[dnsdist] dns-spider

David opendak at shaw.ca
Wed Jul 13 14:31:54 UTC 2016


On 2016-07-11 2:09 AM, Aleš Rygl wrote:
>
>
> Hi dnsdist users.
>
> I would like to share a little finding with
> you. We have been suffering from pseudorandom subdomain attacks for more
> than two years, mainly because of open resolvers in crappy CPEs of our
> customers. While analyzing the DNS traffic using topResponses in dnsdist
> (thanks!) I have noticed that there is a non-negligible amount of
> queries like this:
>
> 89.24.226.150 -> 93.153.117.1 DNS 131 Standard query 0x45f8 A 13070798-0-2081296634-622260844.ns.124-14-16-250-ns.dns-spider.myxns.cn
>
> 89.24.226.150 -> 93.153.117.1 DNS 130 Standard query 0x57f7 A 7231664-0-1896986649-671701647.ns.113-17-184-25-ns.dns-spider.myxns.cn
>
> 89.24.226.150 -> 93.153.117.1 DNS 130 Standard query 0x9c0c A 7231664-0-1896986649-671701647.ns.113-17-184-25-ns.dns-spider.myxns.cn
>
> 46.13.117.67 -> 93.153.117.1 DNS 130 Standard query 0x08fd A 2434136-0-3661366674-4096880849.ns.218-60-5-146-ns.dns-spider.myxns.cn
>
> 46.13.117.67 -> 93.153.117.1 DNS 130 Standard query 0xf473 A 2434136-0-3661366674-4096880849.ns.218-60-5-146-ns.dns-spider.myxns.cn
>
>
> They are coming from clients with open resolvers. I supposed that this
> traffic is malicious and nothing that a real user would create by
> browsing web pages, etc. I have created rules dropping such traffic:
>
>
> addAction(RegexRule("dns-spider.*\\.cn$"), DropAction())
> addAction(RegexRule("dns-spider.*\\.net$"), DropAction())
> addAction(RegexRule("dns-spider.*\\.org$"), DropAction())
> addAction(RegexRule("dns-spider.*\\.com$"), DropAction())
>
>
> I have more than 100k hits per day for the first rule and thousands
> for the second one. To my surprise, the pseudorandom subdomain attack
> has stopped since the rules were installed! And it has lasted more than two months.
> My idea is that some bad guys are using the specially crafted queries above
> to detect open resolvers and exploit them later on, as the query reaches
> the authoritative NS where it can be matched with the IP of the initial
> target.
>

Which domains were you seeing for these? myxns.cn and ffdns.net are the
ones we see lots of traffic for. They normally seem to end up pretty
deep in delegations where none of the servers will actually respond with
an answer, so they eventually time out (causing the recursor much work
in the process). Occasionally they do resolve the entry to a 10.x address.

Oddly enough, ffdns.net does seem to host some "legit" domains, so it
seems odd that they would apply this on top of their name servers.

> And maybe one more interesting thing. Some CPEs have something
> like a "hidden open resolver". They will not answer you if you query them
> on the WAN; nevertheless they send the query to the upstream resolver, which
> allows them to be exploited as well.
>
> With regards
>
> Ales
>
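
Beyond dropping the queries, an operator also wants to know which customer CPEs are relaying them. The following is an added example, not code from this thread or from dnsdist: it parses query lines in the tshark-style format quoted above, applies the same match the dnsdist RegexRules express (collapsed into one pattern), and counts probe queries per source address. It assumes, which the thread does not state, that the dashed quad before "-ns" encodes an IPv4 address; the sample lines are constructed from the ones quoted plus two benign queries.

```python
import re
from collections import Counter

# Constructed sample in the tshark-style format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
89.24.226.150 -> 93.153.117.1 DNS 131 Standard query 0x45f8 A 13070798-0-2081296634-622260844.ns.124-14-16-250-ns.dns-spider.myxns.cn
89.24.226.150 -> 93.153.117.1 DNS 130 Standard query 0x57f7 A 7231664-0-1896986649-671701647.ns.113-17-184-25-ns.dns-spider.myxns.cn
46.13.117.67 -> 93.153.117.1 DNS 130 Standard query 0x08fd A 2434136-0-3661366674-4096880849.ns.218-60-5-146-ns.dns-spider.myxns.cn
46.13.117.67 -> 93.153.117.1 DNS 72 Standard query 0x1a2b A www.example.com
10.0.0.5 -> 93.153.117.1 DNS 90 Standard query 0x3c4d AAAA mail.example.org
"""

# One tshark-style query line: src -> dst, length, transaction id, qtype, qname.
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+) DNS \d+ Standard query 0x[0-9a-f]{4} "
    r"(?P<qtype>[A-Z]+) (?P<qname>\S+)$"
)

# The four dnsdist RegexRules from the thread, collapsed into a single pattern.
PROBE_RE = re.compile(r"dns-spider.*\.(cn|net|org|com)$", re.IGNORECASE)

# Assumption (not stated in the thread): the dashed quad before "-ns" is an IPv4 address.
EMBEDDED_IP_RE = re.compile(
    r"\.ns\.(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})-ns\.dns-spider\.", re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one query line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_probe(qname):
    """True if the query name would be dropped by the quoted dnsdist rules."""
    return PROBE_RE.search(qname) is not None


def embedded_ip(qname):
    """Decode the dashed quad in a probe name to dotted form, or None if absent."""
    m = EMBEDDED_IP_RE.search(qname)
    return ".".join(m.groups()) if m else None


def probes_per_client(log_text):
    """Count probe queries per source address and collect the addresses embedded in them."""
    counts, embedded = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["qname"]):
            counts[rec["src"]] += 1
            embedded.setdefault(rec["src"], set()).add(embedded_ip(rec["qname"]))
    return counts, embedded
```

A source address with a high count is a client whose CPE is relaying the probes, which is the list to use when notifying customers about open resolvers.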
>
>
>
>
