Report of spike in DNS Queries gd21.net
A reader reported (thanks @Scott) that he is observing a sudden jump in DNS traffic, with every query asking for the same thing.
Here is a snippet from the logs, slightly edited:
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: gd21.net IN TXT +E
** used with permission **
gd21.net seems to link to a Korean shopping site of some kind. As always, use caution when following links.
Is anyone else seeing this? If so, could you report it?
UPDATE:
This is starting to look like a reflective, amplified DoS: the TXT answer for gd21.net is large (see the dig output below). If you are seeing this, let us know.
leslie-2:~ packetalien$ dig gd21.net txt
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.7.3-P3 <<>> gd21.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18617
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;gd21.net. IN TXT
;; ANSWER SECTION:
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.119 ip4:211.236.180.120 ip4:211.236.180.121 ip4:211.236.180.122 ip4:211.236.180.123 ip4:211.236.180.124 ip4:211.236.180.125 ip4:211.236.180.126 ip4:211.236.180.127 ip4:211.236.180.128 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.118 ip4:211.236.180.40 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.9 ip4:211.236.180.10 ip4:211.236.180.11 ip4:211.236.180.12 ip4:211.236.180.13 ip4:211.236.180.14 ip4:211.236.180.15 ip4:211.236.180.16 ip4:211.236.180.17 ip4:211.236.180.18 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.19 ip4:211.236.180.20 ip4:211.236.180.21 ip4:211.236.180.22 ip4:211.236.180.23 ip4:211.236.180.24 ip4:211.236.180.25 ip4:211.236.180.26 ip4:211.236.180.27 ip4:211.236.180.28 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.29 ip4:211.236.180.30 ip4:211.236.180.31 ip4:211.236.180.32 ip4:211.236.180.33 ip4:211.236.180.34 ip4:211.236.180.35 ip4:211.236.180.36 ip4:211.236.180.37 ip4:211.236.180.38 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.39 ip4:211.236.180.40 ip4:211.236.180.41 ip4:211.236.180.42 ip4:211.236.180.43 ip4:211.236.180.44 ip4:211.236.180.45 ip4:211.236.180.46 ip4:211.236.180.47 ip4:211.236.180.48 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.49 ip4:211.236.180.50 ip4:211.236.180.51 ip4:211.236.180.52 ip4:211.236.180.53 ip4:211.236.180.54 ip4:211.236.180.55 ip4:211.236.180.56 ip4:211.236.180.57 ip4:211.236.180.58 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.59 ip4:211.236.180.60 ip4:211.236.180.61 ip4:211.236.180.62 ip4:211.236.180.63 ip4:211.236.180.64 ip4:211.236.180.65 ip4:211.236.180.66 ip4:211.236.180.67 ip4:211.236.180.68 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.69 ip4:211.236.180.70 ip4:211.236.180.71 ip4:211.236.180.72 ip4:211.236.180.73 ip4:211.236.180.74 ip4:211.236.180.75 ip4:211.236.180.76 ip4:211.236.180.77 ip4:211.236.180.78 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.79 ip4:211.236.180.80 ip4:211.236.180.81 ip4:211.236.180.82 ip4:211.236.180.83 ip4:211.236.180.84 ip4:211.236.180.85 ip4:211.236.180.86 ip4:211.236.180.87 ip4:211.236.180.88 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.89 ip4:211.236.180.90 ip4:211.236.180.91 ip4:211.236.180.92 ip4:211.236.180.93 ip4:211.236.180.94 ip4:211.236.180.95 ip4:211.236.180.96 ip4:211.236.180.97 ip4:211.236.180.98 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.99 ip4:211.236.180.100 ip4:211.236.180.101 ip4:211.236.180.102 ip4:211.236.180.103 ip4:211.236.180.104 ip4:211.236.180.105 ip4:211.236.180.106 ip4:211.236.180.107 ip4:211.236.180.108 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.109 ip4:211.236.180.110 ip4:211.236.180.111 ip4:211.236.180.112 ip4:211.236.180.113 ip4:211.236.180.114 ip4:211.236.180.115 ip4:211.236.180.116 ip4:211.236.180.117 ip4:211.236.180.118 ~all"
;; AUTHORITY SECTION:
gd21.net. 236 IN NS ns2.goldennet.co.kr.
gd21.net. 236 IN NS ns.goldennet.co.kr.
;; Query time: 83 msec
;; SERVER: 68.105.29.16#53(68.105.29.16)
;; WHEN: Tue Jul 24 12:31:55 2012
;; MSG SIZE rcvd: 2735
leslie-2:~ packetalien$ dig gd21.net txt | wc
35 283 3349
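As an added example (not the diary's or any commenter's code), the following Python parses BIND query-log lines in the format shown above, flags sources whose per-second query rate for one name and type crosses a threshold, and estimates the bandwidth amplification of the gd21.net TXT answer from its 2735-byte size. The sample log lines, the documentation-range source IPs and the 3 q/s threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# BIND 9 query-log line as shown in the diary; the trailing flag field
# carries "E" when the query had an EDNS0 OPT record (so a large UDP answer fits).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) "
    r"IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample in the diary's log format (documentation-range source IPs).
SAMPLE_LOG = """\
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.7#6076: query: www.example.com IN A +E
"""

def parse_lines(text):
    """Yield one dict per line that matches the query-log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def flag_sources(text, qps_threshold=3):
    """Peak queries-per-second per (src, qname, qtype); keep those at/above threshold."""
    per_sec = defaultdict(Counter)
    for q in parse_lines(text):
        per_sec[(q["src"], q["qname"], q["qtype"])][q["ts"]] += 1
    return {k: max(c.values()) for k, c in per_sec.items()
            if max(c.values()) >= qps_threshold}

def dns_query_size(qname, edns=True):
    """DNS payload bytes: 12-byte header + wire-format name + QTYPE/QCLASS (+ 11-byte OPT RR)."""
    name = sum(1 + len(label) for label in qname.rstrip(".").split(".")) + 1
    return 12 + name + 4 + (11 if edns else 0)

def amplification_factor(query_bytes, response_bytes):
    """Bandwidth amplification factor: bytes reflected per byte sent."""
    return response_bytes / query_bytes

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
    print(f"{amplification_factor(dns_query_size('gd21.net'), 2735):.1f}x amplification")
```

The size estimate covers the DNS payload only; adding the 28 bytes of IP/UDP headers to both sides lowers the ratio somewhat but leaves the TXT answer a strong amplifier.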
Richard Porter
--- ISC Handler on Duty
Comments
Of course the spoofed source was the IP being attacked.
Yin
Jul 24th 2012
Scott
Jul 25th 2012
sh shun stat | include XXX.XXX.218.92
Shun XXX.XXX.218.92 cnt=23577, time=(8:04:13)
scott
Jul 25th 2012
Eric
Jul 25th 2012
scott
Jul 25th 2012
scott
Jul 25th 2012
I see from the logs posted above that it was happening this afternoon at 12:31PM.
Eric
Jul 25th 2012
Not interesting at all -- the only TCP packets that are being received contain _only_ the "spoofed" IP-address, not the IP-address of the sender.
One needs to have access-rights to all the routers between the "target" and the actual "source", in order to find the packets that are going through the router to the target.
Some router is not doing "egress-filtering" -- i.e., not blocking packets that contain "source" information that is not "inside" the network from where the packets are originating.
Such "spoofing" is common on the Internet -- how many E-mail messages have I received that claim to be from 'info@fbi.gov' or from 'helpdesk' at my ISP?
DNS-user
Jul 25th 2012
George
Jul 25th 2012
@George - Yes, the query is looking for gd21.net IN TXT +E. Interesting thought, I'll check a few and see what ports may be open. The few I looked at yesterday seemed to be DSL customers, so I suspect it's a botnet of some type.
Also, I don't seem to be making myself clear. The IPs do NOT appear to be spoofed. This is from the ASA's log this morning:
Jul 25 2012 10:03:28: %ASA-4-401004: Shunned packet: XXX.232.121.191 ==> XXX.215.18.114 on interface outside
and from the config:
shun (outside) XXX.232.121.191 0.0.0.0 0 0 0
That indicates that the shun is in fact preventing an INBOUND connection from that IP to our servers, so the IP is not spoofed. Also, if it was spoofed the shuns would not be useful in reducing the crushing traffic. They are working quite well, and traffic is down to normal levels. I am starting to think this may just be a DDoS against our DNS, since any given IP is sending several queries a second and there are many hundreds of IPs querying us.
scott
Jul 25th 2012