Attacked IP: 192.162.137.62
Country: Netherlands
Start: 2013-05-08 20:11:16
End: 2013-05-08 21:06:49
Duration: 55 minute(s)
Average query rate: 0.18 per minute
Detected a query rate below 1 per minute. Either a low query attack or there was a long break between bursts. See chart for more details.
Requested DNS record: directedat.asia
Query count: 10
IP range: 192.162.136.0/23
AS Number: AS16265
ISP: Infinite Technologies
IP has a reverse DNS value of: pioneer.ystc.co.il
This IP has been seen on the following days:
- 08-May-2013 10x
- 09-May-2013 4x
Observed 1 attack:
- Attack 1 from 20:00 till 21:00
Requested DNS record: directedat.asia
Query count: 9
Start: 2013-05-08 20:11:16
End: 2013-05-08 20:59:23
Duration: 48 minute(s)
Average query rate: 0.19 per minute
Detected a query rate below 1 per minute. Either a low query attack or there was a long break between bursts. See chart for more details.
All requests were made with the DNS id: 0xca0c
Average query size: 86 bytes
Average response size: 86 bytes
Amplification: 0%
Total query size: 774 bytes / 0 kilobytes
Response size: 774 bytes / 0 kilobytes
Total bandwidth: 1548 bytes / 1 kilobytes
All observed queries were made with a TTL of: 245
Because of this I think the attack was most likely performed from a single host rather than by a botnet.
The following 9 query UDP source port values were observed:
- 51291 1x
- 63636 1x
- 56018 1x
- 27393 1x
- 57501 1x
- 29907 1x
- 14162 1x
- 32780 1x
- 34213 1x
It is from a BOT. They switched DNS nameservers and they now host 256 A records.
dig @8.8.8.8 directedat.asia +short | wc -l
256
Hi Luke!
Would you have more information on this bot? A sample perhaps.
The following post describing what I've seen / know of this domain has been in my drafts for a few days already. Might be an interesting read.
http://dnsamplificationattacks.blogspot.com/2013/05/domain-directedatasia.html