DNS Amplification Attacks Observer: May 2013

Thursday, May 23, 2013

Big attack Costa Rica: 190.93.249.10 / 190.93.248.10

Last week I've been working on a dashboard to display attacks rather than using Twitter / Blogger as the amount of observed attacks has skyrocketed.

Last two days I've observed an attack targetting two IPs in Costa Rica. Here are some details (Last 24 hours):

Count	IP	Country	Domains
200458	190.93.249.10	Costa Rica	ripe.net (151163x), www.58wgw.com (49295x)
176447	190.93.248.10	Costa Rica	ripe.net (136108x), www.58wgw.com (40339x)

Strange about this is the fact that the domain 'www.58wgw.com' a domain I have not seen before in attacks is actually pointing to these two IPs.

It seems like a misfire as a domain with 2 A records is not exactly an exciting DNS amplification and a bit weird if it is the domain being targetted in the first place.

Attacks over the different days:

400622x 23-May-2013
139301x 22-May-2013
   12617x 21-May-2013
       878x 17-May-2013

Domains used:

430109x   ripe.net
122431x   www.58wgw.com
      878x   isc.org

I do not have my other statistics ready that I usually display in my blog. When I will I might update the post and will make my dashboard publicly available.

Info about the domain:

Website on it is written in Chineese and is about some game.. *confused*

Creation Date:   2011-11-04 08:10:44
Registered using a qq.com email.

dig any 58wgw.com @8.8.8.8 +short
seth.ns.cloudflare.com.
pam.ns.cloudflare.com.
190.93.249.10
190.93.248.10

Saturday, May 18, 2013

[FR] 88.191.237.70 - AS12322

General Information:

Attacked IP: 88.191.237.70
Country: France

Start: 2013-05-18 00:46:00
End: 2013-05-18 17:41:57
Duration: 16:55:00
Average query rate: 32 per minute

Requested DNS record: isc.org
Query count: 32930

IPrange: 88.160.0.0/11
AS Number: Paris, France
ISP: AS12322

IP has a reverse DNS value of: 88-191-237-70.rev.dedibox.fr

This IP has been seen on the following days:

17-May-2013 8896x
18-May-2013 36325x

Observed 5 attacks:

Attack 1 from 0:00 till 2:00
Attack 2 from 6:00 till 8:00
Attack 3 from 10:00 till 11:00
Attack 4 from 12:00 till 14:00
Attack 5 from 17:00 till 18:00

Details of the 5 DNS Amplification attacks:

Details of attack: 1

Requested DNS record: isc.org
Query count: 5586

Start: 2013-05-18 00:46:00
End: 2013-05-18 01:16:35
Duration: 30 minute(s)
Average query rate: 186 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 612 bytes

Amplification: 684%

Total query size: 435708 bytes / 425 kilobytes
Response size: 3418632 bytes / 3338 kilobytes
TotalBandwidth: 3854340 bytes / 3764 kilobytes

The following 2 TTL values were observed:

116 3232x
106 2354x

The following 2 query UDP source port values were observed:

27789 2354x
49940 3232x

Details of attack: 2

Requested DNS record: isc.org
Query count: 7850

Start: 2013-05-18 06:40:00
End: 2013-05-18 07:08:33
Duration: 28 minute(s)
Average query rate: 280 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 612300 bytes / 597 kilobytes
Response size: 2551250 bytes / 2491 kilobytes
TotalBandwidth: 3163550 bytes / 3089 kilobytes

The following 2 TTL values were observed:

116 5120x
106 2730x

The following 2 query UDP source port values were observed:

34250 2730x
49940 5120x

Details of attack: 3

Requested DNS record: isc.org
Query count: 2981

Start: 2013-05-18 10:17:07
End: 2013-05-18 10:21:40
Duration: 4 minute(s)
Average query rate: 745 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 232518 bytes / 227 kilobytes
Response size: 968825 bytes / 946 kilobytes
TotalBandwidth: 1201343 bytes / 1173 kilobytes

All observed queries were made with a TTL of: 116

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940Details of attack: 4

Requested DNS record: isc.org
Query count: 10572

Start: 2013-05-18 12:21:47
End: 2013-05-18 13:56:35
Duration: 1:34:00
Average query rate: 112 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 824616 bytes / 805 kilobytes
Response size: 3435900 bytes / 3355 kilobytes
TotalBandwidth: 4260516 bytes / 4160 kilobytes

