After a quick comparison of the whois data, I see they have matching Registrars (Internet.bs Corp). Perhaps it's a lead.
A definite link can be made between the two domains when looking at the 'Name Server:' details in the whois data of MyDnsScan.Us, as it contains directedat.asia records.
The .asia domain has whois guard, but the MyDnsScan one has some contact details.
--- Directed at asia ---
Domain ID:D2608645-ASIA
Domain Name:DIRECTEDAT.ASIA
Domain Create Date:12-Apr-2013 03:21:04 UTC
Domain Expiration Date:12-Apr-2014 03:21:04 UTC
Domain Last Updated Date:11-Jun-2013 20:50:05 UTC
Last Transferred Date:
Created by:Internet.bs Corp. R176-ASIA (814)
Last Updated by Registrar:ASIA Registry R6-ASIA (9996)
Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
Domain Status:CLIENT TRANSFER PROHIBITED
Registrant ID:INTE9l5othfpmebj
Registrant Name:
Domain Administrator
Registrant Organization:Fundacion Private Whois
Registrant Address:
Attn: directedat.asia
Registrant Address2: Aptds. 0850- 00056
Registrant Address3:
Registrant City:Panama
Registrant State/Province:
Registrant Country/Economy:PA
Registrant Postal Code:Zona 15
Registrant Phone:+507.65995877
source: http://whois.domaintools.com/directedat.asia
--- My DNS Scan US ---
Domain Name: MYDNSSCAN.US
Domain ID: D40566976-US
Sponsoring Registrar: INTERNET.BS CORP.
Sponsoring Registrar IANA ID: 814
Registrar URL (registration services): http://www.internet.bs
Domain Status: clientTransferProhibited
Registrant ID: INTESKAXRHT1B2G3
Registrant Name: Herman Singh
Registrant Address1: 9049 180th St
Registrant City: Jamaica
Registrant Postal Code: 11432
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5267675
Registrant Email: hermansinghs@gmail.com
<snip>
name Server: NS-UK.TOPDNS.COM
Name Server: NS-USA.TOPDNS.COM
Name Server: NS-CANADA.TOPDNS.COM
Name Server: NS2.MYDNSSCAN.US
Name Server: NS1.MYDNSSCAN.US
Name Server: NS3.MYDNSSCAN.US
Name Server: NS4.MYDNSSCAN.US
Name Server: NS1.DIRECTEDAT.ASIA
Name Server: NS2.DIRECTEDAT.ASIA
Created by Registrar: INTERNET.BS CORP.
Last Updated by Registrar: INTERNET.BS CORP.
Domain Registration Date: Thu May 23 20:58:15 GMT 2013
Domain Expiration Date: Thu May 22 23:59:59 GMT 2014
Domain Last Updated Date: Fri Jun 21 12:23:35 GMT 2013
source: http://whois.domaintools.com/mydnsscan.us
Since June 7th I've seen a few different IPs, but all in very, very low amounts, the same as directedat.asia, which does only about one an hour.
At the moment MyDnsScan.us is using the following two name servers:
mydnsscan.us. 14400 IN NS ns1.mydnsscan.us.
mydnsscan.us. 14400 IN NS ns2.mydnsscan.us.
UPDATE: 23/06/2013
Just seen requests for dd0s.asia. This domain is registered at the same registrar and has the same IP range in its response. The name server IPs also show similarities.
----------------
<snip>
dd0s.asia. 3600 IN A 172.33.43.37
dd0s.asia. 3600 IN A 172.33.43.7
dd0s.asia. 3600 IN A 172.33.43.38
dd0s.asia. 3600 IN A 172.33.43.63
dd0s.asia. 3600 IN A 172.33.43.6
dd0s.asia. 3600 IN A 172.33.43.48
dd0s.asia. 3600 IN A 172.33.43.54
dd0s.asia. 3600 IN A 172.33.43.68
dd0s.asia. 3600 IN A 172.33.43.43
dd0s.asia. 3600 IN A 172.33.43.3
dd0s.asia. 3600 IN A 172.33.43.32
dd0s.asia. 3600 IN A 172.33.43.26
<snip>
------------------
Whois info:
Domain ID:D2709804-ASIA
Domain Name:DD0S.ASIA
Domain Create Date:23-Jun-2013 01:38:11 UTC
Domain Expiration Date:23-Jun-2014 01:38:11 UTC
Domain Last Updated Date:23-Jun-2013 01:51:33 UTC
Last Transferred Date:
Created by:Internet.bs Corp. R176-ASIA (814)
Last Updated by Registrar:Internet.bs Corp. R176-ASIA (814)
Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
Domain Status:CLIENT TRANSFER PROHIBITED
Domain Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:INTEfa270xohhrs2
Registrant Name:Domain Administrator
Registrant Organization:Fundacion Private Whois
Registrant Address:
Attn: dd0s.asia
Registrant Address2:Aptds. 0850-00056
Registrant Address3:
Registrant City:Panama
Registrant State/Province:
Registrant Country/Economy:PA
Registrant Postal Code:Zona 15
Registrant Phone:+507.65995877
Name servers:
The domains DirectedAt.Asia and Dd0s.Asia are using the same Name Server IPs:
ns1.dd0s.asia. 3600 IN A 74.91.18.226
ns2.dd0s.asia. 3600 IN A 74.91.18.226
ns1.directedat.asia. 53633 IN A 74.91.18.226
ns2.directedat.asia. 53633 IN A 74.91.18.226
UPDATE 26/06/2013
Just seen activity for 1rip.com. The response contains 244 IPs in the 204.46.43.0/24 range. Its name servers resolve to the same IP as those of the domains above.
Domain 1rip.com
Date Registered: 2013-6-26
Expiry Date: 2014-6-26
DNS1: ns1.1rip.com
DNS2: ns2.1rip.com
Registrant Fundacion Private Whois
Domain Administrator Email:
Attn: 1rip.com
Aptds. 0850-00056
Zona 15 Panama Panama Tel: +507.65995877
Registrar: Internet.bs Corp.
Name servers:
ns1.1rip.com. 78501 IN A 74.91.18.226
ns2.1rip.com. 78501 IN A 74.91.18.226
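The pivot used above for dd0s.asia, directedat.asia and 1rip.com (name servers of different domains resolving to one IP, and MyDnsScan.us delegating to directedat.asia name servers) as an added Python example; this is not code from the original post. The records are the ones quoted on this page, plus the MyDnsScan.us name servers from its whois listing written as NS records with an assumed TTL, and one constructed control domain. The two-label registrable-domain rule is an assumption (no public-suffix list is consulted).

```python
"""Pivot on shared name-server infrastructure across DNS records.

Added example, not code from the original post. It parses dig-style
resource records and groups registrable domains by the IP address their
name servers resolve to, and lists domains that delegate to name servers
living under another domain (as MyDnsScan.us does with directedat.asia).
"""
import re
from collections import defaultdict

# Records quoted in the post (A records for the ns hosts of dd0s.asia,
# directedat.asia, 1rip.com and anonsc.com), the MyDnsScan.us name servers
# from its whois listing written as NS records with an assumed TTL, and one
# constructed control domain that must not cluster with anything.
RECORDS = """
ns1.dd0s.asia. 3600 IN A 74.91.18.226
ns2.dd0s.asia. 3600 IN A 74.91.18.226
ns1.directedat.asia. 53633 IN A 74.91.18.226
ns2.directedat.asia. 53633 IN A 74.91.18.226
ns1.1rip.com. 78501 IN A 74.91.18.226
ns2.1rip.com. 78501 IN A 74.91.18.226
mydnsscan.us. 14400 IN NS ns1.mydnsscan.us.
mydnsscan.us. 14400 IN NS ns2.mydnsscan.us.
mydnsscan.us. 14400 IN NS ns1.directedat.asia.
mydnsscan.us. 14400 IN NS ns2.directedat.asia.
anonsc.com. 86400 IN NS ns3.anonsc.com.
anonsc.com. 86400 IN NS ns4.anonsc.com.
ns3.anonsc.com. 86400 IN A 89.221.247.170
ns4.anonsc.com. 86400 IN A 89.221.247.170
control.example. 3600 IN NS ns1.control.example.
ns1.control.example. 3600 IN A 203.0.113.10
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_records(text):
    """Return (owner, rtype, rdata) tuples; names lowercased, trailing dot removed."""
    out = []
    for line in text.strip().splitlines():
        m = RR_RE.match(line.strip())
        if not m:          # skip <snip> markers, comments and blank lines
            continue
        owner, _ttl, rtype, rdata = m.groups()
        out.append((owner.lower().rstrip("."), rtype, rdata.lower().rstrip(".")))
    return out


def registrable(name):
    """Last two labels of a hostname.  Assumption: no public-suffix list is
    consulted, so multi-label suffixes such as co.uk would be mishandled."""
    return ".".join(name.split(".")[-2:])


def build_pivots(records):
    """Return (ns_ip -> domains it serves, domain -> its NS hostnames)."""
    ns_hosts_by_domain = defaultdict(set)
    domains_by_ns_ip = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "NS":
            ns_hosts_by_domain[owner].add(rdata)
    ns_targets = {h for hosts in ns_hosts_by_domain.values() for h in hosts}
    for owner, rtype, rdata in records:
        # Treat an A record as name-server glue when the host is an NS target
        # or follows the nsN.<domain> naming convention seen in the post.
        if rtype != "A" or not (owner in ns_targets or owner.split(".")[0].startswith("ns")):
            continue
        domains_by_ns_ip[rdata].add(registrable(owner))      # its own domain
        for domain, hosts in ns_hosts_by_domain.items():       # and any delegator
            if owner in hosts:
                domains_by_ns_ip[rdata].add(domain)
    return domains_by_ns_ip, ns_hosts_by_domain


def clusters(records, min_domains=2):
    """Name-server IPs serving at least min_domains distinct domains."""
    by_ip, _ = build_pivots(records)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def cross_delegations(records):
    """Domains whose name servers live under a different registrable domain."""
    _, ns_by_domain = build_pivots(records)
    return {dom: sorted({registrable(h) for h in hosts if registrable(h) != dom})
            for dom, hosts in ns_by_domain.items()
            if any(registrable(h) != dom for h in hosts)}


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for ip, doms in clusters(recs).items():
        print(f"{ip} serves {len(doms)} domains: {', '.join(doms)}")
    for dom, foreign in cross_delegations(recs).items():
        print(f"{dom} delegates to name servers under {', '.join(foreign)}")
```

Run as-is it reports 74.91.18.226 serving four domains and mydnsscan.us delegating into directedat.asia, while the control domain and anonsc.com (a different name-server IP on this page) stay separate. Shared registrar alone is a weak signal, as the first comment below points out; shared glue IPs plus cross-delegation is the stronger one.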
Update 28/06/2013
One new day, two new domains. This time it is ScanDns.tk and Xcqv.de, and I have enough reason to believe this is the same guy as DirectedAt.Asia above.
Whois details ScanDns.Tk:
Domain name: SCANDNS.TK
Organisation: BV Dot TK Dot TK
administrator P.O. Box 11774 1001 GT Amsterdam Netherlands
Phone: +31 20 5315725
Fax: +31 20 5315721
E-mail: abuse: ,
copyright infringement:
Returns 1350 A records in the ranges 1. - 223.
scandns.tk. 2181 IN NS ns1.cloudns.net.
scandns.tk. 2181 IN NS ns2.cloudns.net.
scandns.tk. 2181 IN NS ns3.cloudns.net.
scandns.tk. 2181 IN NS ns4.cloudns.net.
-----------------------------------------------------------------------
Whois details xcqv.de:
Domain: xcqv.de
Returns:
Nserver: ns.inwx.de
Nserver: ns2.inwx.de
Nserver: ns3.inwx.eu
Nserver: ns4.inwx.com
Nserver: ns5.inwx.net
Status: connect
Changed: 2013-06-27T22:37:52+02:00
[Tech-C]
Type: ROLE
Name: Hostmaster Of The Day
Organisation: InterNetworX Ltd. & Co. KG
Address: Tempelhofer Damm 140
PostalCode: 12099
City: Berlin
CountryCode: DE
Phone: +49.180.3730000
Phone: +49.30.66400137
Fax: +49.30.66400138
Email:
Remarks: role account for Hostmaster of the Day
Changed: 2009-01-07T16:28:43+01:00
501 A records in the 178.100 range.
Name servers:
xcqv.de. 20837 IN NS ns2.inwx.de.
xcqv.de. 20837 IN NS ns5.inwx.net.
xcqv.de. 20837 IN NS ns4.inwx.com.
xcqv.de. 20837 IN NS ns.inwx.de.
xcqv.de. 20837 IN NS ns3.inwx.eu.
New domain and new sub-domain:
formality.directedat.asia returns 511 records in the 172.33.43.0 and 172.33.44.0 range.
--------------
AnonSc.com returns 511 A records in the 172.33.43.0 and 172.33.44.0 range.
Seen the AnonSc.com domain only once. That same source IP also once requested Nukes.DirectedAt.Asia on the 25th of June.
Name servers:
anonsc.com. 86400 IN NS ns3.anonsc.com.
anonsc.com. 86400 IN NS ns4.anonsc.com.
ns3.anonsc.com. 86400 IN A 89.221.247.170
ns4.anonsc.com. 86400 IN A 89.221.247.170
SOA:
anonsc.com. 77002 IN SOA ns3.anonsc.com. shit.anonsc.com. (
2053191001 ; serial
86400 ; refresh (1 day)
7200 ; retry (2 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
Whois:
Technical Contact
Fundacion Private Whois
Domain Administrator
Email:
Attn: anonsc.com
Aptds. 0850-00056
Zona 15 Panama
Panama
Tel: +507.65995877
Registrar: Internet.bs Corp.
source: http://whois.domaintools.com/anonsc.com
The fact that all of these domains are registered with Internet.bs is more due to its status as a safe harbor to domains used by spammers, malware peddlers, phishers, and other scum. They are almost completely unresponsive to abuse reports and every lowlife knows this, which is why you see all of these domains registered there. It's not necessarily indicative of the same person or group being behind these domains.
This is true, but I also base it on the fact that a couple of these domains use(d) the same Name Server IPs and the initial first request often came from the same IP ranges or even the same hosts. Got any more information to share on the internet.bs registrar?
My backdoor connection to my place of work is getting DoS'ed pretty much with UDP DNS queries for A Record mydnsscan.us and A Record 1rip.com. My backdoor connection isn't too great but this traffic is managing to cause many more connection problems. Really annoying :( I am sometimes getting hit by 3 different addresses out there at the same time.
'sometimes getting hit by 3 different address out there at the same time'
Do you mean IPs or Domains?
If it is IPs then perhaps you are actually running a DNS server on that line..
I mean IPs.
This connection ran a DNS server until the other day, I closed it down and I'm now dropping inbound packets on port 53. Firewall is still getting hit hard, but is no longer replying.
By 3 different addresses I mean that I have 3 unique IPs sending hundreds of thousands of DNS queries for mydnsscan.us or 1rip.com at one point in time.
I am being hit by a very big and distributed UDP and all I see on .cap is anonsc.com
.cap file:
www.helbreathnemesis.com/downloads/11.rar
Hi calu, thanks for the pcap.
I will look further into this, but you have been hit by at least two types of attacks. The majority is a Chargen attack and also some traffic related to DNS amplification.
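A detector for the query flood the commenters describe (hundreds of thousands of A queries for mydnsscan.us or 1rip.com arriving from a few addresses), as an added example that is not part of the original post or its comments. It runs over constructed log lines in a made-up "timestamp source qname qtype" format and reports (source, name) pairs whose count within one window passes a threshold; the log format, the thresholds and the RFC 5737 sample addresses are assumptions. Names quoted on this page as returning very large A-record sets form the watchlist.

```python
"""Flag a query flood of the kind described in the comments.

Added example, not code from the original post or its comments.  It runs
over constructed log lines in a made-up "<iso-timestamp> <src-ip> <qname>
<qtype>" format and reports (source, name) pairs whose query count within
one window reaches a threshold.  Names from the post form a watchlist so a
hit can be labelled as known; thresholds and format are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Names quoted in the post as returning very large A-record sets.
WATCHLIST = {"mydnsscan.us", "1rip.com", "anonsc.com", "dd0s.asia",
             "directedat.asia", "scandns.tk", "xcqv.de"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def make_sample():
    """Constructed log: two flood sources and one quiet client (RFC 5737 addresses)."""
    base = datetime(2013, 6, 28, 10, 0, 0)
    lines = []
    for i in range(300):     # 300 queries in 30 s for one name
        lines.append(f"{(base + timedelta(milliseconds=100 * i)).isoformat()} 198.51.100.7 mydnsscan.us A")
    for i in range(250):     # 250 queries in 30 s for another
        lines.append(f"{(base + timedelta(milliseconds=120 * i)).isoformat()} 203.0.113.9 1rip.com A")
    for i in range(5):       # ordinary low-rate lookups
        lines.append(f"{(base + timedelta(seconds=7 * i)).isoformat()} 192.0.2.44 example.com A")
    lines.append(f"{base.isoformat()} 192.0.2.44 mydnsscan.us A")   # one-off, not a flood
    return lines


def parse(lines):
    """Yield (timestamp, src, qname, qtype); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, qname, qtype = m.groups()
            yield datetime.fromisoformat(ts), src, qname.lower().rstrip("."), qtype


def peak_counts(events, window_s=60):
    """Highest number of queries any (src, qname) pair sent in one window."""
    events = list(events)
    if not events:
        return {}
    t0 = min(e[0] for e in events)
    buckets = defaultdict(Counter)
    for ts, src, qname, _qtype in events:
        bucket = int((ts - t0).total_seconds()) // window_s
        buckets[(src, qname)][bucket] += 1
    return {key: max(c.values()) for key, c in buckets.items()}


def flag(lines, threshold=100, window_s=60):
    """(src, qname, peak, on_watchlist) for pairs at or above threshold.

    In a reflection attack the source address is normally forged to point
    at the victim, so a flagged src is the party being attacked rather than
    the attacker: the remedy is to stop answering (close the open resolver
    or rate-limit responses), not to treat that address as hostile.
    """
    peaks = peak_counts(parse(lines), window_s)
    return sorted((src, qname, n, qname in WATCHLIST)
                  for (src, qname), n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    for src, qname, peak, known in flag(make_sample()):
        tag = "known amplification name" if known else "unlisted name"
        print(f"{src} sent {peak} queries/min for {qname} ({tag})")
```

On the sample this flags the two flood sources and ignores the quiet client, including its single query for mydnsscan.us; the watchlist only labels a hit, the rate decides it, so a new name in the same campaign is still caught. To use it on real data, replace make_sample() with lines read from your own query log in the same four-field shape.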