Saturday, June 22, 2013


The domain name made me think of DirectedAt.Asia.

After a quick comparison of the whois data, I see they have matching registrars (Internet.bs Corp., IANA ID 814). Perhaps it's a lead.

A definite link can be made between the two domains when looking at the 'Name Server:' details in the whois data of MyDnsScan.Us, as it lists NS1.DIRECTEDAT.ASIA and NS2.DIRECTEDAT.ASIA among its name servers.

The .asia domain sits behind a whois privacy service (Fundacion Private Whois), but the MyDnsScan.Us record has some real contact details.

--- Directed at asia ---

    Domain ID:D2608645-ASIA
    Domain Create Date:12-Apr-2013 03:21:04 UTC
    Domain Expiration Date:12-Apr-2014 03:21:04 UTC
    Domain Last Updated Date:11-Jun-2013 20:50:05 UTC
    Last Transferred Date:
    Created by Registrar:Internet.bs Corp. R176-ASIA (814)
    Last Updated by Registrar:ASIA Registry R6-ASIA (9996)
    Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
    Registrant ID:INTE9l5othfpmebj
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Registrant Address2:Aptds. 0850-00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877


--- My DNS Scan US ---

    Domain Name:    MYDNSSCAN.US
    Domain ID:      D40566976-US
    Sponsoring Registrar:    INTERNET.BS CORP.
    Sponsoring Registrar IANA ID:                814
    Registrar URL (registration services):
    Domain Status:                               clientTransferProhibited
    Registrant ID:                               INTESKAXRHT1B2G3
    Registrant Name:                             Herman Singh
    Registrant Address1:                         9049 180th St
    Registrant City:                             Jamaica
    Registrant Postal Code:                      11432
    Registrant Country:                          United States
    Registrant Country Code:                     US
    Registrant Phone Number:                     +1.5267675
    Registrant Email:                  
    Name Server:   NS-UK.TOPDNS.COM
    Name Server:   NS-USA.TOPDNS.COM
    Name Server:   NS-CANADA.TOPDNS.COM
    Name Server:   NS2.MYDNSSCAN.US
    Name Server:   NS1.MYDNSSCAN.US
    Name Server:   NS3.MYDNSSCAN.US
    Name Server:   NS4.MYDNSSCAN.US
    Name Server:   NS1.DIRECTEDAT.ASIA
    Name Server:   NS2.DIRECTEDAT.ASIA
    Created by Registrar:     INTERNET.BS CORP.
    Last Updated by Registrar:  INTERNET.BS CORP.
    Domain Registration Date:   Thu May 23 20:58:15 GMT 2013
    Domain Expiration Date:     Thu May 22 23:59:59 GMT 2014
    Domain Last Updated Date:   Fri Jun 21 12:23:35 GMT 2013
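The pivoting done above by eye (same registrar ID, a registrant phone number that repeats, a domain whose name servers live under another suspect domain) can be automated once the records are normalised. The script below is an added example, not code from the original post. The three records are transcribed from the post's whois output for DirectedAt.Asia, MyDnsScan.Us and DD0S.Asia, trimmed to the fields used; a Domain Name line was added to the .asia records, and the registrar name in their registrar fields is taken from the MyDnsScan.Us record (all three carry IANA ID 814). The function and field names are this example's own.

```python
"""Pivot between WHOIS records on shared registrar, contact and name-server data.

Added example, not code from the original post. Records are transcribed from
the post's WHOIS output (assumption: the .asia registrar name is the same
Internet.bs Corp. shown in the MyDnsScan.Us record, both having IANA ID 814).
"""
import re
from collections import defaultdict

DIRECTEDAT_ASIA = """\
Domain Name:DIRECTEDAT.ASIA
Domain ID:D2608645-ASIA
Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
Registrant Name:Domain Administrator
Registrant Organization:Fundacion Private Whois
Registrant Country/Economy:PA
Registrant Phone:+507.65995877
"""

MYDNSSCAN_US = """\
Domain Name:    MYDNSSCAN.US
Domain ID:      D40566976-US
Sponsoring Registrar:    INTERNET.BS CORP.
Sponsoring Registrar IANA ID:                814
Registrant Country Code:                     US
Registrant Phone Number:                     +1.5267675
Name Server:   NS-UK.TOPDNS.COM
Name Server:   NS1.MYDNSSCAN.US
Name Server:   NS1.DIRECTEDAT.ASIA
Name Server:   NS2.DIRECTEDAT.ASIA
"""

DD0S_ASIA = """\
Domain Name:DD0S.ASIA
Domain ID:D2709804-ASIA
Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
Registrant Name:Domain Administrator
Registrant Organization:Fundacion Private Whois
Registrant Country/Economy:PA
Registrant Phone:+507.65995877
"""


def parse_whois(text):
    """'Key:Value' and 'Key:   Value' lines -> {lower-case key: [values]}; repeated keys accumulate."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1).lower()].append(m.group(2))
    return dict(fields)


def domain(rec):
    return rec["domain name"][0].lower()


def registrar_iana_id(rec):
    """Explicit IANA ID field if present, else the '(814)'-style suffix the .asia registry prints."""
    if "sponsoring registrar iana id" in rec:
        return rec["sponsoring registrar iana id"][0]
    for key, values in rec.items():
        if "registrar" in key:
            for value in values:
                m = re.search(r"\((\d+)\)", value)
                if m:
                    return m.group(1)
    return None


def phone(rec):
    """Registrant phone with punctuation stripped so '+507.65995877' compares across registries."""
    for key in ("registrant phone", "registrant phone number"):
        if key in rec:
            return re.sub(r"[^\d+]", "", rec[key][0])
    return None


def name_servers(rec):
    return {v.lower().rstrip(".") for v in rec.get("name server", [])}


def pivots(records):
    """(domain_a, domain_b, reason) for every attribute two records share."""
    found = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            da, db = domain(a), domain(b)
            ia, ib = registrar_iana_id(a), registrar_iana_id(b)
            if ia and ia == ib:
                found.append((da, db, f"same registrar (IANA ID {ia})"))
            pa, pb = phone(a), phone(b)
            if pa and pa == pb:
                found.append((da, db, f"same registrant phone {pa}"))
            shared = name_servers(a) & name_servers(b)
            if shared:
                found.append((da, db, "shared name servers " + ", ".join(sorted(shared))))
            # one domain delegated to name servers that live under the other domain
            for ns in name_servers(a):
                if ns.endswith("." + db):
                    found.append((da, db, f"{da} delegates to {ns} under {db}"))
            for ns in name_servers(b):
                if ns.endswith("." + da):
                    found.append((da, db, f"{db} delegates to {ns} under {da}"))
    return found


RECORDS = [parse_whois(t) for t in (DIRECTEDAT_ASIA, MYDNSSCAN_US, DD0S_ASIA)]


def find_pivots():
    return pivots(RECORDS)


if __name__ == "__main__":
    for a, b, reason in find_pivots():
        print(f"{a} <-> {b}: {reason}")
```

A shared registrar on its own is weak evidence (as a commenter below points out, the same registrar attracts a lot of abuse), which is why the script reports each pivot separately: the registrant phone match and the cross-domain delegation are the links that actually carry weight.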


Since June 7th I've seen queries from a few different IPs, but all in very low volumes, the same as before: only about one query an hour.

At the moment it is using the following two name servers:

    14400 IN NS
    14400 IN NS

UPDATE: 23/06/2013

Just seen requests for DD0S.ASIA. This domain is registered at the same registrar and returns the same IP range in its A response. The name server IPs also show similarities.

<snip> 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A 3600 IN A

Whois info:

    Domain ID:D2709804-ASIA
    Domain Name:DD0S.ASIA
    Domain Create Date:23-Jun-2013 01:38:11 UTC
    Domain Expiration Date:23-Jun-2014 01:38:11 UTC
    Domain Last Updated Date:23-Jun-2013 01:51:33 UTC
    Last Transferred Date:
    Created by Registrar:Internet.bs Corp. R176-ASIA (814)
    Last Updated by Registrar:Internet.bs Corp. R176-ASIA (814)
    Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
    Registrant ID:INTEfa270xohhrs2
    Registrant Name:Domain Administrator
    Registrant Organization:Fundacion Private Whois
    Registrant Address:
    Registrant Address2:Aptds. 0850-00056
    Registrant Address3:
    Registrant City:Panama
    Registrant State/Province:
    Registrant Country/Economy:PA
    Registrant Postal Code:Zona 15
    Registrant Phone:+507.65995877

Name servers:

The domains DirectedAt.Asia and Dd0s.Asia are using the same name server IPs:

    3600 IN A
    3600 IN A
    53633 IN A
    53633 IN A

UPDATE 26/06/2013

Just seen activity for another domain. Its response contains 244 IPs in the range, and it uses the same name servers as the domains mentioned above.

    Date Registered: 2013-6-26
    Expiry Date: 2014-6-26
    Registrant: Fundacion Private Whois
    Domain Administrator    Email:
    Aptds. 0850-00056
    Zona 15 Panama, Panama    Tel: +507.65995877

    Registrar: Internet.bs Corp.

Name servers: 78501 IN A 78501 IN A

Update 28/06/2013

One new day, two new domains. This time it is ScanDns.Tk and a second domain, and I have enough reason to believe this is the same person as behind DirectedAt.Asia.

Whois details ScanDns.Tk:

    Domain name:      SCANDNS.TK
    Organisation:     BV Dot TK
                      Dot TK administrator
                      P.O. Box 11774
                      1001 GT Amsterdam
                      Netherlands
    Phone:            +31 20 5315725
    Fax:              +31 20 5315721
    E-mail:           abuse:
                      copyright infringement:


1350 A records in the ranges 1. - 223.

Name servers:

    2181 IN NS
    2181 IN NS
    2181 IN NS
    2181 IN NS


Whois details
Status: connect
Changed: 2013-06-27T22:37:52+02:00

Type: ROLE
Name: Hostmaster Of The Day
Organisation: InterNetworX Ltd. & Co. KG
Address: Tempelhofer Damm 140
PostalCode: 12099
City: Berlin
CountryCode: DE
Phone: +49.180.3730000
Phone: +49.30.66400137
Fax: +49.30.66400138
Remarks: role account for Hostmaster of the Day
Changed: 2009-01-07T16:28:43+01:00

501 A records in the 178.100 range.

Name servers: 20837 IN NS 20837 IN NS 20837 IN NS 20837 IN NS 20837 IN NS

Update 07/07/2013

New domain and new sub-domain. The sub-domain returns 511 A records across two address ranges.

--------------

The domain itself also returns 511 A records across two address ranges.

I've seen the domain queried only once. That same source IP also requested Nukes.DirectedAt.Asia once, on the 25th of June.

Name servers: 86400 IN NS 86400 IN NS 86400 IN A 86400 IN A

SOA: 77002 IN SOA (
    2053191001 ; serial
    86400      ; refresh (1 day)
    7200       ; retry (2 hours)
    3600000    ; expire (5 weeks 6 days 16 hours)
    86400      ; minimum (1 day)
    )



    Technical Contact
        Fundacion Private Whois
        Domain Administrator
        Aptds. 0850-00056
        Zona 15 Panama
        Tel: +507.65995877

    Registrar: Internet.bs Corp.
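Why a name with 244, 511 or 1350 A records is worth registering becomes obvious once you look at wire sizes: every A record in the answer section costs 16 bytes (a 2-byte compression pointer back to the question name, TYPE, CLASS, TTL, RDLENGTH and the 4-byte address), while the query that triggers it is a few dozen bytes. The script below is an added example, not code from the original post: it builds a minimal A query with and without an EDNS0 OPT record, builds the authoritative answer such a domain would return, and reports the byte ratio. The addresses are constructed from 10.0.0.0/8 because the post does not preserve the real ranges; only the record counts come from the post, and the truncation behaviour (TC set, answer section dropped when the message would exceed the client's buffer) is the common authoritative-server behaviour, not something the post measured.

```python
"""Wire-format DNS query/response sizes for an amplification name.

Added example, not code from the original post. Address list is constructed;
record counts (244, 511, 1350) are the ones reported in the post.
"""
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """'dd0s.asia' -> b'\\x04dd0s\\x04asia\\x00'."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, edns_udp_size=None, txid=0x1234):
    """Standard query, RD set, QTYPE A; optionally an OPT RR advertising a UDP buffer size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # TYPE A, CLASS IN
    msg = header + question
    if edns_udp_size:
        # OPT: root name, TYPE 41, CLASS field carries the UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse_query(query):
    """Return (txid, question section bytes, advertised EDNS buffer size or None)."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    while query[pos] != 0:             # walk the QNAME labels
        pos += 1 + query[pos]
    pos += 5                           # terminator + QTYPE + QCLASS
    question = query[12:pos]
    edns = None
    if ar and pos + 5 <= len(query) and query[pos] == 0:
        rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == OPT_TYPE:
            edns = max(512, rclass)    # RFC 6891: sizes below 512 are treated as 512
    return txid, question, edns


def build_response(query, addresses, ttl=3600):
    """Authoritative answer with one 16-byte A RR per address.

    If the whole message would exceed the client's limit (512 bytes, or the
    EDNS buffer it advertised) the TC bit is set and the answer section is
    dropped, so the client has to retry over TCP and gets no amplification.
    """
    txid, question, edns = parse_query(query)
    limit = edns if edns is not None else 512
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0) if edns is not None else b""
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
        for ip in addresses)
    flags = 0x8400                                   # QR=1, AA=1
    if 12 + len(question) + len(answers) + len(opt) > limit:
        flags |= 0x0200                              # TC=1, answer section removed
        answers = b""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers) // 16, 0, 1 if opt else 0)
    return header + question + answers + opt


def amplification(qname, n_addresses, edns_udp_size=None):
    """(query bytes, response bytes, response/query ratio, truncated?) for n A records."""
    addrs = [f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}" for i in range(n_addresses)]
    q = build_query(qname, edns_udp_size)
    r = build_response(q, addrs)
    truncated = bool(r[2] & 0x02)                    # TC bit lives in the high flags byte
    return len(q), len(r), len(r) / len(q), truncated


if __name__ == "__main__":
    for n in (244, 511, 1350):
        for size in (None, 4096, 65535):
            print(n, size, amplification("dd0s.asia", n, size))
```

With the 244-record case from the 26/06 update, a plain 27-byte query gets a 27-byte truncated reply (ratio 1.0), but the same query with a 4096-byte EDNS buffer gets a 3942-byte answer, roughly 104 times the query size. That is the whole reason these names are stuffed with A records, and why the attacker's queries will all carry EDNS0, which is a useful thing to key detection on.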



  1. The fact that all of these domains are registered with is more due to its status as a safe harbor to domains used by spammers, malware peddlers, phishers, and other scum. They are almost completely unresponsive to abuse reports and every lowlife knows this, which is why you see all of these domains registered there. It's not necessarily indicative of the same person or group being behind these domains.

    1. This is true, but I also base it on the fact that a couple of these domains use(d) the same Name Server IPs and the initial first request often came from the same IP ranges or even the same hosts. Got any more information to share on the registrar?

  2. My backdoor connection to my place of work is getting DoS'ed pretty much with UDP DNS queries for A Record and A Record. My backdoor connection isn't too great but this traffic is managing to cause many more connection problems. Really annoying :( I am sometimes getting hit by 3 different addresses out there at the same time.

    1. 'sometimes getting hit by 3 different address out there at the same time'

      Do you mean IPs or Domains?

      If it is IPs then perhaps you are actually running a DNS server on that line.

    2. I mean IPs.

      This connection ran a DNS server until the other day, I closed it down and I'm now dropping inbound packets on port 53. Firewall is still getting hit hard, but is no longer replying.

      By 3 different addresses I mean that I have 3 unique IPs sending hundreds of thousands of DNS queries for or at one point in time.

  3. I am being hit by a very big and distributed UDP, and all I see in the .cap is
    .cap file:

    1. Hi calu, thanks for the pcap.
      I will look further into this, but you have been hit by at least two types of attacks. I think the majority is a Chargen attack, plus some traffic related to DNS amplification.
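The situation the second commenter describes, a handful of source addresses sending hundreds of thousands of queries for one of these names, and the post's own observation that the attacker's test lookups arrive at about one an hour, are the two ends of the same distribution, so a query-log check should report both and let a threshold separate them. The script below is an added example, not code from the original post or its commenters. The log lines are constructed in the BIND query-log format (timestamp, client address and port, query name, class, type and flags), the addresses are documentation ranges, and the watch-list is just the domains named in the post; the function names are this example's own.

```python
"""Flag sources hammering a DNS server with queries for known amplification names.

Added example, not from the original post or its comments. SAMPLE_LOG is
constructed (BIND query-log layout, documentation addresses); WATCHLIST is
the set of domains named in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

WATCHLIST = ("directedat.asia", "mydnsscan.us", "dd0s.asia", "scandns.tk")

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

SAMPLE_LOG = """\
25-Jun-2013 10:00:01.004 client 203.0.113.7#53211: query: dd0s.asia IN A +E (198.51.100.2)
25-Jun-2013 10:00:01.006 client 203.0.113.7#53211: query: dd0s.asia IN A +E (198.51.100.2)
25-Jun-2013 10:00:01.009 client 203.0.113.7#53211: query: Nukes.DirectedAt.Asia IN A +E (198.51.100.2)
25-Jun-2013 10:00:01.011 client 203.0.113.7#53211: query: dd0s.asia IN A +E (198.51.100.2)
25-Jun-2013 10:00:01.014 client 203.0.113.7#53211: query: dd0s.asia IN A +E (198.51.100.2)
25-Jun-2013 10:00:07.120 client 198.51.100.9#41002: query: directedat.asia IN A + (198.51.100.2)
25-Jun-2013 10:00:09.500 client 192.0.2.44#60001: query: example.com IN A + (198.51.100.2)
this line is not a query log entry
"""


def in_watchlist(qname, watchlist=WATCHLIST):
    """True for a listed domain or anything below it (Nukes.DirectedAt.Asia), not look-alikes."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watchlist)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["edns"] = "E" in rec["flags"]      # BIND marks EDNS queries with 'E' in the flags field
    return rec


def summarize(lines, watchlist=WATCHLIST):
    """Per-source counts, EDNS usage, names and time span for queries that hit the watch-list."""
    stats = defaultdict(lambda: {"count": 0, "edns": 0, "names": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not in_watchlist(rec["qname"], watchlist):
            continue
        s = stats[rec["src"]]
        s["count"] += 1
        s["edns"] += rec["edns"]
        s["names"].add(rec["qname"].lower())
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(stats)


def rate(s):
    """Queries per second over the source's observed span (count itself if all in one instant)."""
    span = (s["last"] - s["first"]).total_seconds()
    return s["count"] / span if span > 0 else float(s["count"])


def flag(stats, threshold):
    """Sources at or above the threshold. In a reflection attack the 'source' is the spoofed
    victim, so this is a list of who is being hit, not who is attacking; the sources that
    stay below it are the low-rate lookups worth keeping for attribution."""
    return {src: s for src, s in stats.items() if s["count"] >= threshold}


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for src, s in stats.items():
        print(f"{src}: {s['count']} queries, {s['edns']} with EDNS, "
              f"{rate(s):.1f} q/s, names={sorted(s['names'])}")
    print("flagged:", sorted(flag(stats, 3)))
```

On real logs the threshold is in the thousands, not 3; the point of keeping the below-threshold sources is the post's own trick of watching where the first, rare lookups of a new name come from. Since the commenter is already dropping inbound port 53 at the firewall, the same per-source counts taken from firewall logs tell him which victims the traffic is aimed at.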