All observed queries were made with a TTL of: 116

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940Details of attack: 5

Requested DNS record: isc.org
Query count: 5941

Start: 2013-05-18 17:15:52
End: 2013-05-18 17:41:57
Duration: 26 minute(s)
Average query rate: 228 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 463398 bytes / 452 kilobytes
Response size: 1930825 bytes / 1885 kilobytes
TotalBandwidth: 2394223 bytes / 2338 kilobytes

All observed queries were made with a TTL of: 116

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940

>>Read Before Rage<<<

[FR] 62.147.132.163 - AS12322

General Information:

Attacked IP: 62.147.132.163
Country: France

Start: 2013-05-18 00:53:27
End: 2013-05-18 00:56:35
Duration: 3 minute(s)
Average query rate: 170 per minute

Requested DNS record: isc.org
Query count: 510

IPrange: 62.147.0.0/16
AS Number: Paris, France
ISP: AS12322

IP has a reverse DNS value of: lns-bzn-47f-62-147-132-163.adsl.proxad.net

This IP was only seen today

Observed 1 attack:

Attack 1 from 0:00 till 1:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 510

Start: 2013-05-18 00:53:27
End: 2013-05-18 00:56:35
Duration: 3 minute(s)
Average query rate: 170 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 612 bytes

Amplification: 684%

Total query size: 39780 bytes / 38 kilobytes
Response size: 312120 bytes / 304 kilobytes
TotalBandwidth: 351900 bytes / 343 kilobytes

All observed queries were made with a TTL of: 106

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940

>>Read Before Rage<<<

[US] 24.10.124.228 - AS33651

General Information:

Attacked IP: 24.10.124.228
Country: United States

Start: 2013-05-18 08:52:08
End: 2013-05-18 08:54:21
Duration: 2 minute(s)
Average query rate: 229 per minute

Requested DNS record: isc.org
Query count: 458

IPrange: 24.10.0.0/17
AS Number: Comcast Cable Communications, Inc.
ISP: AS33651

IP has a reverse DNS value of: c-24-10-124-228.hsd1.ca.comcast.net

This IP was only seen today

Observed 1 attack:

Attack 1 from 8:00 till 9:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 458

Start: 2013-05-18 08:52:08
End: 2013-05-18 08:54:21
Duration: 2 minute(s)
Average query rate: 229 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 35724 bytes / 34 kilobytes
Response size: 148850 bytes / 145 kilobytes
TotalBandwidth: 184574 bytes / 180 kilobytes

All observed queries were made with a TTL of: 116

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940

>>Read Before Rage<<<

Friday, May 17, 2013

[DE] 87.164.31.21 - AS3320

General Information:

Attacked IP: 87.164.31.21
Country: Germany

Start: 2013-05-17 16:15:47
End: 2013-05-17 16:36:35
Duration: 20 minute(s)
Average query rate: 211 per minute

Requested DNS record: isc.org
Query count: 4223

IPrange: 87.128.0.0/10
AS Number: Deutsche Telekom AG, Internet service provider
ISP: AS3320

IP has a reverse DNS value of: p57A41F15.dip0.t-ipconnect.de

This IP was only seen today

Observed 1 attack:

Attack 1 from 16:00 till 17:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 4223

Start: 2013-05-17 16:15:47
End: 2013-05-17 16:36:35
Duration: 20 minute(s)
Average query rate: 211 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 329394 bytes / 321 kilobytes
Response size: 1372475 bytes / 1340 kilobytes
TotalBandwidth: 1701869 bytes / 1661 kilobytes

All observed queries were made with a TTL of: 106

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

The following 2 query UDP source port values were observed:

55436 3497x
49940 726x

>>Read Before Rage<<<

[GB] 86.12.60.254 - AS5089

General Information:

Attacked IP: 86.12.60.254
Country: United Kingdom

Start: 2013-05-17 16:58:25
End: 2013-05-17 17:02:42
Duration: 4 minute(s)
Average query rate: 469 per minute

Requested DNS record: isc.org
Query count: 1876

IPrange: 86.0.0.0/11
AS Number: VIRGIN-MEDIA-UK-IP-BLOCK
ISP: AS5089

IP has a reverse DNS value of: cpc22-gate10-2-0-cust253.16-2.cable.virginmedia.com

This IP was only seen today

Observed 1 attack:

Attack 1 from 16:00 till 18:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 1876

