
SANS ISC: Report of spike in DNS Queries gd21.net - Internet Security | DShield SANS ISC InfoSec Forums


Report of spike in DNS Queries gd21.net

A reader (thanks, @Scott) reported that he is observing a sudden jump in DNS traffic, with every query asking for the same thing.

Here is a snippet from his logs, slightly edited.

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: gd21.net IN TXT +E

** used with permission **

gd21.net seems to link to a Korean shopping site of some kind. As always, use caution when following links.


Is anyone else seeing this? If so could you report it?


Richard Porter

--- ISC Handler on Duty
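The log excerpt above has the shape that is worth alerting on: the same question (gd21.net IN TXT, recursion desired, EDNS present) arriving several times per second, with only the source port changing. The following is an added example, not code from the diary or from SANS ISC, that parses query-log lines in the exact format shown above and counts them two ways: identical questions per client (the single-address pattern in the excerpt) and distinct clients per question (which is what later distinguishes a flood from one host from the many-address flood the reporter describes further down). The sample log lines are constructed with documentation-range addresses; the function and variable names are my own.

```python
import re
from collections import Counter, defaultdict

# Pattern for the BIND 9 query-log layout shown in the diary:
#   Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E
# Newer BIND releases append further fields after the flags; this example assumes
# exactly the layout above.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): query: (?P<qname>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S*)$"
)

# Constructed sample log (documentation-range addresses, not the reporter's data).
SAMPLE_LOG = """\
Jul 24 13:28:56 ns1 named[3240]: client 203.0.113.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 203.0.113.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 203.0.113.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 203.0.113.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.7#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.7#6076: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client 192.0.2.10#27221: query: www.example.com IN A -E
Jul 24 13:28:58 ns1 named[3240]: client 192.0.2.11#34485: query: mail.example.com IN MX -E
"""


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # BIND's flag field: a leading "+" means the RD (recursion desired) bit was set,
    # "-" means it was not; an "E" means the query carried an EDNS0 OPT record.
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["edns"] = "E" in rec["flags"]
    return rec


def detect_bursts(lines, per_client_threshold=3, per_second_threshold=3):
    """Return clients repeating one question and questions that are hot in one second.

    noisy_clients: (client, qname, qtype, count) for clients that asked the same
                   question at least per_client_threshold times in the input.
    hot_questions: (timestamp, qname, qtype, count) for questions asked at least
                   per_second_threshold times within one logged second, from any clients.
    """
    per_client = Counter()
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["qname"].lower(), rec["qtype"].upper())
        per_client[(rec["client"], key)] += 1
        per_second[(rec["ts"], key)] += 1
    noisy_clients = sorted(
        (client, qname, qtype, n)
        for (client, (qname, qtype)), n in per_client.items()
        if n >= per_client_threshold
    )
    hot_questions = sorted(
        (ts, qname, qtype, n)
        for (ts, (qname, qtype)), n in per_second.items()
        if n >= per_second_threshold
    )
    return {"noisy_clients": noisy_clients, "hot_questions": hot_questions}


def distinct_clients_per_question(lines):
    """Map (qname, qtype) -> number of distinct client addresses asking it.

    One address repeating a question and hundreds of addresses each repeating it
    look the same line by line; this count is what separates the two cases.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        seen[(rec["qname"].lower(), rec["qtype"].upper())].add(rec["client"])
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    result = detect_bursts(lines)
    for client, qname, qtype, n in result["noisy_clients"]:
        print("client %s repeated %s %s %d times" % (client, qname, qtype, n))
    for ts, qname, qtype, n in result["hot_questions"]:
        print("%s: %s %s asked %d times" % (ts, qname, qtype, n))
    for (qname, qtype), n in distinct_clients_per_question(lines).items():
        print("%s %s seen from %d distinct clients" % (qname, qtype, n))
```

Run it against a real query log by feeding the file's lines to detect_bursts and distinct_clients_per_question; the thresholds are deliberately low for the eight sample lines and should be raised for production volumes. Note that the per-client count only tells you which address the packets carry, not whether that address really sent them; the thread below turns on exactly that distinction.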

Richard

161 Posts
ISC Handler
We've seen this sort of thing in the past, but it was a Spoofed UDP packet doing an ANY request for ripe.net on an open resolver.

Of course the spoofed source was the IP being attacked.
Yinette

12 Posts
As the original reporter, I can say the source is not spoofed. I have OSSEC adding "shuns" to our ASA based on source and that immediately stops that particular request, showing the requesting address is not spoofed.
Yinette
7 Posts
Jul 24 2012 20:16:47: %ASA-4-401004: Shunned packet: XXX.XXX.218.92 ==> XXX.XXX.18.114 on interface outside

sh shun stat | include XXX.XXX.218.92
Shun XXX.XXX.218.92 cnt=23577, time=(8:04:13)
Yinette
7 Posts
It seems like most of the packets being sent over and over are coming from the same IP address, which would indicate a DoS attack.
Yinette
3 Posts
nope. When it started I had around 40 shuns/IPs, once we reconfigured OSSEC to automatically block the queries new IPs cropped up within a few seconds (30-60 sec). I am up to 500+ shuns now. Now, new attacks show up every 3-4 minutes.
Yinette
7 Posts
@Eric - I should qualify my last statement: my log portion above was just one IP from many. There seems to be no common thread as to where the IPs are coming from.
Yinette
7 Posts
That's interesting that you can't identify where the IPs are coming from. How long has this attack been going on for?

I see that from the above logs posted that it was happening this afternoon at 12:31PM.
Yinette
3 Posts
> That's interesting that you can't identify where the IPs are coming from.

Not interesting at all -- the only TCP packets that are being received contain _only_ the "spoofed" IP-address, not the IP-address of the sender.

One needs to have access-rights to all the routers between the "target" and the actual "source", in order to find the packets that are going through the router to the target.

Some router is not doing "egress-filtering" -- i.e., not blocking packets that contain "source" information that is not "inside" the network from where the packets are originating.

Such "spoofing" is common on the Internet -- how many E-mail messages have I received that claim to be from 'info@fbi.gov' or from 'helpdesk' at my ISP?
Anonymous
@ Scott. Is it just IN TXT records being queried? Could the source addresses be DNS or SMTP servers? Could this be side effect of a big Spam run using the gd21.net domain in the From: field?
Anonymous
When I said "I can't identify where they are coming from" I meant there is no one geographic location. They are coming from Brazil, the US, etc...

@George - Yes, the query is looking for gd21.net IN TXT +E. Interesting thought, I'll check a few and see what ports may be open. The few I looked at yesterday seemed to be DSL customers, so I suspect it's a botnet of some type.

Also, I don't seem to be making myself clear. The IPs do NOT appear to be spoofed. This is from the ASA's log this morning:

Jul 25 2012 10:03:28: %ASA-4-401004: Shunned packet: XXX.232.121.191 ==> XXX.215.18.114 on interface outside

and from the config:

shun (outside) XXX.232.121.191 0.0.0.0 0 0 0

That indicates that the shun is in fact preventing an INBOUND connection from that IP to our servers, so the IP is not spoofed. Also, if it was spoofed the shuns would not be useful in reducing the crushing traffic. They are working quite well, and traffic is down to normal levels. I am starting to think this may just be a DDoS against our DNS since any given IP is sending several queries a second and there are many hundreds of IPs querying us.
Anonymous
@Scott I was thinking it might be a bot. Well that's good that the traffic is down to normal levels.

Yeah the open ports could be also a clue.
Anonymous
Ok after some (very) patient discussion with me, the SANS guys allowed me to see the forest for the trees. The source IPs are likely spoofed, and while my shuns blocked the spoofed IP, the attacker would just move to the next spoofed target. The simple solution was to disable recursion for all but what IPs we need. (That creates a few issues, but nothing we can't work through)

Again, thanks guys for helping pound this through my thick skull.

S.
Anonymous
This looks to me like traffic from a DNS Reflection DDoS attack. The TXT records are larger in size than the original DNS query, therefore there is traffic amplification, often of the order of 60:1.
Anonymous
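The amplification figure in the comment above comes straight from DNS wire format, and it is useful for a resolver operator to be able to compute it for their own zones rather than take a ratio on trust. The block below is an added example, not code from any poster or from SANS ISC: it builds a recursive TXT query for gd21.net carrying an EDNS0 OPT record (what BIND logs as "+E"), builds the response a server would return for a constructed 1500-byte TXT record, and compares the two sizes with a small A answer for contrast. Nothing is sent on the network; the packets exist only as byte strings. The TXT content, the address in the A record and all function names are my own; the real gd21.net record's contents are not on the page.

```python
import struct

QTYPE_A, QTYPE_TXT, TYPE_OPT = 1, 16, 41


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_rr(udp_payload_size=4096):
    """EDNS0 OPT pseudo-RR: empty name, TYPE 41, CLASS field carries the advertised
    UDP buffer size, TTL field carries extended RCODE/flags, no RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_query(qname, qtype, edns_udp_size=4096):
    """Minimal query with RD set, one question and an OPT record, i.e. the kind of
    query that shows up in a BIND query log with the "+E" flags."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # id, flags, qd, an, ns, ar
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    return header + question + opt_rr(edns_udp_size)


def question_len(msg, offset=12):
    """Length of the question section at offset: the name plus QTYPE and QCLASS."""
    i = offset
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4 - offset


def split_txt(payload, chunk=255):
    """TXT RDATA is a sequence of <len><bytes> strings of at most 255 bytes each."""
    return [payload[i:i + chunk] for i in range(0, len(payload), chunk)]


def txt_rdata(text):
    return b"".join(bytes([len(s)]) + s for s in split_txt(text))


def build_response(query, rdata_type, rdata, ttl=300):
    """Authoritative answer to `query` with one RR; the answer name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    qid = query[:2]
    header = qid + struct.pack("!HHHHH", 0x8580, 1, 1, 0, 1)  # QR|AA|RD|RA, 1 answer, 1 additional
    question = query[12:12 + question_len(query)]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rdata_type, 1, ttl, len(rdata)) + rdata
    return header + question + answer + opt_rr()


def amplification(query, response):
    """Bytes the server emits per byte the (possibly spoofed) client sent."""
    return len(response) / len(query)


# Constructed comparison: a 4-byte A answer versus a 1500-byte TXT record for the
# same name. The TXT content is made up for the example.
QUERY_A = build_query("gd21.net", QTYPE_A)
QUERY_TXT = build_query("gd21.net", QTYPE_TXT)
RESPONSE_A = build_response(QUERY_A, QTYPE_A, bytes([192, 0, 2, 1]))
RESPONSE_TXT = build_response(QUERY_TXT, QTYPE_TXT, txt_rdata(b"x" * 1500))

if __name__ == "__main__":
    print("A   query %d bytes -> response %d bytes, factor %.1f"
          % (len(QUERY_A), len(RESPONSE_A), amplification(QUERY_A, RESPONSE_A)))
    print("TXT query %d bytes -> response %d bytes, factor %.1f"
          % (len(QUERY_TXT), len(RESPONSE_TXT), amplification(QUERY_TXT, RESPONSE_TXT)))
```

Two points the numbers make: the query is 37 bytes whichever type is asked for, so the ratio is set entirely by the answer size, and a response over 512 bytes can only leave the server over UDP because the query advertised a 4096-byte EDNS buffer (without EDNS the server would truncate and the client would have to retry over TCP, where a spoofed source gets no further than the handshake). That is why the fix the reporter settled on, answering recursive queries only for the addresses that need them, removes the resolver from the equation regardless of how large any third party's TXT record is.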
DNS Reflection Attack How To:
1) Register a domain and host it
2) Add a TXT record
3) Find some name servers that allow recursion and prime them for the attack by querying your DOMAIN TXT record.
4) Find an internet connection without egress filtering
5) Spoof DNS requests at your primed name server which will flood the target network with traffic with an amplification of roughly 60:1 depending on what you set your TXT record to be. A 5GB per second attack can be achieved this way with around 200 bots.

DDJ
Anonymous
Looks like you are helping take http://cybercrone.kr/ down

DDJ
Anonymous
.cyberone.kr. rather :)
Anonymous
