Source:
Observed the first requests for this domain on September 18th from:
80.82.65.204 - Ecatel
Response:
About 242 A records in the 204.46.43.x range, i.e. a large answer to a small query.
iptables rule (drops UDP/53 queries whose question name is bitstress.com; the u32 match compares the QNAME bytes case-insensitively, and the 0x28 offset assumes a 20-byte IPv4 header with no options, so the name starts right after the 8-byte UDP and 12-byte DNS headers):
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09424954 && 0x2c&0xDFDFDFDF=0x53545245 && 0x30&0xDFDFDFDF=0x53530343 && 0x34&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q bitstress.com"
More rules here
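Added example, not part of the original post or its linked rule set: a small Python script that shows how the u32 expression above is derived (each 32-bit word is the next four bytes of the wire-format question name; letters get mask 0xDF so that the 0x20 case bit is ignored, everything else gets 0xFF), generalises it to any domain, and checks both the original expression and the generated one against a constructed IPv4/UDP/DNS query packet. The packet builder, its dummy addresses, and the u32 evaluator are assumptions of this example; the evaluator handles only the `offset&mask=value && ...` subset of u32 syntax that the rule uses.

```python
"""Derive, generalise and verify the iptables u32 QNAME match.

Constructed example: offsets assume a 20-byte IPv4 header (no options),
an 8-byte UDP header and a 12-byte DNS header, so the question name
starts at byte 40 (0x28) of the IP packet, as in the original rule.
"""
import struct

QNAME_OFFSET = 20 + 8 + 12  # IPv4 + UDP + DNS header = 0x28

# The rule from the post, verbatim, for comparison.
ORIGINAL_RULE = ("0x28&0xFFDFDFDF=0x09424954 && 0x2c&0xDFDFDFDF=0x53545245 && "
                 "0x30&0xDFDFDFDF=0x53530343 && 0x34&0xDFDFFFFF=0x4f4d0000")


def encode_qname(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus a 0x00 root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def u32_qname_match(name: str) -> str:
    """Return a u32 expression matching a DNS query for `name`, any letter case.

    Letters: mask 0xDF (clears the ASCII case bit) and compare to the upper-case
    byte, as the original rule does.  Length bytes, digits, hyphens and the
    terminator: mask 0xFF.  Bytes beyond the name in the last word: mask 0x00,
    so nothing but the name itself is constrained.
    """
    masks, vals = bytearray(), bytearray()
    for b in encode_qname(name):
        if 0x41 <= (b & 0xDF) <= 0x5A:      # ASCII letter of either case
            masks.append(0xDF)
            vals.append(b & 0xDF)
        else:
            masks.append(0xFF)
            vals.append(b)
    while len(masks) % 4:                   # pad to a whole 32-bit word
        masks.append(0x00)
        vals.append(0x00)
    tests = []
    for i in range(0, len(masks), 4):
        m = int.from_bytes(masks[i:i + 4], "big")
        v = int.from_bytes(vals[i:i + 4], "big")
        tests.append(f"0x{QNAME_OFFSET + i:x}&0x{m:08X}=0x{v:08x}")
    return " && ".join(tests)


def u32_matches(packet: bytes, expr: str) -> bool:
    """Evaluate `off&mask=val && ...` against a raw IPv4 packet (u32 subset only).

    Like the kernel match, a 4-byte load that runs past the packet end fails.
    """
    for test in expr.split("&&"):
        loc, rest = test.strip().split("&", 1)
        mask, val = rest.split("=")
        off = int(loc, 16)
        if off + 4 > len(packet):
            return False
        word = int.from_bytes(packet[off:off + 4], "big")
        if word & int(mask, 16) != int(val, 16):
            return False
    return True


def dns_query_packet(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Constructed IPv4/UDP/DNS query; addresses are TEST-NET, checksums left 0."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set, 1 question
    dns += encode_qname(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + udp


if __name__ == "__main__":
    rule = u32_qname_match("bitstress.com")
    print("generated:", rule)
    for qname in ("bitstress.com", "BitStress.COM", "bitstress.com.evil", "example.com"):
        pkt = dns_query_packet(qname)
        print(f"{qname:20} original={u32_matches(pkt, ORIGINAL_RULE)} "
              f"generated={u32_matches(pkt, rule)}")
```

Two differences between the generated expression and the original are worth knowing. The original uses mask 0xDF on the 0x03 length byte of "com" as well (harmless, since 0x03 has no 0x20 bit, but 0xFF is the precise mask), and its last word pins the high byte of QTYPE to 0x00 (mask 0xDFDFFFFF rather than 0xDFDFFF00), which every query type below 256, ANY included, satisfies. Both expressions silently fail to match if the IP header carries options, because the u32 offsets are absolute; a packet that short for the load is simply not matched, not dropped.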
Name servers:
bitstress.com. 73670 IN NS ns2.bitstress.com.
bitstress.com. 73670 IN NS ns1.bitstress.com.
;; ADDITIONAL SECTION:
ns1.bitstress.com. 73670 IN A 94.102.56.151
ns2.bitstress.com. 73670 IN A 69.42.219.74
Whois:
Domain: bitstress.com
Date Registered: 2013-9-16
Expiry Date: 2014-9-16
DNS1: ns1.bitstress.com
DNS2: ns2.bitstress.com
Registrant
Fundacion Private Whois
Domain Administrator
Email:523780aed7qk26dt@5225b4d0pi3627q9.privatewhois.net
Attn: bitstress.com
Aptds. 0850-00056
Zona 15 Panama
Panama
Tel: +507.65995877
Administrative Contact
Fundacion Private Whois
Domain Administrator
Email:523780ae2ke1mbef@5225b4d0pi3627q9.privatewhois.net
Attn: bitstress.com
Aptds. 0850-00056
Zona 15 Panama
Panama
Tel: +507.65995877
Technical Contact
Fundacion Private Whois
Domain Administrator
Email:523780aen5ps83ng@5225b4d0pi3627q9.privatewhois.net
Attn: bitstress.com
Aptds. 0850-00056
Zona 15 Panama
Panama
Tel: +507.65995877
Registrar: Internet.bs Corp.
Registrar's Website: http://www.internetbs.net/
A list of hax0red machines doing a bitstress.com DNS attack in the last 12 hours:
http://pastebin.com/RM1r7yQJ

You are on the receiving end of this? In that case these are simply mis-configured DNS servers.

Does it still happen?

Excerpt from my DNS server:
01-Oct-2013 11:18:47.200 queries: info: client 216.231.140.226#60902: query: bitstress.com IN ANY +E
01-Oct-2013 11:18:47.203 queries: info: client 216.231.140.226#1035: query: bitstress.com IN ANY +E
01-Oct-2013 11:18:47.205 queries: info: client 216.231.140.226#1036: query: bitstress.com IN ANY +E
01-Oct-2013 11:18:47.205 queries: info: client 216.231.140.226#1037: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.246 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.248 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.249 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.249 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.250 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.250 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.034 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.035 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.086 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.087 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 15:19:41.821 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
01-Oct-2013 15:19:41.821 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
01-Oct-2013 15:19:41.822 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
What do you mean?

What I mean is, are they still attacking bitstress.com?

Since I still get a lot of queries to bitstress.com from multiple IPs right now.

Nice article.