Wednesday, June 26, 2013

Ecatel a big source of *.DirectedAt.Asia

Often I see very little traffic on my DNS server. The advantage of this is that it is a lot easier to spot 'discovery queries'. By these queries I mean booters or stressers looking for open DNS servers to abuse.

A project of a security researcher that does this for good is the

An example of a booter is the person running the different .asia and .us attacks, such as:
- MyDnsScan.Us
- Nukes / dongs.DirectedAt.Asia
- Dd0s.Asia

The person responsible for these domains has been exposed in the following blog post: Dns Amplification Attacks, Booter services and who's behind them

Around the same time this blog was posted I was digging around to find out when I first started seeing these .Asia domains and if I could find a discovery query.

And I did!

The first .asia activity I observed on one of my nodes was on April 25th 2013.

25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client ( query: IN ANY +E (w.x.y.z)

Looking at this IP a bit more I noticed one previous request:

25-Apr-2013 12:xx client (.): query: . IN ANY +E (w.x.y.z)

This IP belongs to the Dutch hosting provider Ecatel, and it is not the only IP from them either. Looking at all the unique IPs that performed .asia requests together with their AS numbers, a clear pattern emerges.

Count  IP  AS number  ISP
36 AS5580 Atrato IP Networks
5 AS34568 ConnectingBytes GmbH
9 AS33387 DataShack, LC
8 AS33387 DataShack, LC
3 AS8373 Deutsche Bank AG
23 AS29073 Ecatel Network
15 AS29073 Ecatel Network
11 AS29073 Ecatel Network
7 AS29073 Ecatel Network
6 AS29073 Ecatel Network
5 AS29073 Ecatel Network
4 AS29073 Ecatel Network
4 AS29073 Ecatel Network
3 AS29073 Ecatel Network
2 AS29073 Ecatel Network
2 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
1 AS29073 Ecatel Network
56 AS18779 EGIHosting
36 AS18779 EGIHosting
7 AS18779 EGIHosting
1 AS18779 EGIHosting
1 AS47195 Gameforge Productions GmbH
81 AS57172 Global Layer B.V.
44 AS57172 Global Layer B.V.
28 AS57172 Global Layer B.V.
51 AS24940 Hetzner Online AG
1 AS42910 Hosting Internet Hizmetleri Sanayi ve
2 AS8972 intergenia AG
14 AS16265 LeaseWeb B.V.
3 AS47869 Netrouting Data Facilities
1 AS47869 Netrouting Data Facilities
12 AS35662 Redstation Limited
4 AS35662 Redstation Limited
1 AS35662 Redstation Limited
1 AS50673 Serverius Holding B.V.
2 AS46664 VolumeDrive
1 AS46664 VolumeDrive
1 AS46664 VolumeDrive
50 AS49981 WorldStream
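Detection logic for the pattern described above (a source that sends an 'ANY .' probe and then ANY queries for the scanner domains, followed by a per-AS tally like the table), as an added example that is not part of the original post. It assumes BIND 9 query-log formatting, TEST-NET sample addresses and a constructed prefix-to-AS table standing in for a real lookup:

```python
import ipaddress, re
from collections import Counter
# Assumed BIND 9 query-log layout; the post's own lines have the client IP redacted.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) "
    r"IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[\d.]+)\)$"
)
# Constructed prefix-to-AS table standing in for a real BGP or whois lookup.
PREFIX_TO_AS = {
    "192.0.2.0/24": "AS29073 Ecatel Network",
    "198.51.100.0/24": "AS57172 Global Layer B.V.",
}
# Zones the post ties to booter scanning; names under them count as well.
SCANNER_ZONES = ("directedat.asia", "dd0s.asia")
def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def lookup_as(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_TO_AS.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return "unknown"

def analyse(lines):
    """Return (sources that sent 'ANY .' and later hit a scanner zone, ANY hits per AS)."""
    root_any, hits = set(), Counter()
    for line in lines:
        q = parse(line)
        if q is None or q["qtype"] != "ANY":
            continue
        name = q["qname"].lower().rstrip(".") or "."
        if name == ".":
            root_any.add(q["src"])  # open-resolver discovery probe
        elif any(name == z or name.endswith("." + z) for z in SCANNER_ZONES):
            hits[q["src"]] += 1
    discovery = sorted(src for src in root_any if src in hits)
    per_as = Counter()
    for src, n in hits.items():
        per_as[lookup_as(src)] += n
    return discovery, dict(per_as)

# Constructed sample lines in the layout above (TEST-NET addresses, not real clients).
SAMPLE = [
    "25-Apr-2013 12:01:07.113 client 192.0.2.10#41233: query: . IN ANY +E (203.0.113.5)",
    "25-Apr-2013 18:20:31.004 client 192.0.2.10#41233: query: nukes.directedat.asia IN ANY +E (203.0.113.5)",
    "25-Apr-2013 18:22:02.551 client 198.51.100.7#5353: query: dd0s.asia IN ANY +E (203.0.113.5)",
    "25-Apr-2013 18:25:00.000 client 203.0.113.9#3344: query: www.example.com IN A +E (203.0.113.5)",
]
```

Running `analyse(SAMPLE)` flags 192.0.2.10 as a discovery source (root probe followed by a scanner-zone ANY) and attributes one hit each to the two constructed ASes.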

Ecatel is a known 'bad' hoster, as described by

Top 10 Bad Hosts 2013 Q1

HE Rank  HE Index  AS Number  Name  Country
1 152.38 AS29073 Ecatel Network NL NETHERLANDS
2 149.22 AS58001 Ideal Solution Ltd RU RUSSIAN FEDERATION
3 146.69 AS6697 Beltelecom BY BELARUS
4 141.69 AS29182 ISPsystem RU RUSSIAN FEDERATION
5 136.65 AS16276 OVH Systems FR FRANCE
6 134.49 AS24940 Hetzner Online AG DE GERMANY
7 133.96 AS40034 Confluence Networks Inc VG VIRGIN ISLANDS, BRITISH
8 133.83 AS197774 Smovskaya Valentina Ivanovna UA UKRAINE
9 132.18 AS11042 Landis Holdings Inc US UNITED STATES

Saturday, June 22, 2013


The domain name made me think of the DirectedAt.Asia.

After a quick comparison of the whois data, I see they have matching registrars ( Corp). Perhaps it's a lead.

A definite link can be made between the two domains when looking at the 'Name Server:' details in the whois data of MyDnsScan.Us, as it contains records.

The .asia domain has whois guard, but the MyDnsScan one has some contact details.

--- Directed at asia ---
    Domain ID:D2608645-ASIA
    Domain Create Date:12-Apr-2013 03:21:04 UTC
    Domain Expiration Date:12-Apr-2014 03:21:04 UTC
    Domain Last Updated Date:11-Jun-2013 20:50:05 UTC
    Last Transferred Date:
    Created Corp. R176-ASIA (814)
    Last Updated by Registrar:ASIA Registry R6-ASIA (9996)
    Sponsoring Corp. R176-ASIA (814)
    Registrant ID:INTE9l5othfpmebj
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Registrant Address2:Aptds. 0850-00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877


--- My DNS Scan US ---

    Domain Name:    MYDNSSCAN.US
    Domain ID:      D40566976-US
    Sponsoring Registrar:    INTERNET.BS CORP.
    Sponsoring Registrar IANA ID:                814
    Registrar URL (registration services):
    Domain Status:                               clientTransferProhibited
    Registrant ID:                               INTESKAXRHT1B2G3
    Registrant Name:                             Herman Singh
    Registrant Address1:                         9049 180th St
    Registrant City:                             Jamaica
    Registrant Postal Code:                      11432
    Registrant Country:                          United States
    Registrant Country Code:                     US
    Registrant Phone Number:                     +1.5267675
    Registrant Email:                  
    Name Server:   NS-UK.TOPDNS.COM
    Name Server:   NS-USA.TOPDNS.COM
    Name Server:   NS-CANADA.TOPDNS.COM
    Name Server:   NS2.MYDNSSCAN.US
    Name Server:   NS1.MYDNSSCAN.US
    Name Server:   NS3.MYDNSSCAN.US
    Name Server:   NS4.MYDNSSCAN.US
    Name Server:   NS1.DIRECTEDAT.ASIA
    Name Server:   NS2.DIRECTEDAT.ASIA
    Created by Registrar:     INTERNET.BS CORP.
    Last Updated by Registrar:  INTERNET.BS CORP.
    Domain Registration Date:   Thu May 23 20:58:15 GMT 2013
    Domain Expiration Date:     Thu May 22 23:59:59 GMT 2014
    Domain Last Updated Date:   Fri Jun 21 12:23:35 GMT 2013


Since June 7th I've seen a few different IPs, but all in very, very low amounts; the same as , which does only about one query an hour.

At the moment is using the following two name servers: 14400 IN NS 14400 IN NS

UPDATE: 23/06/2013

Just seen requests for ; this domain is registered at the same registrar and has the same IP range in its response. The name server IPs also show similarities.

<snip> 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A

Whois info:

    Domain ID:D2709804-ASIA
    Domain Name:DD0S.ASIA
    Domain Create Date:23-Jun-2013 01:38:11 UTC
    Domain Expiration Date:23-Jun-2014 01:38:11 UTC
    Domain Last Updated Date:23-Jun-2013 01:51:33 UTC
    Last Transferred Date:
    Created Corp. R176-ASIA (814)
    Last Updated by Corp. R176-ASIA (814)
    Sponsoring Corp. R176-ASIA (814)
    Registrant ID:INTEfa270xohhrs2
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Registrant Address2:Aptds. 0850-00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877

Name servers:

The domains DirectedAt.Asia and Dd0s.Asia are using the same Name Server IPs: 3600 IN A 3600 IN A 53633 IN A 53633 IN A
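Scripting the whois pivot used in this post (shared registrant contact, registrar ID and name servers across privacy-protected registrations), as an added example that is not part of the original. The records are trimmed from the whois output quoted above; the name-server lines for the .asia domains are assumed:

```python
from itertools import combinations
def parse_whois(text):
    """Turn 'Key: value' lines into a dict; 'Name Server' lines collect into a set."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key == "name server":
            rec.setdefault("name servers", set()).add(value.upper())
        else:
            rec[key] = value
    return rec

# Fields whose equality is a useful pivot between privacy-protected registrations.
PIVOTS = ("registrant phone", "registrant organization", "sponsoring registrar iana id")
def shared_attributes(a, b):
    """List the (field, value) pairs two parsed records have in common."""
    hits = [(f, a[f]) for f in PIVOTS if f in a and a[f] == b.get(f)]
    common_ns = a.get("name servers", set()) & b.get("name servers", set())
    hits.extend(("name server", ns) for ns in sorted(common_ns))
    return hits

def link_domains(records):
    """Map each pair of domains to the pivots connecting them; unlinked pairs are left out."""
    links = {}
    for (da, ra), (db, rb) in combinations(records.items(), 2):
        hits = shared_attributes(ra, rb)
        if hits:
            links[(da, db)] = hits
    return links

# Records trimmed from the whois output quoted in the post (whois-guard contact for the
# .asia domains, MyDnsScan.Us registrant); the .asia name-server lines are assumed.
RECORDS = {name: parse_whois(txt) for name, txt in {
    "directedat.asia": """Registrant Organization:Fundacion Private Whois
Registrant Phone:+507.65995877
Name Server:ns1.directedat.asia
Name Server:ns2.directedat.asia""",
    "dd0s.asia": """Registrant Organization:Fundacion Private Whois
Registrant Phone:+507.65995877""",
    "mydnsscan.us": """Sponsoring Registrar IANA ID: 814
Registrant Name: Herman Singh
Name Server: NS1.DIRECTEDAT.ASIA
Name Server: NS2.DIRECTEDAT.ASIA""",
}.items()}
```

`link_domains(RECORDS)` ties the two .asia domains together through the shared whois-guard phone and organisation, and ties MyDnsScan.Us to DirectedAt.Asia through the name servers only.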

UPDATE 26/06/2013

Just seen activity for . The response contains 244 IPs in the  range. Same name servers as those mentioned above.

    Date Registered: 2013-6-26
    Expiry Date: 2014-6-26
    Registrant: Fundacion Private Whois
    Domain Administrator
    Email:
    Aptds. 0850-00056
    Zona 15 Panama, Panama
    Tel: +507.65995877

    Registrar: Corp.

Name servers: 78501 IN A 78501 IN A

Update 28/06/2013

One new day, two new domains. This time it is  and , and I have enough reason to believe this is the same guy as DirectedAt.Asia above.

Whois details ScanDns.Tk:

    Domain name:      SCANDNS.TK
    Organisation:      BV Dot TK
                       Dot TK administrator
                       P.O. Box 11774
                       1001 GT Amsterdam
                       Netherlands
    Phone: +31 20 5315725
    Fax: +31 20 5315721
    E-mail (abuse):
    E-mail (copyright infringement):


1350 A records in the ranges 1. - 223. 2181 IN NS 2181 IN NS 2181 IN NS 2181 IN NS


Whois details
Status: connect
Changed: 2013-06-27T22:37:52+02:00

Type: ROLE
Name: Hostmaster Of The Day
Organisation: InterNetworX Ltd. & Co. KG
Address: Tempelhofer Damm 140
PostalCode: 12099
City: Berlin
CountryCode: DE
Phone: +49.180.3730000
Phone: +49.30.66400137
Fax: +49.30.66400138
Remarks: role account for Hostmaster of the Day
Changed: 2009-01-07T16:28:43+01:00

501 A records in the 178.100 range.

Name servers: 20837 IN NS 20837 IN NS 20837 IN NS 20837 IN NS 20837 IN NS

Update 07/07/2013

New domain and new sub-domain: returns 511 records in the and range.

-------------- returns 511 A records in the and range.

I have seen the domain only once. That same source IP also requested Nukes.DirectedAt.Asia once, on the 25th of June.

Name servers: 86400 IN NS 86400 IN NS 86400 IN A 86400 IN A

SOA: 77002 IN SOA (
    2053191001 ; serial
    86400      ; refresh (1 day)
    7200       ; retry (2 hours)
    3600000    ; expire (5 weeks 6 days 16 hours)
    86400      ; minimum (1 day)
    )



    Technical Contact
        Fundacion Private Whois
        Domain Administrator
        Aptds. 0850-00056
        Zona 15 Panama
        Tel: +507.65995877

    Registrar: Corp.


Sunday, June 2, 2013

Statistics May 2013

From this month on I will try to publish a monthly post containing some statistics of what I have been observing with my little project.

Starting this month I have seen a large increase in traffic, from a couple of IPs a day to hundreds. Because of this I stopped tweeting and automatically blogging about it. I mean, who is going to read 300 blog posts a day, really?

See the increase in requests per day in the graph below:

The plan is to start this month on a public status page that will contain statistics and a bunch of reports on attacks I'm seeing. All automated and shiny!


Total queries this month: 4.201.970

Most popular domain: with 2.929.013 requests.

4606 unique source IPs, 2270 observed more than 100 times.

Top 25 attacks in May:


IPs per country:

Requests per country:

This gives a pretty good view of what I have been looking at on my dashboard.

Coming up next:

Details on a few characteristics, snort rules to detect attacks and development on the dashboard!