[nsp-sec] zapto.org high dns query rate possible attack and 0/0 ??

Stephen Gill gillsr at cymru.com
Wed Aug 3 11:58:17 EDT 2011


Nice spot!

-- steve

On 8/3/11 8:48 AM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:

> I ran a netflow report using the src ips of these queries and see ~10% of the
> traffic from them is icmp unreachables (host and port mixed) so this is almost
> certainly spoofed traffic.
> 
> 
> 
> Ignorance is Bliss. "Bliss (Basic Language for Implementation of System
> Software) was a
> systems programming language originally for the PDP-10 and DECsystem-20
> written at CMU." Kevin Oberman RTD
> Donald.Smith at qwest.com
> 
> 
>> -----Original Message-----
>> From: Smith, Donald
>> Sent: Tuesday, August 02, 2011 1:39 PM
>> To: 'Stephen Gill'; 'nsp-security at puck.nether.net'
>> Subject: RE: [nsp-sec] zapto.org high dns query rate possible attack
>> and 0/0 ??
>> 
>> I knew they were a dyn-dns provider. Why would they be returning
>> 0.0.0.0 as the ip for a fqdn?
>> It causes traffic towards that FQDN to be blackholed.
>> 
>> 
>> 
>> 
>> 
>>> -----Original Message-----
>>> From: Stephen Gill [mailto:gillsr at cymru.com]
>>> Sent: Tuesday, August 02, 2011 1:09 PM
>>> To: Smith, Donald; 'nsp-security at puck.nether.net'
>>> Subject: Re: [nsp-sec] zapto.org high dns query rate possible attack
>>> and 0/0 ??
>>> 
>>> It's a dynamic dns provider and they don't believe they are getting
>>> dosed today, but on other days...  It has been known to happen :).
>>> 
>>> They had a small blip in Chicago ~2 hrs ago but it was brief.
>>> 
>>> -- steve
>>> 
>>> 
>>> On 8/2/11 12:03 PM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:
>>> 
>>>> ----------- nsp-security Confidential --------
>>>> 
>>>> Has anyone heard anything about a DOS involving "zapto.org".  We are
>>>> seeing a lot of off-network queries coming in for a bunch of zapto.org
>>>> names.
>>>> 
>>>> In just a couple of minutes on one of our resolvers we saw queries
>>>> from 1000 unique IP addresses.
>>>> 
>>>> 18:12:51.503824 IP 174.91.200.74.61777 > 205.171.2.65.53: 36430+ A? hole2.zapto.org. (33)
>>>> 18:12:51.504075 IP 205.214.215.60.9967 > 205.171.2.65.53: 40551+ A? write3.zapto.org. (34)
>>>> 18:12:51.504829 IP 174.112.1.9.15850 > 205.171.2.65.53: 12389+ A? write3.zapto.org. (34)
>>>> 18:12:51.505087 IP 70.53.145.54.7648 > 205.171.2.65.53: 22680+ A? hole2.zapto.org. (33)
>>>> 18:12:51.505703 IP 76.248.150.226.6740 > 205.171.2.65.53: 63147+ A? hole3.zapto.org. (33)
>>>> 18:12:51.507077 IP 99.226.56.24.61476 > 205.171.2.65.53: 9109+ A? hole3.zapto.org. (33)
>>>> 18:12:51.508198 IP 174.112.44.128.6174 > 205.171.2.65.53: 61058+ A? hole3.zapto.org. (33)
>>>> 18:12:51.512223 IP 204.237.81.149.11782 > 205.171.2.65.53: 20949+ A? hole3.zapto.org. (33)
>>>> 18:12:51.512697 IP 76.68.138.89.22286 > 205.171.2.65.53: 20563+ A? write2.zapto.org. (34)
>>>> 18:12:51.513320 IP 184.145.199.51.10661 > 205.171.2.65.53: 31248+ A? hole2.zapto.org. (33)
>>>> 18:12:51.513459 IP 216.26.211.178.13533 > 205.171.2.65.53: 28029+ A? write3.zapto.org. (34)
>>>> 18:12:51.514949 IP 99.237.69.177.12681 > 205.171.2.65.53: 40762+ A? write2.zapto.org. (34)
>>>> 18:12:51.516824 IP 204.188.164.197.7844 > 205.171.2.65.53: 28305+ A? hole3.zapto.org. (33)
>>>> 18:12:51.524190 IP 209.59.101.161.60328 > 205.171.2.65.53: 15258+ A? hole3.zapto.org. (33)
>>>> 18:12:51.524940 IP 99.236.46.100.45503 > 205.171.2.65.53: 45171+ A? hole2.zapto.org. (33)
>>>> 18:12:51.527565 IP 66.186.88.237.5340 > 205.171.2.65.53: 17460+ A? hole3.zapto.org. (33)
>>>> 18:12:51.527817 IP 24.150.142.218.5531 > 205.171.2.65.53: 16127+ A? hole3.zapto.org. (33)
>>>> 18:12:51.528351 IP 207.210.61.179.62030 > 205.171.2.65.53: 5477+ A? write3.zapto.org. (34)
>>>> 18:12:51.529940 IP 74.72.167.170.8806 > 205.171.2.65.53: 51636+ A? 116151.zapto.org. (34)
>>>> 
>>>> They're destined for 205.171.2.65, in Cermak we're getting about
>>>> 1100/sec, JFK is getting 700/sec.
>>>> 
>>>> When I checked those names I got back 0.0.0.0 as the ip address which
>>>> isn't a classic blackhole address but would work as a blackhole address
>>>> I think.
>>>> That also USED to be a broadcast ip in early bsd days as I recall.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> This communication is the property of Qwest and may contain
>>>> confidential or privileged information. Unauthorized use of this
>>>> communication is strictly prohibited and may be unlawful.  If you have
>>>> received this communication in error, please immediately notify the
>>>> sender by reply e-mail and destroy all copies of the communication and
>>>> any attachments.
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>> 
>>>> Please do not Forward, CC, or BCC this E-mail outside of the
>>>> nsp-security community. Confidentiality is essential for effective
>>>> Internet security counter-measures.
>>>> _______________________________________________
>>> 
> 
> 

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.team-cymru.org | +1 630 230 5423 | gillsr at cymru.com

We just launched our new Training Practice, see
http://www.team-cymru.com/Services/Training/
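Added example, not from the thread or from either poster: a small triage script over tcpdump DNS query lines in the format quoted above. It aggregates queries per zone, counts distinct source addresses and the peak per-second rate, and flags zones that show the "many sources, high rate" pattern Donald described. The sample lines (RFC 5737 addresses, a placeholder zone) and the thresholds are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the tcpdump format quoted in the thread
# (RFC 5737 addresses and a placeholder zone; not from the real capture).
SAMPLE = """\
18:12:51.503824 IP 192.0.2.10.61777 > 203.0.113.5.53: 36430+ A? hole2.example-dyn.org. (33)
18:12:51.504075 IP 192.0.2.11.9967 > 203.0.113.5.53: 40551+ A? write3.example-dyn.org. (34)
18:12:51.504829 IP 192.0.2.12.15850 > 203.0.113.5.53: 12389+ A? write3.example-dyn.org. (34)
18:12:51.505087 IP 192.0.2.13.7648 > 203.0.113.5.53: 22680+ A? hole2.example-dyn.org. (33)
18:12:52.105703 IP 192.0.2.14.6740 > 203.0.113.5.53: 63147+ A? hole2.example-dyn.org. (33)
18:12:52.205703 IP 192.0.2.10.6741 > 203.0.113.5.53: 63148+ A? www.example.net. (31)
"""

# One tcpdump DNS query line: "<ts> IP <src>.<sport> > <dst>.<dport>: <id>+ <type>? <name>. (<len>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)

def parse_queries(text):
    """Parse tcpdump DNS query lines; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def zone_of(qname, labels=2):
    """Reduce hole2.example.org to example.org so per-host names aggregate."""
    return ".".join(qname.lower().split(".")[-labels:])

def summarize(records):
    """Per zone: total queries, distinct source IPs, and peak queries in one second."""
    per_sec = defaultdict(Counter)
    totals, sources = Counter(), defaultdict(set)
    for r in records:
        z = zone_of(r["qname"])
        totals[z] += 1
        sources[z].add(r["src"])
        per_sec[z][r["ts"]] += 1       # second-granularity timestamp bucket
    return {z: {"queries": totals[z], "unique_src": len(sources[z]),
                "peak_qps": max(per_sec[z].values())} for z in totals}

def flag_zones(summary, min_src=3, min_qps=3):
    """Zones queried by many distinct sources at a high per-second rate."""
    return sorted(z for z, s in summary.items()
                  if s["unique_src"] >= min_src and s["peak_qps"] >= min_qps)
```

Source diversity alone does not prove spoofing; the ICMP-unreachable ratio from netflow, as Donald did, is the corroborating check.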