Start: 2013-05-17 16:58:25
End: 2013-05-17 17:02:42
Duration: 4 minute(s)
Average query rate: 469 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 146328 bytes / 142 kilobytes
Response size: 609700 bytes / 595 kilobytes
TotalBandwidth: 756028 bytes / 738 kilobytes

All observed queries were made with a TTL of: 106

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940

>>Read Before Rage<<<

[FR] 213.44.37.253 - AS5410

General Information:

Attacked IP: 213.44.37.253
Country: France

Start: 2013-05-17 20:54:53
End: 2013-05-17 20:56:35
Duration: 1 minute(s)
Average query rate: 268 per minute

Requested DNS record: isc.org
Query count: 268

IPrange: 213.44.0.0/16
AS Number: Bouygues Telecom ISP
ISP: AS5410

IP has a reverse DNS value of: i07v-213-44-37-253.d4.club-internet.fr

This IP was only seen today

Observed 1 attack:

Attack 1 from 20:00 till 21:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 268

Start: 2013-05-17 20:54:53
End: 2013-05-17 20:56:35
Duration: 1 minute(s)
Average query rate: 268 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 612 bytes

Amplification: 684%

Total query size: 20904 bytes / 20 kilobytes
Response size: 164016 bytes / 160 kilobytes
TotalBandwidth: 184920 bytes / 180 kilobytes

All observed queries were made with a TTL of: 116

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940

>>Read Before Rage<<<

[US] 178.18.19.140 - AS36167

General Information:

Attacked IP: 178.18.19.140
Country: United States

Start: 2013-05-17 02:20:05
End: 2013-05-17 21:26:23
Duration: 19:6:00
Average query rate: 0.0357766143106

Requested DNS record: directedat.asia
Query count: 41

IPrange: 178.18.16.0/22
AS Number: US
ISP: AS36167

This IP has been seen on the following days:

15-May-2013 4x
16-May-2013 6x
17-May-2013 41x

Observed 1 attack:

Attack 1 from 2:00 till 22:00

Details of the DNS Amplification attack:

Requested DNS record: directedat.asia
Query count: 41

Start: 2013-05-17 02:20:05
End: 2013-05-17 21:26:23
Duration: 19:6:00
Average query rate: 0.0357766143106

Following DNS query ID's observed:

0x20c5 4x
0x81bf 28x
0x9e7d 2x
0x267d 7x

Average query size: 86 bytes
Average response size: 203 bytes

Amplification: 136%

Total query size: 3526 bytes / 3 kilobytes
Response size: 8326 bytes / 8 kilobytes
TotalBandwidth: 11852 bytes / 11 kilobytes

All observed queries were made with a TTL of: 243

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

Unique query UDP source ports observed: 41

>>Read Before Rage<<<

[US] 168.61.144.13 - AS8075

General Information:

Attacked IP: 168.61.144.13
Country: United States

Start: 2013-05-17 19:43:27
End: 2013-05-17 20:52:19
Duration: 1:8:00
Average query rate: 94 per minute

Requested DNS record: isc.org
Query count: 6440

IPrange: 168.61.0.0/16
AS Number: Exchange Point Networks
ISP: AS8075

This IP was only seen today

Observed 1 attack:

Attack 1 from 19:00 till 21:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 6440

Start: 2013-05-17 19:43:27
End: 2013-05-17 20:52:19
Duration: 1:8:00
Average query rate: 94 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 612 bytes

Amplification: 684%

Total query size: 502320 bytes / 490 kilobytes
Response size: 3941280 bytes / 3848 kilobytes
TotalBandwidth: 4443600 bytes / 4339 kilobytes

All observed queries were made with a TTL of: 106

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

The following 2 query UDP source port values were observed:

35941 4129x
49992 2311x

>>Read Before Rage<<<

[US] 70.127.17.254 - AS13343

General Information:

Attacked IP: 70.127.17.254
Country: United States

Start: 2013-05-17 17:14:15
End: 2013-05-17 17:15:49
Duration: 1 minute(s)
Average query rate: 503 per minute

Requested DNS record: isc.org
Query count: 503

IPrange: 70.126.0.0/15
AS Number: RR-Route
ISP: AS13343

IP has a reverse DNS value of: 70-127-17-254.res.bhn.net

This IP was only seen today

Observed 1 attack:

Attack 1 from 17:00 till 18:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 503

