high load against our DNS :(
(Saturday and Sunday between 18:00 and 20:30 (UTC+1))

Again it was just in-addr.arpa queries (reverse lookups) from all over the world.

From my point of view, this high load is not really an attack, but a side effect
 of malicious traffic from our own customers (maybe portscans or sending SPAM).

So this is the scenario I'm thinking about:
- many of our customers are infected by a new malware
- they are used for distributing SPAM or for portscanning IP addresses all over the world
- the target mailservers or attacked hosts make a reverse lookup of the attacking
   IP address (our customer)
- this produces a high load on our DNS because of the huge number of in-addr.arpa queries.


But again, this is only an assumption from my side.

Does anybody have an idea how we can verify whether this scenario is really the
 reason for the 700% rise of in-addr.arpa queries against our DNS??

It looks like most of the queries are coming from the DNS resolvers of
 ISPs all over the world.

Because we only see the DNS servers in your networks, it's impossible for us to
 say anything about the real source of the in-addr.arpa queries.
 So one question is whether these queries are produced by a small number of clients or
 whether a lot of systems produce them.
 If it's only a small number of sources, maybe we can find out whether there is
 another reason for this high number of in-addr.arpa queries.

Does anybody have the possibility to trace the real sources of in-addr.arpa queries
 towards AS3320???
 Any help is really welcome :)

Greetings, 
Peter



PS:
By analysing the DNS traffic, we think we have found 2 DNS servers from ThePlanet.com
 which are not configured correctly => no cache function.
If someone from ThePlanet.com is on the list, maybe they can take a look at these DNS servers :)




Defective nameserver no. 1)
162.74.85.70.in-addr.arpa. 86400 IN     PTR     a2.4a.5546.static.theplanet.com.
; <<>> DiG 9.4.3-P3 <<>> @70.85.74.162 version.bind ch txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1050
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "54-68-69-73-20-73-70-61-63-65-20-69-6E-74-65-6E-74-69-6F-6E-61-6C-6C-79-20-6C-65-66-74-20-62-6C-61-6E-6B" ""

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; ADDITIONAL SECTION:
ServerReturned.Answer.  50      IN      A       192.58.128.30

;; Query time: 168 msec
;; SERVER: 70.85.74.162#53(70.85.74.162)
;; WHEN: Sat Jan  9 17:26:20 2010
;; MSG SIZE  rcvd: 235


Defective nameserver no. 2)
226.138.84.70.in-addr.arpa. 86400 IN    PTR     e2.8a.5446.static.theplanet.com.
; <<>> DiG 9.4.3-P3 <<>> @70.84.138.226 version.bind ch txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 594
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "39-2E-36-2E-31-2D-50-31" ""

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; ADDITIONAL SECTION:
ServerReturned.Answer.  50      IN      A       192.228.79.201

;; Query time: 205 msec
;; SERVER: 70.84.138.226#53(70.84.138.226)
;; WHEN: Sat Jan  9 17:25:36 2010
;; MSG SIZE  rcvd: 154




Kind regards,
Peter Quick 


Deutsche Telekom AG
Service Zentrale, Group IT Security
Peter Quick
SZT-1
Karl-Lange Strasse 29, 44791 Bochum
+49 234 505 7800 (Tel.)
+49 2151 3660 4770 (Fax)
+49 160 7083944 (Mobile)
E-Mail: p.quick at telekom.de
http://www.telekom.com

Experience what connects.

Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: René Obermann (Chairman),
Hamid Akhavan, Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme,
Timotheus Höttges, Guido Kerkhoff, Thomas Sattelberger
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
WEEE-Reg.-Nr.: DE50478376




-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On behalf of Quick, Peter
Sent: Thursday, 7 January 2010 18:54
To: nsp-security at puck.nether.net
Subject: [nsp-sec] High DNS load in germany

----------- nsp-security Confidential --------

Hello nsp-sec,

During the last days, there have been a lot of reports that several German ISPs
 have massive problems with their DNS systems.
 Major outages were reported (e.g. 1und1, InterNetX, Schlund).
 Example: http://www.h-online.com/security/news/item/Attack-on-InterNetX-s-DNS-servers-898190.html

Since yesterday we have also been monitoring a 500% increase of traffic
 towards our authoritative DNS (until now we don't have any customer impact),
 mostly against dns01.btx.dtag.de and dns04.btx.dtag.de.

The huge traffic is only temporary and comes from several sources all over the world.

I have tried to find some information on what could be the reason for this big
 traffic increase.
 Because of this I found the statistics site from DENIC about the
 performance of DENIC's k-root server.
 http://k.root-servers.org/statistics/ROOT/recursion.html
 There you can also see a huge increase of recursion requests since December
 (about 700%, also only temporary).

Does anybody see the same traffic increase, and does anybody know
 what the reason for it is?

At the moment I'm trying to get in contact with other German ISPs.
 But my personal contacts haven't responded so far.
 So if anybody from 1und1, Schlund, InterNetX ... is on the list
 and is interested in sharing some information about this issue,
 feel free to contact me offline.


Greetings,
Peter Quick 







_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________


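The checks Peter asks for above (how much of the load is reverse lookups, whether it comes from a few resolver sources or many, which customer addresses are being looked up, and which resolvers re-ask the same question the way a non-caching server would), plus decoding of the hex-encoded version.bind TXT answers in his dig output, as an added example in Python that is not part of the thread. The BIND-style query-log format and every address in the sample are assumed or constructed.

```python
"""Triage of an in-addr.arpa (PTR) surge at an authoritative DNS server (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample log (RFC 5737 documentation addresses, not real data):
# two remote resolvers asking for PTR records of "customers" in 198.51.100.0/24.
SAMPLE_LOG = """\
client 203.0.113.5#5312: query: 9.100.51.198.in-addr.arpa IN PTR -
client 203.0.113.5#5313: query: 9.100.51.198.in-addr.arpa IN PTR -
client 203.0.113.5#5314: query: 9.100.51.198.in-addr.arpa IN PTR -
client 192.0.2.77#4001: query: 9.100.51.198.in-addr.arpa IN PTR -
client 192.0.2.77#4002: query: 10.100.51.198.in-addr.arpa IN PTR -
client 192.0.2.77#4003: query: www.example.net IN A -
"""
LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")  # assumed log shape

def parse_log(text):
    """Return (resolver_ip, qname, qtype) for every recognised line."""
    return [(m.group(1), m.group(2).rstrip("."), m.group(3))
            for line in text.splitlines() if (m := LINE_RE.search(line))]

def ptr_to_ip(qname):
    """Turn 9.100.51.198.in-addr.arpa back into 198.51.100.9 (IPv4 only)."""
    labels = qname.split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))

def triage(entries):
    """PTR share of the load, sending resolvers, looked-up customers, and per-resolver
    repeat ratio (a caching resolver asks once per TTL; repeats hint at no cache)."""
    ptr = [(src, q) for src, q, qtype in entries
           if qtype == "PTR" and q.endswith(".in-addr.arpa")]
    per_resolver = Counter(src for src, _ in ptr)
    seen, repeats = defaultdict(set), Counter()
    for src, q in ptr:
        if q in seen[src]:
            repeats[src] += 1
        seen[src].add(q)
    return {
        "ptr_share": len(ptr) / len(entries),
        "top_resolvers": per_resolver.most_common(),
        "looked_up_customers": Counter(ptr_to_ip(q) for _, q in ptr).most_common(),
        "repeat_ratio": {src: repeats[src] / n for src, n in per_resolver.items()},
    }

def decode_version_bind(txt):
    """Decode the dash-separated hex seen in the version.bind TXT answers above."""
    return bytes(int(h, 16) for h in txt.split("-")).decode("ascii")
```

Run over a real query log, a resolver with a high repeat ratio for identical names is the candidate for the "no cache function" case Peter describes, while a flat distribution across many resolvers supports his many-targets-doing-reverse-lookups theory.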