[nsp-sec] strange spoofed DNS attack (AS174, AS6453)

Mike Tancsa mike at sentex.net
Sat Sep 11 16:01:00 EDT 2010


It seems this attack is increasing for me.  I am now seeing two of my 
other recursive name servers being hit with spoofed packets 
originating somewhere upstream from me. I see flows coming in from 
TATA (AS6453) and Cogent (AS174).

From TATA, the packets being spoofed are 205.211.164.0 through 205.211.164.150.
From Cogent, the packets being spoofed are 199.212.134.0 through 
199.212.134.111.


If anyone could take a look to see if they have packets being spoofed 
in their network from 205.211.164.0/32 or 199.212.134.0/32, I would 
appreciate it too.  The attack started over a month ago now and shows 
no sign of letting up, and the volume is starting to ramp up since I 
last looked in August. I am not sure how they would have found my 
customer recursive name servers to target in an automated 
way.  205.211.164.51 is not authoritative for anything and is just 
used for my broadband customers.

The... DNS cache poisoning? attempts are all for domains in Asia, it would 
seem.  List below.

Here is a sample packet dump:
15:53:48.933422 IP (tos 0x0, ttl 4, id 42308, offset 0, flags [DF], proto UDP (17), length 61)
     205.211.164.4.42289 > 205.211.164.51.53: [no cksum] 42308+ A? images.21cn.com. (33)
         0x0000:  4500 003d a544 4000 0411 ed8c cdd3 a404  E..=.D@.........
         0x0010:  cdd3 a433 a531 0035 0029 0000 a544 0100  ...3.1.5.)...D..
         0x0020:  0001 0000 0000 0000 0669 6d61 6765 7304  .........images.
         0x0030:  3231 636e 0363 6f6d 0000 0100 01         21cn.com.....







At 06:03 AM 8/10/2010, Mike Tancsa wrote:
>----------- nsp-security Confidential --------
>
>Hi,
>         I have been seeing a rather strange DNS attack... 
> Reflection/poisoning? I am not sure who the target is, or even 
> targets. It's not that heavy, but it's rather odd and persistent, and I 
> thought I would mention it here in case it's of interest to others.
>
>Originating from somewhere inside AS174 or through it (I only see it 
>come in on my peer with Cogent), an attacker is spoofing 
>199.212.133.0/24 (not mine) and my /24 (199.212.134.0/24).
>NB: please DON'T black hole 199.212.134.0/24.
>They are sending a constant spew of DNS requests for a series of 
>domains (~130 of them). A cursory look does not show any obvious 
>pattern of ownership or authoritativeness other than the hosts being Chinese.
>
>eg.
>
>05:23:29.804543 IP 199.212.133.246.33388 > 199.212.134.12.53:  43037+ A? oa.canmay.net. (31)
>05:23:30.196683 IP 199.212.133.245.35721 > 199.212.134.12.53:  43037+ A? www.sany.com.cn. (33)
>05:23:30.338228 IP 199.212.133.176.37851 > 199.212.134.12.53:  43037+ A? product.sanygroup.com. (39)
>05:23:30.503258 IP 199.212.133.211.41577 > 199.212.134.12.53:  43037+ A? img.3366.com. (30)
>05:23:30.672535 IP 199.212.133.248.36037 > 199.212.134.12.53:  43037+ A? test.5dgz.com. (31)
>05:23:30.852557 IP 199.212.133.233.40446 > 199.212.134.12.53:  43037+ A? Home.crc.com.cn. (33)
>05:23:30.945129 IP 199.212.133.244.39538 > 199.212.134.12.53:  43037+ A? Data.crc.com.hk. (33)
>05:23:31.205354 IP 199.212.133.181.33648 > 199.212.134.12.53:  43037+ A? buy.homevv.com. (32)
>05:23:31.291317 IP 199.212.133.169.35005 > 199.212.134.12.53:  43037+ A? hjgds1.9qwan.com. (34)
>05:23:31.380008 IP 199.212.133.207.36661 > 199.212.134.12.53:  43037+[|domain]
>05:23:31.451843 IP 199.212.133.198.36377 > 199.212.134.12.53:  43037+ A? www.crc.com.cn. (32)
>05:23:31.551044 IP 199.212.133.210.32835 > 199.212.134.12.53:  43037+ A? consumersupport.lenovo.com. (44)
>
>and looking at just one target when allowing the spoofed packets in, 
>the pattern looks like:
>
>Aug  9 14:34:33 auth named[677]: client 199.212.133.224#36818: query: His.crc.com.hk IN A +
>Aug  9 14:34:45 auth named[677]: client 199.212.134.109#35836: query: His.crc.com.hk IN A +
>Aug  9 14:34:58 auth named[677]: client 199.212.133.240#41959: query: His.crc.com.hk IN A +
>Aug  9 14:35:11 auth named[677]: client 199.212.134.57#33278: query: His.crc.com.hk IN A +
>Aug  9 14:35:23 auth named[677]: client 199.212.133.197#41075: query: His.crc.com.hk IN A +
>Aug  9 14:35:35 auth named[677]: client 199.212.133.236#40372: query: His.crc.com.hk IN A +
>Aug  9 14:35:48 auth named[677]: client 199.212.134.77#33591: query: His.crc.com.hk IN A +
>Aug  9 14:36:00 auth named[677]: client 199.212.134.90#40102: query: His.crc.com.hk IN A +
>Aug  9 14:36:13 auth named[677]: client 199.212.134.59#37186: query: His.crc.com.hk IN A +
>Aug  9 14:36:26 auth named[677]: client 199.212.133.226#38946: query: His.crc.com.hk IN A +
>Aug  9 14:36:38 auth named[677]: client 199.212.134.89#36032: query: His.crc.com.hk IN A +
>Aug  9 14:36:51 auth named[677]: client 199.212.134.21#40737: query: His.crc.com.hk IN A +
>Aug  9 14:37:03 auth named[677]: client 199.212.134.100#40462: query: His.crc.com.hk IN A +
>Aug  9 14:37:16 auth named[677]: client 199.212.133.176#36062: query: His.crc.com.hk IN A +
>Aug  9 14:37:28 auth named[677]: client 199.212.134.94#41774: query: His.crc.com.hk IN A +
>Aug  9 14:37:41 auth named[677]: client 199.212.133.241#38482: query: His.crc.com.hk IN A +
>Aug  9 14:37:53 auth named[677]: client 199.212.134.103#34939: query: His.crc.com.hk IN A +
>Aug  9 14:38:06 auth named[677]: client 199.212.133.186#38178: query: His.crc.com.hk IN A +
>Aug  9 14:38:19 auth named[677]: client 199.212.134.1#42014: query: His.crc.com.hk IN A +
>Aug  9 14:38:31 auth named[677]: client 199.212.133.221#40277: query: His.crc.com.hk IN A +
>Aug  9 14:38:44 auth named[677]: client 199.212.134.35#38825: query: His.crc.com.hk IN A +
>Aug  9 14:38:56 auth named[677]: client 199.212.133.197#39048: query: His.crc.com.hk IN A +
>Aug  9 14:39:09 auth named[677]: client 199.212.134.63#35157: query: His.crc.com.hk IN A +
>Aug  9 14:39:21 auth named[677]: client 199.212.134.29#42558: query: His.crc.com.hk IN A +
>
>I do allow recursion from 199.212.134.0/24 on the name server 
>199.212.134.12, so I am guessing that's the point of the 
>spoofing.  But I am not sure what the goal is, other than cache poisoning 
>perhaps?  A full pcap is available at www.tancsa.com/baddns.zip; the 
>password on the zip file is BADdns2metoday!BADdns2metoday!
>
>It has a pcap of the requests and the full list of domains.
># sha256 baddns.zip
>SHA256 (baddns.zip) = 2c82b05b8e763cf914b587743ffb94c0b0fdd75bec45f2c48e1db2b5e031b357
>size 901882
>
>The other interesting data point is that they were clever enough to 
>target one of my recursive name servers for my network 
>(199.212.134.12).  It's not authoritative for any domain, so it would 
>have taken them a few extra steps to figure that out.
>
>AS174, it would be great if you could see who is spoofing those 2 
>prefixes and take action if you can.
>
>         ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
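The quoted tcpdump output carries two tells of a single sender forging source addresses: every query uses the same DNS transaction ID (43037), and the sources walk through one /24. The script below is an added example, not part of Mike's post, that parses tcpdump query lines and flags both; the first four sample lines are copied from the post, the two 10.0.0.7 lines are constructed benign controls.

```python
import re
from collections import defaultdict

# Constructed sample: first four lines copy the tcpdump output quoted in
# the post (spoofed sources in 199.212.133.0/24, all with txid 43037);
# the last two are constructed benign queries from one host with
# randomized IDs, as a control.
SAMPLE = """\
05:23:29.804543 IP 199.212.133.246.33388 > 199.212.134.12.53:  43037+ A? oa.canmay.net. (31)
05:23:30.196683 IP 199.212.133.245.35721 > 199.212.134.12.53:  43037+ A? www.sany.com.cn. (33)
05:23:30.338228 IP 199.212.133.176.37851 > 199.212.134.12.53:  43037+ A? product.sanygroup.com. (39)
05:23:30.503258 IP 199.212.133.211.41577 > 199.212.134.12.53:  43037+ A? img.3366.com. (30)
05:23:31.000000 IP 10.0.0.7.51234 > 199.212.134.12.53:  51001+ A? example.net. (29)
05:23:31.100000 IP 10.0.0.7.51235 > 199.212.134.12.53:  6317+ A? example.org. (29)
"""

# One tcpdump DNS query line: ts IP src.sport > dst.dport: txid+ A? qname (len)
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<txid>\d+)\+\s*A\? (?P<qname>\S+)"
)


def parse(lines):
    """Parse tcpdump query lines; truncated '[|domain]' lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]


def reused_txids(records, min_sources=3):
    """Transaction IDs seen from >= min_sources distinct source addresses.
    Real stub resolvers randomize the ID per query, so one ID shared by
    many sources points to a single sender forging the source address."""
    srcs = defaultdict(set)
    for r in records:
        srcs[r["txid"]].add(r["src"])
    return {t: sorted(s) for t, s in srcs.items() if len(s) >= min_sources}


def sources_per_prefix(records):
    """Distinct source hosts per /24, to show which prefix the spoofed
    addresses are being walked through (199.212.133.0/24 in the post)."""
    per = defaultdict(set)
    for r in records:
        per[r["src"].rsplit(".", 1)[0] + ".0/24"].add(r["src"])
    return {p: len(s) for p, s in per.items()}


if __name__ == "__main__":
    recs = parse(SAMPLE.splitlines())
    print(reused_txids(recs))        # only txid 43037, from 4 sources
    print(sources_per_prefix(recs))  # 199.212.133.0/24: 4, 10.0.0.0/24: 1
```

Fed a live `tcpdump -n udp port 53` stream, the same two checks separate a spoofed flood from ordinary client traffic without needing the pcap.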