Start: 2013-05-17 17:14:15
End: 2013-05-17 17:15:49
Duration: 1 minute(s)
Average query rate: 503 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 165%

Total query size: 39234 bytes / 38 kilobytes
Response size: 104287 bytes / 101 kilobytes
TotalBandwidth: 143521 bytes / 140 kilobytes

All observed queries were made with a TTL of: 106

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940

>>Read Before Rage<<<

[US] 178.18.19.140 - AS36167

General Information:

Attacked IP: 178.18.19.140
Country: United States

Start: 2013-05-17 02:20:05
End: 2013-05-17 19:23:18
Duration: 17:3:00
Average query rate: 0.030303030303

Requested DNS record: directedat.asia
Query count: 31

IPrange: 178.18.16.0/22
AS Number: US
ISP: AS36167

This IP has been seen on the following days:

15-May-2013 4x
16-May-2013 6x
17-May-2013 32x

Observed 1 attack:

Attack 1 from 2:00 till 20:00

Details of the DNS Amplification attack:

Requested DNS record: directedat.asia
Query count: 31

Start: 2013-05-17 02:20:05
End: 2013-05-17 19:23:18
Duration: 17:3:00
Average query rate: 0.030303030303

Following DNS query ID's observed:

0x20c5 3x
0x81bf 28x

Average query size: 86 bytes
Average response size: 202 bytes

Amplification: 135%

Total query size: 2666 bytes / 2 kilobytes
Response size: 6266 bytes / 6 kilobytes
TotalBandwidth: 8932 bytes / 8 kilobytes

All observed queries were made with a TTL of: 243

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

Unique query UDP source ports observed: 31

>>Read Before Rage<<<

[FR] 83.205.219.233 - AS3215

General Information:

Attacked IP: 83.205.219.233
Country: France

Start: 2013-05-17 13:35:31
End: 2013-05-17 13:36:35
Duration: 1 minute(s)
Average query rate: 705 per minute

Requested DNS record: isc.org
Query count: 705

IPrange: 83.205.0.0/16
AS Number: Dummy description for 83.205.0.0/16AS3215
ISP: AS3215

IP has a reverse DNS value of: ABayonne-651-1-379-233.w83-205.abo.wanadoo.fr

This IP was only seen today

Observed 1 attack:

Attack 1 from 13:00 till 14:00

Details of the DNS Amplification attack:

Requested DNS record: isc.org
Query count: 705

Start: 2013-05-17 13:35:31
End: 2013-05-17 13:36:35
Duration: 1 minute(s)
Average query rate: 705 per minute

All request were made with the DNS id: 0x1d42 / 7490

Average query size: 78 bytes
Average response size: 325 bytes

Amplification: 316%

Total query size: 54990 bytes / 53 kilobytes
Response size: 229125 bytes / 223 kilobytes
TotalBandwidth: 284115 bytes / 277 kilobytes

All observed queries were made with a TTL of: 106

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

All request were made with a UDP source port of: 49940

>>Read Before Rage<<<

Tuesday, May 14, 2013

Domain: Directedat.asia

Lately I've been seeing some traffic for this directedat.asia domain. Normally it is not reported as an attack as it tends to stay under my 'attack' threshold, which is a x amount of request per y minutes.

What is in a domain name? directed at asia -funny.
The IPs observed requesting / being attacked by this domain are mainly located in the Netherlands and a few have unconfigured web servers running.

Domain info:

Domain ID:D2608645-ASIA
Domain Name:DIRECTEDAT.ASIA
Domain Create Date:12-Apr-2013 03:21:04 UTC
Domain Expiration Date:12-Apr-2014 03:21:04 UTC
Domain Last Updated Date:03-May-2013 12:13:57 UTC
Last Transferred Date:
Created by:Internet.bs Corp. R176-ASIA (814)
Last Updated by Registrar:Internet.bs Corp. R176-ASIA (814)
Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)

The times that I did observe this domain and blogged about it was most likely manually. What I noticed to be odd was the low amplification my scripts calculate and I wonder why..

When looking at recent activity (http://dnsamplificationattacks.blogspot.nl/2013/05/nl-19216213762-as16265.html):

---------------------------------------------------------------------
Requested DNS record: directedat.asia
Query count: 9

Start: 2013-05-08 20:11:16
End: 2013-05-08 20:59:23
Duration: 48 minute(s)
Average query rate: 0.19 per minute

Detected a query rate below 1 per minute. Either a low query attack or there was a long break between bursts See chart for more details.

