[nsp-sec] zapto.org high dns query rate possible attack and 0/0 ??
Smith, Donald
Donald.Smith at qwest.com
Wed Aug 3 11:48:57 EDT 2011
I ran a netflow report using the src ips of these queries and see ~10% of the traffic from them is icmp unreachables (host and port mixed) so this is almost certainly spoofed traffic.
Ignorance is Bliss. "Bliss (Basic Language for Implementation of System Software) was a
systems programming language originally for the PDP-10 and DECsystem-20 written at CMU." Kevin Oberman RTD
Donald.Smith at qwest.com
> -----Original Message-----
> From: Smith, Donald
> Sent: Tuesday, August 02, 2011 1:39 PM
> To: 'Stephen Gill'; 'nsp-security at puck.nether.net'
> Subject: RE: [nsp-sec] zapto.org high dns query rate possible attack
> and 0/0 ??
>
> I knew they were a dyn-dns provider. Why would they be returning
> 0.0.0.0 as the ip for a fqdn?
> It causes traffic towards that FQDN to be blackholed.
>
> > -----Original Message-----
> > From: Stephen Gill [mailto:gillsr at cymru.com]
> > Sent: Tuesday, August 02, 2011 1:09 PM
> > To: Smith, Donald; 'nsp-security at puck.nether.net'
> > Subject: Re: [nsp-sec] zapto.org high dns query rate possible attack
> > and 0/0 ??
> >
> > It's a dynamic dns provider and they don't believe they are getting
> > dosed
> > today, but on other days... It has been known to happen :).
> >
> > They had a small blip in Chicago ~2 hrs ago but it was brief.
> >
> > -- steve
> >
> >
> > On 8/2/11 12:03 PM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> >
> > > ----------- nsp-security Confidential --------
> > >
> > > Has anyone heard anything about a DOS involving "zapto.org". We are seeing a
> > > lot of off-network queries coming in for a bunch of zapto.org names.
> > >
> > > In just a couple of minutes on one of our resolvers we saw queries from 1000
> > > unique IP addresses.
> > >
> > > 18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)
> > > 18:12:51.504075 IP 205.214.215.60.9967 > 205.171.2.65.53: 40551+ A? write3.zapto.org. (34)
> > > 18:12:51.504829 IP 174.112.1.9.15850 > 205.171.2.65.53: 12389+ A? write3.zapto.org. (34)
> > > 18:12:51.505087 IP 70.53.145.54.7648 > 205.171.2.65.53: 22680+ A? hole2.zapto.org. (33)
> > > 18:12:51.505703 IP 76.248.150.226.6740 > 205.171.2.65.53: 63147+ A? hole3.zapto.org. (33)
> > > 18:12:51.507077 IP 99.226.56.24.61476 > 205.171.2.65.53: 9109+ A? hole3.zapto.org. (33)
> > > 18:12:51.508198 IP 174.112.44.128.6174 > 205.171.2.65.53: 61058+ A? hole3.zapto.org. (33)
> > > 18:12:51.512223 IP 204.237.81.149.11782 > 205.171.2.65.53: 20949+ A? hole3.zapto.org. (33)
> > > 18:12:51.512697 IP 76.68.138.89.22286 > 205.171.2.65.53: 20563+ A? write2.zapto.org. (34)
> > > 18:12:51.513320 IP 184.145.199.51.10661 > 205.171.2.65.53: 31248+ A? hole2.zapto.org. (33)
> > > 18:12:51.513459 IP 216.26.211.178.13533 > 205.171.2.65.53: 28029+ A? write3.zapto.org. (34)
> > > 18:12:51.514949 IP 99.237.69.177.12681 > 205.171.2.65.53: 40762+ A? write2.zapto.org. (34)
> > > 18:12:51.516824 IP 204.188.164.197.7844 > 205.171.2.65.53: 28305+ A? hole3.zapto.org. (33)
> > > 18:12:51.524190 IP 209.59.101.161.60328 > 205.171.2.65.53: 15258+ A? hole3.zapto.org. (33)
> > > 18:12:51.524940 IP 99.236.46.100.45503 > 205.171.2.65.53: 45171+ A? hole2.zapto.org. (33)
> > > 18:12:51.527565 IP 66.186.88.237.5340 > 205.171.2.65.53: 17460+ A? hole3.zapto.org. (33)
> > > 18:12:51.527817 IP 24.150.142.218.5531 > 205.171.2.65.53: 16127+ A? hole3.zapto.org. (33)
> > > 18:12:51.528351 IP 207.210.61.179.62030 > 205.171.2.65.53: 5477+ A? write3.zapto.org. (34)
> > > 18:12:51.529940 IP 74.72.167.170.8806 > 205.171.2.65.53: 51636+ A? 116151.zapto.org. (34)
> > >
> > > They're destined for 205.171.2.65, in Cermak we're getting about 1100/sec, JFK
> > > is getting 700/sec.
> > >
> > > When I checked those names I got back 0.0.0.0 as the ip address which isn't a
> > > classic blackhole address but would work as a blackhole address I think.
> > > That also USED to be a broadcast ip in early bsd days as I recall.
> > >
> > > This communication is the property of Qwest and may contain confidential or
> > > privileged information. Unauthorized use of this communication is strictly
> > > prohibited and may be unlawful. If you have received this communication
> > > in error, please immediately notify the sender by reply e-mail and destroy
> > > all copies of the communication and any attachments.
> > >
> > >
> > >
> > > _______________________________________________
> > > nsp-security mailing list
> > > nsp-security at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/nsp-security
> > >
> > > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > > community. Confidentiality is essential for effective Internet security
> > > counter-measures.
> > > _______________________________________________
> >
> > --
> > Stephen Gill, Chief Scientist, Team Cymru
> > http://www.team-cymru.org | +1 630 230 5423 | gillsr at cymru.com
> >
> > We just launched our new Training Practice, see
> > http://www.team-cymru.com/Services/Training/
> >
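Added example, not code from the thread or from either poster: a small Python checker for the pattern discussed above. It parses tcpdump query lines in the format quoted in the thread, counts unique sources and per-name volume, treats an A record of 0.0.0.0 as a blackhole answer, and computes the share of ICMP unreachables among flows from the query sources, which is the spoofing indicator the reply relies on. The regex and the (src, proto, icmp_type) flow tuples are simplifications assumed by this example; the sample lines are constructed (copied from the quoted capture).

```python
import re
from collections import Counter

# Format of the tcpdump lines quoted in the thread; the regex is this example's assumption.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<qid>\d+)\+ (?P<qtype>\w+)\? "
    r"(?P<qname>\S+)\. \((?P<len>\d+)\)$"
)

def parse_query(line):
    """Fields of one tcpdump DNS query line, or None if the line does not match."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize(lines):
    """Unique sources, per-name counts and queries/sec over the captured interval."""
    qs = [q for q in map(parse_query, lines) if q]
    if not qs:
        return {"unique_sources": 0, "qps": 0.0, "names": {}}
    span = max(_secs(q["ts"]) for q in qs) - min(_secs(q["ts"]) for q in qs)
    return {
        "unique_sources": len({q["src"] for q in qs}),
        "qps": len(qs) / span if span > 0 else float(len(qs)),
        "names": dict(Counter(q["qname"] for q in qs)),
    }

def is_blackhole_answer(ip):
    """An A record of 0.0.0.0 blackholes traffic to the name, as the thread notes."""
    return ip == "0.0.0.0"

def unreachable_ratio(flows, sources):
    """Share of flows from `sources` that are ICMP unreachables (type 3).
    A large share means replies are hitting hosts that never sent the queries,
    i.e. the source addresses are spoofed. flows: (src, proto, icmp_type) tuples."""
    ours = [f for f in flows if f[0] in sources]
    hits = [f for f in ours if f[1] == "icmp" and f[2] == 3]
    return len(hits) / len(ours) if ours else 0.0

# Constructed sample: three lines copied from the capture quoted in the thread.
SAMPLE = [
    "18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)",
    "18:12:51.504075 IP 205.214.215.60.9967 > 205.171.2.65.53: 40551+ A? write3.zapto.org. (34)",
    "18:12:51.505087 IP 70.53.145.54.7648 > 205.171.2.65.53: 22680+ A? hole2.zapto.org. (33)",
]
```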