Wednesday, June 26, 2013

Ecatel a big source of *.DirectedAt.Asia

Often I see very little traffic on my DNS server. The advantage of this is that it is a lot easier to spot 'discovery queries': queries sent by booters or stressers that are scanning for open DNS resolvers to abuse.

A project by a security researcher that does this kind of scanning for good is the Openresolverproject.org.

An example of such a booter operator is the person running the various .asia and .us attack domains, such as:
-  MyDnsScan.Us
-  Nukes / dongs.DirectedAt.Asia
-  Dd0s.Asia

The person responsible for these domains has been exposed in the following blog post: Dns Amplification Attacks, Booter services and who's behind them

Around the same time that post was published I was digging through my logs to find out when I first started seeing these .Asia domains and whether I could find a discovery query.

And I did!

The first .asia activity I observed on one of my nodes was on April 25th 2013.

25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)

Looking at this IP a bit more I noticed one previous request:

25-Apr-2013 12:xx client 89.248.160.192#44330 (.): query: . IN ANY +E (w.x.y.z)

This IP belongs to the Dutch hosting provider Ecatel, and it is not the only IP of theirs either. Listing all the unique IPs that performed .asia requests together with their AS numbers shows a clear pattern.

Count  IP               AS        ISP
   36  50.7.190.60      AS5580    Atrato IP Networks
    5  84.246.124.136   AS34568   ConnectingBytes GmbH
    9  192.151.149.90   AS33387   DataShack, LC
    8  192.187.102.74   AS33387   DataShack, LC
    3  160.83.8.79      AS8373    Deutsche Bank AG
   23  89.248.168.94    AS29073   Ecatel Network
   15  89.248.160.192   AS29073   Ecatel Network
   11  89.248.172.173   AS29073   Ecatel Network
    7  94.102.63.20     AS29073   Ecatel Network
    6  93.174.93.72     AS29073   Ecatel Network
    5  89.248.171.125   AS29073   Ecatel Network
    4  94.102.52.95     AS29073   Ecatel Network
    4  94.102.63.22     AS29073   Ecatel Network
    3  89.248.168.178   AS29073   Ecatel Network
    2  80.82.64.25      AS29073   Ecatel Network
    2  93.174.93.219    AS29073   Ecatel Network
    1  80.82.64.235     AS29073   Ecatel Network
    1  80.82.65.153     AS29073   Ecatel Network
    1  80.82.66.27      AS29073   Ecatel Network
    1  89.248.168.170   AS29073   Ecatel Network
    1  89.248.168.219   AS29073   Ecatel Network
    1  93.174.93.45     AS29073   Ecatel Network
    1  93.174.93.98     AS29073   Ecatel Network
    1  94.102.49.2      AS29073   Ecatel Network
    1  94.102.56.219    AS29073   Ecatel Network
   56  178.18.19.140    AS18779   EGIHosting
   36  178.18.26.213    AS18779   EGIHosting
    7  178.18.17.16     AS18779   EGIHosting
    1  178.18.26.76     AS18779   EGIHosting
    1  79.110.83.80     AS47195   Gameforge Productions GmbH
   81  134.19.181.30    AS57172   Global Layer B.V.
   44  188.95.48.25     AS57172   Global Layer B.V.
   28  134.19.181.28    AS57172   Global Layer B.V.
   51  213.239.204.50   AS24940   Hetzner Online AG
    1  188.132.242.149  AS42910   Hosting Internet Hizmetleri Sanayi ve
    2  188.138.109.53   AS8972    intergenia AG
   14  192.162.137.62   AS16265   LeaseWeb B.V.
    3  199.71.233.202   AS47869   Netrouting Data Facilities
    1  109.235.51.224   AS47869   Netrouting Data Facilities
   12  37.220.19.98     AS35662   Redstation Limited
    4  88.150.195.29    AS35662   Redstation Limited
    1  37.220.17.66     AS35662   Redstation Limited
    1  46.249.58.116    AS50673   Serverius Holding B.V.
    2  173.242.114.26   AS46664   VolumeDrive
    1  199.19.110.200   AS46664   VolumeDrive
    1  74.118.193.43    AS46664   VolumeDrive
   50  109.236.83.163   AS49981   WorldStream
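The per-IP tally above is the kind of thing worth automating on any resolver log. As an added example (not code from the original post), this Python script parses BIND query-log lines in the exact format quoted earlier, picks out the ANY queries with EDNS set that the post treats as discovery probes, and counts them per client; the sample log lines, timestamps and the 192.0.2.10 / 198.51.100.7 addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# BIND 9 query-log line as it appears in the post:
# <date> <time> client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server ip>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)$"
)

# Constructed sample log modelled on the lines quoted in the post; not a real capture.
SAMPLE_LOG = """\
25-Apr-2013 12:04:09.120 client 89.248.160.192#44330 (.): query: . IN ANY +E (w.x.y.z)
25-Apr-2013 18:31:55.001 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:31:55.002 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:40:12.500 client 192.0.2.10#53211 (example.net): query: www.example.net IN A + (w.x.y.z)
25-Apr-2013 18:45:00.900 client 198.51.100.7#40001 (dd0s.asia): query: dd0s.asia IN ANY +E (w.x.y.z)
"""


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query record."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def is_discovery_query(rec):
    """The probe pattern from the post: an ANY query with EDNS ('E' in the flags),
    i.e. a request shaped for a maximal answer rather than a normal lookup."""
    return rec["qtype"] == "ANY" and "E" in rec["flags"]


def summarise(log_text):
    """Count discovery queries per client IP and record which names each client asked for."""
    per_ip = Counter()
    names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_discovery_query(rec):
            per_ip[rec["ip"]] += 1
            names[rec["ip"]].add(rec["qname"])
    return per_ip, names


if __name__ == "__main__":
    counts, qnames = summarise(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:>4}  {ip:<16} {', '.join(sorted(qnames[ip]))}")
```

Feeding the resulting IPs through a whois or ASN lookup gives the AS column of the table above; the ordinary A query in the sample is ignored by design.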

Ecatel is a known 'bad' hoster, as described by hostexploit.com:

Top 10 Bad Hosts 2013 Q1

HE Rank  HE Index  AS Number  Name                           Country
1        152.38    AS29073    Ecatel Network                 NL NETHERLANDS
2        149.22    AS58001    Ideal Solution Ltd             RU RUSSIAN FEDERATION
3        146.69    AS6697     Beltelecom                     BY BELARUS
4        141.69    AS29182    ISPsystem                      RU RUSSIAN FEDERATION
5        136.65    AS16276    OVH Systems                    FR FRANCE
6        134.49    AS24940    Hetzner Online AG              DE GERMANY
7        133.96    AS40034    Confluence Networks Inc        VG VIRGIN ISLANDS, BRITISH
8        133.83    AS197774   Smovskaya Valentina Ivanovna   UA UKRAINE
9        132.18    AS11042    Landis Holdings Inc            US UNITED STATES
10       131.11    AS47764    Mail.Ru LLC                    RU RUSSIAN FEDERATION
Source: http://www.hostexploit.com/


1 comment:

  1. 89.248.172.95 NL-ECATEL
    89.248.169.9
    89.248.167.19
    I received notices from Malwarebytes software that they were added as Web Exclusions
    What should I do?
    Thanks,
    Mike