All request were made with the DNS id: 0xca0c

Average query size: 86 bytes
Average response size: 86 bytes

Amplification: 0%

--------------------------------------------------------------------------------

You can see a amplification of 0%. Not really effective now is it? So what does this domain name return when requested? Well as it runs out. A lot more than a 0% amplification. Check this dig query output on Pastebin: http://pastebin.com/2vdmzTGM

Wow that response contains about 260 values! Then why does my script only calculates a 0% amplification?

My server does not support TCP this port is not permitted and it is required as you can see:

dig any directedat.asia +edns=0
;; Truncated, retrying in TCP mode.

That is perhaps why my server teruns "Server failure" all the time. But in the pcaps I do see it receives 'some' values.

What I see:

--------------------------------------------------------------------------------

1) I receive a spoofed DNS query for any directedat.asia from 192.162.137.62. (attacked ip)
src dst proto len desciption
192.162.137.62 192.168.10.37 DNS 86 Standard query ANY directedat.asia

2) I perform a DNS query to g.root-servers.net. for directedat.asia.
192.168.10.37 192.112.36.4 DNS 70 Standard query NS <Root>

3) Receive a response from the root server giving me the name servers for .asia:
192.112.36.4 192.168.10.37 DNS 753 Standard query response
Response records:
a0.asia.afilias-nst.info: type A, class IN, addr 199.19.55.1
a2.asia.afilias-nst.info: type A, class IN, addr 199.249.114.1
b0.asia.afilias-nst.asia: type A, class IN, addr 199.254.28.1
b2.asia.afilias-nst.org: type A, class IN, addr 199.249.122.1
c0.asia.afilias-nst.info: type A, class IN, addr 199.254.29.1
d0.asia.afilias-nst.asia: type A, class IN, addr 199.254.30.1
a0.asia.afilias-nst.info: type AAAA, class IN, addr 2001:500:d::1
a2.asia.afilias-nst.info: type AAAA, class IN, addr 2001:500:42::1
b0.asia.afilias-nst.asia: type AAAA, class IN, addr 2001:500:16::1
b2.asia.afilias-nst.org: type AAAA, class IN, addr 2001:500:4a::1
c0.asia.afilias-nst.info: type AAAA, class IN, addr 2001:500:17::1
d0.asia.afilias-nst.asia: type AAAA, class IN, addr 2001:500:18::1

4) I query d0.asia.afilias-nst.asia for any directedat.asia
192.168.10.37 199.254.30.1 DNS 86 Standard query ANY directedat.asia

5) Responds with authoritive name servers
199.254.30.1 192.168.10.37 DNS 624 Standard query response 9
Response Records:
directedat.asia: type NS, class IN, ns ns1.nitroushost.com
directedat.asia: type NS, class IN, ns ns2.nitroushost.com

6) I query f.root-servers.net for A/AAA ns2.nitroushost.com
192.168.10.37 192.5.5.241 DNS 90 Standard query A ns2.nitroushost.com
192.168.10.37 192.5.5.241 DNS 90 Standard query AAAA ns2.nitroushost.com
192.168.10.37 192.5.5.241 DNS 90 Standard query A ns1.nitroushost.com
192.168.10.37 192.5.5.241 DNS 90 Standard query AAAA ns1.nitroushost.com

7) Received response:
4 times the same.
192.5.5.241 192.168.10.37 DNS 785 Standard query response
a.gtld-servers.net: type A, class IN, addr 192.5.6.30
b.gtld-servers.net: type A, class IN, addr 192.33.14.30
c.gtld-servers.net: type A, class IN, addr 192.26.92.30
d.gtld-servers.net: type A, class IN, addr 192.31.80.30
e.gtld-servers.net: type A, class IN, addr 192.12.94.30
f.gtld-servers.net: type A, class IN, addr 192.35.51.30
g.gtld-servers.net: type A, class IN, addr 192.42.93.30
h.gtld-servers.net: type A, class IN, addr 192.54.112.30
i.gtld-servers.net: type A, class IN, addr 192.43.172.30
j.gtld-servers.net: type A, class IN, addr 192.48.79.30
k.gtld-servers.net: type A, class IN, addr 192.52.178.30
l.gtld-servers.net: type A, class IN, addr 192.41.162.30
m.gtld-servers.net: type A, class IN, addr 192.55.83.30
a.gtld-servers.net: type AAAA, class IN, addr 2001:503:a83e::2:30
b.gtld-servers.net: type AAAA, class IN, addr 2001:503:231d::2:30

