[nsp-sec] zapto.org high dns query rate possible attack and 0/0 ??
Stephen Gill
gillsr at cymru.com
Tue Aug 2 15:09:14 EDT 2011
It's a dynamic DNS provider and they don't believe they are getting DoSed
today, but on other days... It has been known to happen :).
They had a small blip in Chicago ~2 hrs ago but it was brief.
-- steve
On 8/2/11 12:03 PM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> ----------- nsp-security Confidential --------
>
> Has anyone heard anything about a DoS involving "zapto.org"? We are seeing a
> lot of off-network queries coming in for a bunch of zapto.org names.
>
> In just a couple of minutes on one of our resolvers we saw queries from 1000
> unique IP addresses.
>
> 18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)
> 18:12:51.504075 IP 205.214.215.60.9967 > 205.171.2.65.53: 40551+ A? write3.zapto.org. (34)
> 18:12:51.504829 IP 174.112.1.9.15850 > 205.171.2.65.53: 12389+ A? write3.zapto.org. (34)
> 18:12:51.505087 IP 70.53.145.54.7648 > 205.171.2.65.53: 22680+ A? hole2.zapto.org. (33)
> 18:12:51.505703 IP 76.248.150.226.6740 > 205.171.2.65.53: 63147+ A? hole3.zapto.org. (33)
> 18:12:51.507077 IP 99.226.56.24.61476 > 205.171.2.65.53: 9109+ A? hole3.zapto.org. (33)
> 18:12:51.508198 IP 174.112.44.128.6174 > 205.171.2.65.53: 61058+ A? hole3.zapto.org. (33)
> 18:12:51.512223 IP 204.237.81.149.11782 > 205.171.2.65.53: 20949+ A? hole3.zapto.org. (33)
> 18:12:51.512697 IP 76.68.138.89.22286 > 205.171.2.65.53: 20563+ A? write2.zapto.org. (34)
> 18:12:51.513320 IP 184.145.199.51.10661 > 205.171.2.65.53: 31248+ A? hole2.zapto.org. (33)
> 18:12:51.513459 IP 216.26.211.178.13533 > 205.171.2.65.53: 28029+ A? write3.zapto.org. (34)
> 18:12:51.514949 IP 99.237.69.177.12681 > 205.171.2.65.53: 40762+ A? write2.zapto.org. (34)
> 18:12:51.516824 IP 204.188.164.197.7844 > 205.171.2.65.53: 28305+ A? hole3.zapto.org. (33)
> 18:12:51.524190 IP 209.59.101.161.60328 > 205.171.2.65.53: 15258+ A? hole3.zapto.org. (33)
> 18:12:51.524940 IP 99.236.46.100.45503 > 205.171.2.65.53: 45171+ A? hole2.zapto.org. (33)
> 18:12:51.527565 IP 66.186.88.237.5340 > 205.171.2.65.53: 17460+ A? hole3.zapto.org. (33)
> 18:12:51.527817 IP 24.150.142.218.5531 > 205.171.2.65.53: 16127+ A? hole3.zapto.org. (33)
> 18:12:51.528351 IP 207.210.61.179.62030 > 205.171.2.65.53: 5477+ A? write3.zapto.org. (34)
> 18:12:51.529940 IP 74.72.167.170.8806 > 205.171.2.65.53: 51636+ A? 116151.zapto.org. (34)
>
> They're destined for 205.171.2.65, in Cermak we're getting about 1100/sec, JFK
> is getting 700/sec.
>
> When I checked those names I got back 0.0.0.0 as the IP address, which isn't a
> classic blackhole address but would work as a blackhole address, I think.
> That also USED to be a broadcast IP in early BSD days, as I recall.
>
>
>
> Ignorance is Bliss. "Bliss (Basic Language for Implementation of System
> Software) was a systems programming language originally for the PDP-10 and
> DECsystem-20 written at CMU." Kevin Oberman RTD Donald.Smith at qwest.com
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.team-cymru.org | +1 630 230 5423 | gillsr at cymru.com
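A way to put numbers on a capture like the one Donald posted, added here as an example and not code from either poster or from Team Cymru: the script parses `tcpdump -n` DNS query lines in the format shown above, collapses each name to its zone (hole2.zapto.org -> zapto.org) and reports, per zone, total queries, unique source IPs, distinct names and the peak number of queries seen in any one second, then flags zones that exceed both a unique-source and a peak-rate threshold (the thresholds are my own assumptions). The six zapto.org lines in SAMPLE_LINES are copied from the post; the two example.com lines and synthetic_flood() are constructed so the flag fires offline. looks_sinkholed() is a heuristic for the 0.0.0.0 answer Donald mentions, not a statement of what the provider actually does.

```python
"""Added example: score a tcpdump DNS capture for a distributed query flood.

Parses `tcpdump -n` query lines in the format shown in the post, groups them
by zone and flags zones with many unique sources and a high peak rate.
Thresholds, the example.com lines and synthetic_flood() are constructed for
this example; looks_sinkholed() is a heuristic, not the provider's policy.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Shape of one query line (responses have "1/0/0 A ..." instead of "A?" and do not match):
# 18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)[+%$]* (?P<qtype>[A-Z]+)\? "
    r"(?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Six lines copied from the post, plus two constructed baseline queries (192.0.2.0/24, example.com).
SAMPLE_LINES = [
    "18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)",
    "18:12:51.504075 IP 205.214.215.60.9967 > 205.171.2.65.53: 40551+ A? write3.zapto.org. (34)",
    "18:12:51.504829 IP 174.112.1.9.15850 > 205.171.2.65.53: 12389+ A? write3.zapto.org. (34)",
    "18:12:51.505087 IP 70.53.145.54.7648 > 205.171.2.65.53: 22680+ A? hole2.zapto.org. (33)",
    "18:12:51.505703 IP 76.248.150.226.6740 > 205.171.2.65.53: 63147+ A? hole3.zapto.org. (33)",
    "18:12:51.529940 IP 74.72.167.170.8806 > 205.171.2.65.53: 51636+ A? 116151.zapto.org. (34)",
    "18:12:51.600000 IP 192.0.2.10.40000 > 205.171.2.65.53: 1001+ A? www.example.com. (33)",  # constructed
    "18:12:51.600500 IP 192.0.2.11.40001 > 205.171.2.65.53: 1002+ AAAA? www.example.com. (33)",  # constructed
]


def parse_query(line):
    """Return the fields of one tcpdump DNS query line, or None for anything else (e.g. a response)."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": m["src"],
        "qtype": m["qtype"],
        "qname": m["qname"].rstrip(".").lower(),  # drop the trailing root dot
    }


def zone_of(qname, labels=2):
    """Collapse a name to its last `labels` labels: hole2.zapto.org -> zapto.org."""
    return ".".join(qname.split(".")[-labels:])


def summarize(lines):
    """Per zone: total queries, unique source IPs, distinct names, peak queries in any one second."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    names = defaultdict(set)
    per_second = defaultdict(lambda: defaultdict(int))  # zone -> whole second -> count
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        zone = zone_of(q["qname"])
        totals[zone] += 1
        sources[zone].add(q["src"])
        names[zone].add(q["qname"])
        per_second[zone][q["ts"].replace(microsecond=0)] += 1
    return {
        zone: {
            "queries": totals[zone],
            "unique_sources": len(sources[zone]),
            "distinct_names": len(names[zone]),
            "peak_qps": max(per_second[zone].values()),
        }
        for zone in totals
    }


def flag_zones(summary, min_sources=100, min_peak_qps=200):
    """Zones that look like a distributed flood: many sources AND a high rate (thresholds are assumed)."""
    return sorted(
        zone for zone, s in summary.items()
        if s["unique_sources"] >= min_sources and s["peak_qps"] >= min_peak_qps
    )


def looks_sinkholed(answer_ip):
    """Heuristic: an A answer of 0.0.0.0 (as in the post), loopback or reserved space is effectively a blackhole."""
    a = ipaddress.ip_address(answer_ip)
    return a.is_unspecified or a.is_loopback or a.is_reserved


def synthetic_flood(n, zone="zapto.org"):
    """Constructed flood: n queries from n distinct 10.0.0.0/8 sources, all inside one second."""
    hosts = ["hole1", "hole2", "hole3", "write1", "write2", "write3"]
    return [
        "18:12:52.%06d IP 10.%d.%d.%d.%d > 205.171.2.65.53: %d+ A? %s.%s. (33)"
        % (i * 100, i // 65536, (i // 256) % 256, i % 256, 1024 + i, i, hosts[i % len(hosts)], zone)
        for i in range(n)
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES + synthetic_flood(300))
    for zone, st in sorted(s.items()):
        print(zone, st)
    print("flagged:", flag_zones(s), "| 0.0.0.0 sinkholed?", looks_sinkholed("0.0.0.0"))
```

On a real resolver you would feed it `tcpdump -n -l udp dst port 53` and widen the per-second bucket to whatever your alerting tolerates; the unique-source count is what separates a distributed flood from one noisy client, and on its own a high per-zone rate for a dynamic DNS provider is not evidence of an attack, which is the point Steve makes above.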