[nsp-sec] zapto.org high dns query rate possible attack and 0/0 ??
Smith, Donald
Donald.Smith at qwest.com
Tue Aug 2 15:03:31 EDT 2011
Has anyone heard anything about a DoS involving "zapto.org"? We are seeing a lot of off-network queries coming in for a bunch of zapto.org names.
In just a couple of minutes on one of our resolvers we saw queries from 1000 unique IP addresses.
18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)
18:12:51.504075 IP 205.214.215.60.9967 > 205.171.2.65.53: 40551+ A? write3.zapto.org. (34)
18:12:51.504829 IP 174.112.1.9.15850 > 205.171.2.65.53: 12389+ A? write3.zapto.org. (34)
18:12:51.505087 IP 70.53.145.54.7648 > 205.171.2.65.53: 22680+ A? hole2.zapto.org. (33)
18:12:51.505703 IP 76.248.150.226.6740 > 205.171.2.65.53: 63147+ A? hole3.zapto.org. (33)
18:12:51.507077 IP 99.226.56.24.61476 > 205.171.2.65.53: 9109+ A? hole3.zapto.org. (33)
18:12:51.508198 IP 174.112.44.128.6174 > 205.171.2.65.53: 61058+ A? hole3.zapto.org. (33)
18:12:51.512223 IP 204.237.81.149.11782 > 205.171.2.65.53: 20949+ A? hole3.zapto.org. (33)
18:12:51.512697 IP 76.68.138.89.22286 > 205.171.2.65.53: 20563+ A? write2.zapto.org. (34)
18:12:51.513320 IP 184.145.199.51.10661 > 205.171.2.65.53: 31248+ A? hole2.zapto.org. (33)
18:12:51.513459 IP 216.26.211.178.13533 > 205.171.2.65.53: 28029+ A? write3.zapto.org. (34)
18:12:51.514949 IP 99.237.69.177.12681 > 205.171.2.65.53: 40762+ A? write2.zapto.org. (34)
18:12:51.516824 IP 204.188.164.197.7844 > 205.171.2.65.53: 28305+ A? hole3.zapto.org. (33)
18:12:51.524190 IP 209.59.101.161.60328 > 205.171.2.65.53: 15258+ A? hole3.zapto.org. (33)
18:12:51.524940 IP 99.236.46.100.45503 > 205.171.2.65.53: 45171+ A? hole2.zapto.org. (33)
18:12:51.527565 IP 66.186.88.237.5340 > 205.171.2.65.53: 17460+ A? hole3.zapto.org. (33)
18:12:51.527817 IP 24.150.142.218.5531 > 205.171.2.65.53: 16127+ A? hole3.zapto.org. (33)
18:12:51.528351 IP 207.210.61.179.62030 > 205.171.2.65.53: 5477+ A? write3.zapto.org. (34)
18:12:51.529940 IP 74.72.167.170.8806 > 205.171.2.65.53: 51636+ A? 116151.zapto.org. (34)
They're destined for 205.171.2.65; in Cermak we're getting about 1100/sec, JFK is getting 700/sec.
When I checked those names I got back 0.0.0.0 as the IP address, which isn't a classic blackhole address but would work as a blackhole address, I think.
That also USED to be a broadcast IP in early BSD days, as I recall.
Ignorance is Bliss. "Bliss (Basic Language for Implementation of System Software) was a systems programming language originally for the PDP-10 and DECsystem-20 written at CMU." Kevin Oberman
RTD Donald.Smith at qwest.com
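The triage the post describes (count queries for one zone, count distinct source IPs, work out the per-resolver rate, and note that the answer is 0.0.0.0) can be scripted over the tcpdump output. The following is an added example, not code from the post or from Qwest: it parses tcpdump "A?" query records, including records that were run together on one line as in the post, summarises one zone, and classifies an answer address as blackhole-like. The first eight records of the sample are copied from the post; the last two (a repeat client and a query for www.example.com) are constructed to exercise the filtering. The burst thresholds and the function names are assumptions.

```python
"""Aggregate tcpdump DNS query lines by zone and flag a query burst.

Added example for the nsp-sec post above; it is not code from the post. It
parses the "A?" query lines tcpdump prints, even when several records have
been run together on one line, and reports unique source IPs, per-name counts
and queries per second for one zone. Thresholds are assumptions, not values
from the post.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Records 1-8 are copied from the post (record 7 is the line where two
# captures were joined together); records 9-10 are constructed to add a
# repeat client and an unrelated query.
SAMPLE_LINES = """\
18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)
18:12:51.504075 IP 205.214.215.60.9967 > 205.171.2.65.53: 40551+ A? write3.zapto.org. (34)
18:12:51.504829 IP 174.112.1.9.15850 > 205.171.2.65.53: 12389+ A? write3.zapto.org. (34)
18:12:51.505087 IP 70.53.145.54.7648 > 205.171.2.65.53: 22680+ A? hole2.zapto.org. (33)
18:12:51.505703 IP 76.248.150.226.6740 > 205.171.2.65.53: 63147+ A? hole3.zapto.org. (33)
18:12:51.507077 IP 99.226.56.24.61476 > 205.171.2.65.53: 9109+ A? hole3.zapto.org. (33)
18:12:51.512697 IP 76.68.138.89.22286 > 205.171.2.65.53: 20563+ A? write2.zapto.org. (34) 18:12:51.513320 IP 184.145.199.51.10661 > 205.171.2.65.53: 31248+ A? hole2.zapto.org. (33)
18:12:51.529940 IP 74.72.167.170.8806 > 205.171.2.65.53: 51636+ A? 116151.zapto.org. (34)
18:12:51.530100 IP 174.91.200.74.61778 > 205.171.2.65.53: 36431+ A? hole2.zapto.org. (33)
18:12:51.530500 IP 192.0.2.10.40000 > 205.171.2.65.53: 100+ A? www.example.com. (33)
"""

# One tcpdump DNS query record. Not anchored, so finditer() also recovers
# records that were pasted onto the same line.
QUERY_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<qid>\d+)(?P<rd>\+?) (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \((?P<len>\d+)\)"
)


def parse_queries(text):
    """Return every query record in text as a dict with a datetime 'ts'."""
    out = []
    for m in QUERY_RE.finditer(text):
        rec = m.groupdict()
        # tcpdump prints time of day only; fine within one capture, but a
        # window that crosses midnight would need the capture date added.
        rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
        rec["qname"] = rec["qname"].lower()
        out.append(rec)
    return out


def in_zone(qname, zone):
    """True if qname is zone itself or a name below it."""
    zone = zone.lower().rstrip(".")
    return qname == zone or qname.endswith("." + zone)


def summarize_zone(text, zone):
    """Count queries, unique clients, names and qps for one zone."""
    hits = [q for q in parse_queries(text) if in_zone(q["qname"], zone)]
    if not hits:
        return {"queries": 0, "unique_clients": 0, "names": Counter(), "qps": 0.0}
    first = min(q["ts"] for q in hits)
    last = max(q["ts"] for q in hits)
    span = (last - first).total_seconds()
    return {
        "queries": len(hits),
        "unique_clients": len({q["src"] for q in hits}),
        "names": Counter(q["qname"] for q in hits),
        # A single-record window has no duration; report it as infinite.
        "qps": len(hits) / span if span > 0 else float("inf"),
    }


def looks_like_burst(summary, min_clients=500, min_qps=500):
    """Assumed thresholds: many distinct sources and a high sustained rate."""
    return summary["unique_clients"] >= min_clients and summary["qps"] >= min_qps


def is_blackhole_like(addr):
    """0.0.0.0 (unspecified) or 127/8 (loopback): an answer that goes nowhere."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


if __name__ == "__main__":
    s = summarize_zone(SAMPLE_LINES, "zapto.org")
    print(s["queries"], "queries from", s["unique_clients"], "clients,",
          round(s["qps"]), "q/s")
    for name, n in s["names"].most_common():
        print(f"  {n:3d}  {name}")
    print("burst at 5 clients / 100 q/s:", looks_like_burst(s, 5, 100))
    print("0.0.0.0 blackhole-like:", is_blackhole_like("0.0.0.0"))
```

On a real capture, feed the output of `tcpdump -nn -l udp dst port 53` to `summarize_zone` in fixed time slices rather than over the whole file, so the q/s figure is comparable to the per-resolver rates quoted in the post; the ten-record sample here only spans a few tens of milliseconds, so its q/s is not meaningful as an absolute number.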