8) I query h.gtld-servers.net for ns2 and ns1 .nitroushost.com in A/AAAA:
192.168.10.37 192.54.112.30 DNS 90 Standard query A ns2.nitroushost.com
192.168.10.37 192.54.112.30 DNS 90 Standard query AAAA ns1.nitroushost.com
192.168.10.37 192.54.112.30 DNS 90 Standard query AAAA ns2.nitroushost.com
192.168.10.37 192.54.112.30 DNS 90 Standard query A ns1.nitroushost.com

9) Receive response from h.gtld-servers.net:
192.54.112.30 192.168.10.37 DNS 713 Standard query response
Received Records:
eva.ns.cloudflare.com: type A, class IN, addr 173.245.58.114
eva.ns.cloudflare.com: type AAAA, class IN, addr 2400:cb00:2049:1::adf5:3a72
tim.ns.cloudflare.com: type A, class IN, addr 173.245.59.145
tim.ns.cloudflare.com: type AAAA, class IN, addr 2400:cb00:2049:1::adf5:3b91

10) I query tim.ns.cloudflare.com for ns1 ns2 .nitroushost.com in A / AAAA
192.168.10.37 173.245.59.145 DNS 90 Standard query A ns2.nitroushost.com
192.168.10.37 173.245.59.145 DNS 90 Standard query AAAA ns1.nitroushost.com
192.168.10.37 173.245.59.145 DNS 90 Standard query AAAA ns2.nitroushost.com
192.168.10.37 173.245.59.145 DNS 90 Standard query A ns1.nitroushost.com

11) Responses (combined):
173.245.59.145 192.168.10.37 DNS 95 Standard query response A 192.95.50.70
173.245.59.145 192.168.10.37 DNS 95 Standard query response A 192.95.50.69

12) query ns2.nitroushost.com for directedat.asia in any:
192.168.10.37 192.95.50.70 DNS 86 Standard query ANY directedat.asia

--- No response ---

13) query ns1.nitroushost.com for directed.asia in any:
192.168.10.37 192.95.50.69 DNS 86 Standard query ANY directedat.asia

--- No response ---

- A few more attempts at both name servers but no luck.
My server responds with:

14 ) Server failure sent to spoofed IP:
src dst proto len desciption
192.168.10.37 192.162.137.62 DNS 86 Standard query response, Server failure

-------------------------------------------------------------------

This was an interesting example of DNS recursion.

After a few requests from the spoofed IP I observe a response from the name server:

Request and response ns1.nitroushost.com:
192.168.10.37 192.95.50.69 DNS 75 Standard query ANY directedat.asia
192.95.50.69 192.168.10.37 DNS 554 Standard query response SOA ns1.nitroushost.com NS ns1.nitroushost.com NS ns2.nitroushost.com A 204.11.52.232 A 204.11.52.233 A 204.11.52.234 A 204.11.52.235 A 204.11.52.236 A 204.11.52.237 A 204.11.52.238 A 204.11.52.239 A 204.11.52.240 A 204.11.52.241 A 204.11.52.242 A 204.11.52.243 A 204.11.52.244 A 204.11.52.245 A 204.11.52.246 A 204.11.52.247 A 204.11.52.248 A 204.11.52.249 A 204.11.52.250 A 204.11.52.251 A 204.11.52.252 A 204.11.52.253 A 204.11.52.254 A 204.11.52.255

The response is too big for one packet and my servers attempts but fails to fall over to TCP.

This results my server to respond for this domain with 'server failure'.
I think TCP 53 is blocked for all incoming packets including '--related'.

I will look in to this to see if I can participate in these attacks to see its amplification. Especially if the spoofed client IP will participate in a TCP handshake or not.

UPDATE:

Today I saw another 'attack' with this see HERE and noticed an amplification of 133%. Interesting.

----------------------------------

Requested DNS record: directedat.asia
Query count: 19

Start: 2013-05-14 09:46:41
End: 2013-05-14 19:36:31
Duration: 9:49:00
Average query rate: 0.0322580645161

All request were made with the DNS id: 0x8f1c / 36636

Average query size: 86 bytes
Average response size: 200 bytes

Amplification: 133%

----------------------------------

Looking at one of the query's in my pcaps, I see that my server retuns only the SOA and NS records for the domain, the old name server records for that matter.

