iptables:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFFFDFDF=0x05344657 && 0x2c&0xDFDFFFDF=0x484b0343 && 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q 4fwhk.com"
More rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
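To show what the u32 expression above actually tests, here is an added Python example (not part of the original post or of the linked rule set) that generates the same style of case-insensitive QNAME match for any domain and evaluates it against a constructed DNS query packet. The header sizes, the packet builder and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example. It generalizes the single rule on the page: the generator leaves bytes past the name's zero terminator as don't-care (mask 0x00), whereas the rule in the post pins the first QTYPE byte to 0x00 with a 0xFF mask, so the first two 32-bit words are identical and the third differs only in that mask byte.

```python
"""Build and evaluate iptables u32 matches on a DNS QNAME (added example, not from the post)."""
import struct

IP_HDR = 20    # assumption: no IP options; u32 offsets count from the start of the IP header
UDP_HDR = 8
DNS_HDR = 12
QNAME_OFFSET = IP_HDR + UDP_HDR + DNS_HDR   # 0x28: first byte of the question section


def encode_qname(domain):
    """DNS wire form of a name: length-prefixed labels ending in a zero byte."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def u32_match_for_qname(domain):
    """Return a --u32 expression matching a query for `domain` regardless of letter case.

    Letters get mask 0xDF (clears bit 0x20, so 'a'..'z' fold onto 'A'..'Z'); length bytes,
    digits, hyphens and the terminator get 0xFF; bytes after the name are don't-care.
    """
    masks, values = bytearray(), bytearray()
    for label in domain.strip(".").split("."):
        masks.append(0xFF)
        values.append(len(label))
        for ch in label.encode("ascii"):
            if chr(ch).isalpha():
                masks.append(0xDF)
                values.append(ch & 0xDF)
            else:
                masks.append(0xFF)
                values.append(ch)
    masks.append(0xFF)          # the terminating zero length byte
    values.append(0x00)
    while len(masks) % 4:       # u32 compares whole 32-bit words
        masks.append(0x00)
        values.append(0x00)
    parts = []
    for i in range(0, len(masks), 4):
        m = int.from_bytes(masks[i:i + 4], "big")
        v = int.from_bytes(values[i:i + 4], "big")
        parts.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + i, m, v))
    return " && ".join(parts)


def u32_matches(packet, expr):
    """Evaluate a plain `off&mask=val && ...` u32 expression against raw IPv4 packet bytes."""
    for test in expr.split("&&"):
        lhs, val = test.strip().split("=")
        off, mask = lhs.split("&")
        off, mask, val = int(off, 16), int(mask, 16), int(val, 16)
        if off + 4 > len(packet):
            return False        # u32 fails when the 4-byte read would run past the packet
        word = int.from_bytes(packet[off:off + 4], "big")
        if word & mask != val:
            return False
    return True


def build_dns_query(qname, qtype=1):
    """Constructed sample packet: minimal IPv4 + UDP headers and one DNS question."""
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question    # id, RD, QDCOUNT=1
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR + len(dns), 0) + dns     # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))   # RFC 5737 addresses
    return ip + udp


# The rule quoted in the post, for comparison with the generated one.
PAGE_RULE = ("0x28&0xFFFFDFDF=0x05344657 && 0x2c&0xDFDFFFDF=0x484b0343 "
             "&& 0x30&0xDFDFFFFF=0x4f4d0000")

if __name__ == "__main__":
    print(u32_match_for_qname("4fwhk.com"))
    print(u32_matches(build_dns_query("4FWHK.COM", qtype=255), PAGE_RULE))  # ANY query, upper case
```

The offsets are fixed because the expression assumes a 20-byte IP header; a packet carrying IP options shifts the question section and the rule silently stops matching. The u32 extension can read the IHL field and use it as a base (the `0>>22&0x3C@` form) if that matters on a given network, and since u32 only compares packet bytes, a match on this name is a cheap first filter, not an authoritative verdict on what the query is for.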
Source:
Unknown
Name server:
4fwhk.com. 7200 IN NS ns3.mmtac1.com.
4fwhk.com. 7200 IN NS ns2.mmtac1.com.
4fwhk.com. 7200 IN NS ns1.mmtac1.com.
4fwhk.com. 7200 IN NS ns4.mmtac1.com.
Name servers 1-4 point to:
222.163.192.106
222.163.192.104
The name server domain looked familiar:
http://dnsamplificationattacks.blogspot.com/2013/09/domain-aammtac1com.html
Response:
257 records in the 121.122.157.x range
Whois
Domain: 4fwhk.com
Status: Protected
DNS:
ns1.mmtac1.com
ns2.mmtac1.com
Created: 2013-09-14 16:33:56
Expires: 2014-09-14 08:33:56
Last Modified: 2013-09-14 16:33:54
Registrant Contact:
Hong Yuan
yuan hong (asdf@gmail.com)
No.236, Jingai Road
Huaihu, Hunan, cn 418000
P: +745.2714381 F: +0.0
Administrative Contact:
Hong Yuan
yuan hong (asdf@gmail.com)
No.236, Jingai Road
Huaihu, Hunan, cn 418000
P: +745.2714381 F: +0.0
Technical Contact:
Hong Yuan
yuan hong (asdf@gmail.com)
No.236, Jingai Road
Huaihu, Hunan, cn 418000
P: +745.2714381 F: +0.0
Billing Contact:
Hong Yuan
yuan hong (asdf@gmail.com)
No.236, Jingai Road
Huaihu, Hunan, cn 418000
P: +745.2714381 F: +0.0
Starting early this morning we are seeing massive lookups for this domain coming from the following IPs...
115.239.225.227 Response sent: 4fwhk.com. type NOT FOUND
59.63.181.109 Response sent: 4fwhk.com. type NOT FOUND
121.14.142.91 Response sent: 4fwhk.com. type NOT FOUND
121.14.142.92 Response sent: 4fwhk.com. type NOT FOUND
115.238.236.75 Response sent: 4fwhk.com. type NOT FOUND
115.238.186.50 Response sent: 4fwhk.com. type NOT FOUND
Seen attacks overnight using open resolvers