New name server details:

#dig any directedat.asia @8.8.8.8

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> any directedat.asia @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44011
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;directedat.asia. IN ANY

;; ANSWER SECTION:
directedat.asia. 4510 IN SOA ns1.voidhost.net. support.voidhost.net. 2013051406 86400 7200 3600000 86400
directedat.asia. 4510 IN NS ns1.voidhost.net.
directedat.asia. 4510 IN NS ns2.voidhost.net.

;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 14 21:00:45 2013
;; MSG SIZE rcvd: 125

No more 200+ response?

End of update

-------------------------------------------------------------------
Attacks and its origin
-------------------------------------------------------------------

It seems it is the same host that is performing these 'attacks'.. I concluded this by looking at the TTL values of all the IPs that requested directedat.asia.

----------------------------------------------------------------------

01-May-2013_134.19.181.30
79x 247
01-May-2013_50.7.190.60
28x 247
04-May-2013_134.19.181.30
3x 245
179 247
1x 55
1x 57
05-May-2013_134.19.181.30
8x 245
81x 247
08-May-2013_192.162.137.62
10x 245
09-May-2013_178.18.17.16
2x 245
09-May-2013_192.162.137.62
4x 245
10-May-2013_178.18.17.16
5x 245
11-May-2013_188.95.48.25
4x 245
25-Apr-2013_134.19.181.30
4x 247
1x 55
1x 57
25-Apr-2013_89.248.160.192
15x 247
1x 56
26-Apr-2013_134.19.181.28
2x 245
27x 247
27-Apr-2013_134.19.181.28
1x 247

----------------------------------------------------------------------

I normally use the TTL value to determine if it is one host performing this attack. As a single stable TTL cannot realistically be spoofed.

The TTL of 247 seems the most common and is probably the main source of the attacks. What the other hosts are.. perhaps a bot or two? Who knows!

UPDATE: Seeing some activity for nukes.directedat.asia 511 A records in the response. All records are in the 172.33.44 and 172.33.43 range. The response exceeds the 1400 size limit for UDP and tries to fallback to TCP. But the attacked client obviously doesn't do this.

UPDATE:
MyDnsScan.Us is related to DirectedAt.Asia see this post: http://dnsamplificationattacks.blogspot.nl/2013/06/domain-mydnsscanus.html

Update 25/06/2013

Dongs.directedat.asia same name servers also 511 return records.

Update 11/07/2013

d.directedat.asia is being used. 256 A records in 172.33.43.x range. ~4115 response size.

UPdate 14/070/2013

f.directedat.asia is using 119 A records in the 172.33.43 range. ~1939 response size.

[NL] 188.95.48.25 - AS57172

General Information:

Attacked IP: 188.95.48.25
Country: Netherlands

Start: 2013-05-14 09:46:41
End: 2013-05-14 19:36:31
Duration: 9:49:00
Average query rate: 0.0322580645161

Requested DNS record: directedat.asia
Query count: 19

IPrange: 188.95.48.0/21
AS Number: Global Layer network
ISP: AS57172

IP has a reverse DNS value of: minerva.netnibble.net

This IP has been seen on the following days:

11-May-2013 11x
14-May-2013 20x

Observed 1 attack:

Attack 1 from 9:00 till 20:00

Details of the DNS Amplification attack:

Requested DNS record: directedat.asia
Query count: 19

Start: 2013-05-14 09:46:41
End: 2013-05-14 19:36:31
Duration: 9:49:00
Average query rate: 0.0322580645161

All request were made with the DNS id: 0x8f1c / 36636

Average query size: 86 bytes
Average response size: 200 bytes

Amplification: 133%

Total query size: 1634 bytes / 1 kilobytes
Response size: 3812 bytes / 3 kilobytes
TotalBandwidth: 5446 bytes / 5 kilobytes

The following 2 TTL values were observed:

244 1x
243 18x

Unique query UDP source ports observed: 19

>>Read Before Rage<<<

Wednesday, May 8, 2013

[NL] 192.162.137.62 - AS16265

General Information:

Attacked IP: 192.162.137.62
Country: Netherlands

Start: 2013-05-08 20:11:16
End: 2013-05-08 21:06:49
Duration: 55 minute(s)
Average query rate: 0.18 per minute

Detected a query rate below 1 per minute. Either a low query attack or there was a long break between bursts See chart for more details.

Requested DNS record: directedat.asia
Query count: 10

IPrange: 192.162.136.0/23
AS Number: Infinite Technologies
ISP: AS16265

IP has a reverse DNS value of: pioneer.ystc.co.il

This IP has been seen on the following days:

08-May-2013 10x
09-May-2013 4x

Observed 1 attack:

Attack 1 from 20:00 till 21:00

Details of the DNS Amplification attack:

Requested DNS record: directedat.asia
Query count: 9

Average query size: 86 bytes
Average response size: 86 bytes

Amplification: 0%

Total query size: 774 bytes / 0 kilobytes
Response size: 774 bytes / 0 kilobytes
TotalBandwidth: 1548 bytes / 1 kilobytes

All observed queries were made with a TTL of: 245

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

The following 9 query UDP source port values were observed:

51291 1x
63636 1x
56018 1x
27393 1x
57501 1x
29907 1x
14162 1x
32780 1x
34213 1x

>>Read Before Rage<<<

[US] 66.102.253.120 - AS4134

General Information:

Attacked IP: 66.102.253.120
Country: United States

Start: 2013-05-06 20:19:14
End: 2013-05-06 20:22:13
Duration: 2 minute(s)
Average query rate: 297 per minute

Requested DNS record: ripe.net
Query count: 594

IPrange: 66.102.240.0/20
AS Number: China Telecom Americas
ISP: AS4134

This IP has been seen on the following days:

06-May-2013 594x
07-May-2013 1746x

Observed 1 attack:

Attack 1 from 20:00 till 21:00

Details of the DNS Amplification attack:

Requested DNS record: ripe.net
Query count: 594

Start: 2013-05-06 20:19:14
End: 2013-05-06 20:22:13
Duration: 2 minute(s)
Average query rate: 297 per minute

Amount of different query ID's observed: 215

Average query size: 91 bytes
Average response size: 811 bytes

Amplification: 791%

Total query size: 54054 bytes / 52 kilobytes
Response size: 481734 bytes / 470 kilobytes
TotalBandwidth: 535788 bytes / 523 kilobytes

Unique TTL values observed: 11
11 hosts or spoofed TTL values.

Unique query UDP source ports observed: 589

>>Read Before Rage<<<

Wednesday, May 1, 2013

[NL] 50.7.190.60 - ATRATOAtratoIPNetworks

General Information:

Attacked IP: 50.7.190.60
Country: Netherlands

Attack started: 2013-05-01 03:16:46
Attack stopped: 2013-05-01 04:11:49
Duration: 55 minute(s)
Query Rate: 0.51 per minute

Detected a query rate below 1 per minute. Either a low query attack or there was a long break between bursts See chart for more details.

IP is in the range: 50.7.188.0/22 which is part of: ATRATOAtratoIPNetworks
with AS number: AS5580 which operates from: NL

Details of the DNS Amplification attack:

Requested DNS record: directedat.asia
Query count: 28

Following DNS query ID's observed:

0x7e8d 14
0x8d3d 14

Query size in bytes: 2408
Response size in bytes: 2408
TotalBandwidth in bytes: 4816

Amplification: 0%

All observed queries were made with a TTL of: 247

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

Unique query UDP source ports observed: 28

>>Read Before Rage<<<

[NL] 134.19.181.30 - GLOBALLAYERGlobalLayerB.V.

General Information:

Attacked IP: 134.19.181.30
Country: Netherlands

Attack started: 2013-05-01 04:30:37
Attack stopped: 2013-05-01 16:27:38
Duration: 11:57
Query Rate: 0.1059972106

IP is in the range: 134.19.176.0/20 which is part of: GLOBALLAYERGlobalLayerB.V.
with AS number: AS57172 which operates from: NL

Details of the DNS Amplification attack:

The following hostnames were observed:

isc.org 4
directedat.asia 72

Query count: 76

Following DNS query ID's observed:

0xbc31 12
0x350f 12
0x7737 12
0xfc55 2
0x4a17 2
0x13fb 12
0x5623 12
0x26a3 12

Query size in bytes: 6504
Response size in bytes: 15448
TotalBandwidth in bytes: 21952

Amplification: 137%

All observed queries were made with a TTL of: 247

Because of this I think the attack was most likely performed from a single host rather than by a botnet.

Unique query UDP source ports observed: 16

>>Read Before Rage<<<