Saturday, September 21, 2013

Domain: bitstress.com

Received a tip about this domain before I had the time to discover it in my log files. Thanks! :)

Source:

Observed the first requests for this domain on September 18th from:

80.82.65.204 - Ecatel


Response:

About 242 A records in the 204.46.43.x range. At 16 bytes per name-compressed A record that is close to 4 KB of answer for an ANY query of about 40 bytes, which is the amplification payload; the "+E" in the query logs below shows the queries carry EDNS, without which the answer would be truncated at 512 bytes.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09424954 && 0x2c&0xDFDFDFDF=0x53545245 && 0x30&0xDFDFDFDF=0x53530343 && 0x34&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q bitstress.com"

The u32 match reads four 32-bit words starting at byte 0x28 of the packet, which is where the first question name begins when the IPv4 header carries no options (20 bytes IP + 8 bytes UDP + 12 bytes DNS header). Masked with 0xDF so that either letter case matches, the words spell "\x09bitstress\x03com\x00"; the last masked byte additionally requires the high byte of QTYPE to be 0x00, which holds for ANY (255) and the other common types. The rule needs the xt_u32 match module and will not match queries carried in packets with IP options.

More rules here
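The rule above is a hand-encoded u32 expression. The following Python is an added example, not code from the post: it generates the same kind of expression for an arbitrary name and evaluates u32 tests against a constructed IPv4/UDP/DNS packet, so a rule can be checked offline before it goes into a chain. It assumes the layout the rule assumes (20-byte IPv4 header without options, first question name at offset 0x28) and supports only the `off&mask=val` tests joined by `&&` that the rule uses, not the full xt_u32 syntax. The generated masks differ from the post's in two bytes (explained in the code), so both expressions are evaluated side by side.

```python
#!/usr/bin/env python3
"""Added example: generate and evaluate iptables u32 tests that match a DNS
question name at fixed offsets, the technique used by the bitstress.com rule."""
import re
import struct

# u32 offsets count from the start of the IPv4 header. A 20-byte header
# (no options) + 8-byte UDP header + 12-byte DNS header puts the first
# question name at byte 40 (0x28), which is where the rule above looks.
QNAME_OFFSET = 20 + 8 + 12

# The rule from the post, kept verbatim so it can be evaluated next to the
# generated one.
PAGE_RULE = ("0x28&0xFFDFDFDF=0x09424954 && 0x2c&0xDFDFDFDF=0x53545245 && "
             "0x30&0xDFDFDFDF=0x53530343 && 0x34&0xDFDFFFFF=0x4f4d0000")

_TEST = re.compile(r"^0x([0-9a-fA-F]+)&0x([0-9a-fA-F]+)=0x([0-9a-fA-F]+)$")


def wire_name(domain):
    """Encode a domain in DNS wire format: b'\\x09bitstress\\x03com\\x00'."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def u32_for_qname(domain):
    """Build the '&&'-joined u32 tests matching `domain` as the first question.

    Letters get mask 0xDF so either case matches (a lower-case ASCII letter
    AND 0xDF is its upper-case form); label lengths, digits, hyphens and the
    terminating zero are matched exactly; bytes past the name in the final
    32-bit word are masked to 0. The post's rule differs in two bytes: it
    masks the inner label length with 0xDF too, and pins the byte after the
    name (the high byte of QTYPE) to 0x00."""
    name = bytearray(wire_name(domain))
    mask = bytearray(0xDF if chr(b).isalpha() else 0xFF for b in name)
    pad = (-len(name)) % 4
    name += b"\x00" * pad
    mask += b"\x00" * pad
    tests = []
    for i in range(0, len(name), 4):
        m = int.from_bytes(mask[i:i + 4], "big")
        v = int.from_bytes(name[i:i + 4], "big") & m
        tests.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + i, m, v))
    return " && ".join(tests)


def u32_matches(expr, packet):
    """Evaluate the u32 subset used here (off&mask=val tests joined by &&)
    against a raw IPv4 packet the way xt_u32 does: load four bytes big-endian
    at the offset, AND with the mask, compare with the value. A test that
    would read past the end of the packet fails, so short packets never match."""
    for test in expr.split("&&"):
        m = _TEST.match(test.strip())
        if not m:
            raise ValueError("unsupported u32 test: %r" % test)
        off, mask, value = (int(x, 16) for x in m.groups())
        if off + 4 > len(packet):
            return False
        if int.from_bytes(packet[off:off + 4], "big") & mask != value:
            return False
    return True


def dns_query_packet(domain, qtype=255, qclass=1, ip_opts=b""):
    """Constructed IPv4/UDP/DNS query. Addresses, ports and checksums are
    placeholders; u32 only cares about offsets. qtype 255 is ANY; ip_opts
    (a multiple of 4 bytes) adds IP options and so shifts every offset."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD, QDCOUNT=1
    dns += wire_name(domain) + struct.pack("!HH", qtype, qclass)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    ihl = 5 + len(ip_opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0,
                     ihl * 4 + len(udp) + len(dns), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + ip_opts
    return ip + udp + dns


if __name__ == "__main__":
    generated = u32_for_qname("bitstress.com")
    print(generated)
    cases = (("bitstress.com", {}), ("BitStress.COM", {}), ("bitstress.net", {}),
             ("bitstress.com", {"qtype": 257}), ("bitstress.com", {"ip_opts": b"\x01" * 4}))
    for name, kw in cases:
        pkt = dns_query_packet(name, **kw)
        print("%-14s %-22s page:%-5s generated:%s" % (
            name, kw, u32_matches(PAGE_RULE, pkt), u32_matches(generated, pkt)))
```

Running it prints the generated expression and a match table. The two cases where the post's rule misses are a query for a QTYPE above 255 (the rule pins the QTYPE high byte to 0x00, so e.g. CAA would pass) and a packet carrying IP options, which shifts the name away from 0x28; neither matters much for an ANY-flood rule, but both are worth knowing before the same technique is reused for other names. The kernel must provide xt_u32 (CONFIG_NETFILTER_XT_MATCH_U32) for the rule to load at all.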

Name servers:

bitstress.com.          73670   IN      NS      ns2.bitstress.com.
bitstress.com.          73670   IN      NS      ns1.bitstress.com.

;; ADDITIONAL SECTION:
ns1.bitstress.com.      73670   IN      A       94.102.56.151
ns2.bitstress.com.      73670   IN      A       69.42.219.74


Whois:

Domain bitstress.com

Date Registered: 2013-9-16
Expiry Date: 2014-9-16

DNS1: ns1.bitstress.com
DNS2: ns2.bitstress.com

Registrant
    Fundacion Private Whois
    Domain Administrator
    Email:523780aed7qk26dt@5225b4d0pi3627q9.privatewhois.net
    Attn: bitstress.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Administrative Contact
    Fundacion Private Whois
    Domain Administrator
    Email:523780ae2ke1mbef@5225b4d0pi3627q9.privatewhois.net
    Attn: bitstress.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Technical Contact
    Fundacion Private Whois
    Domain Administrator
    Email:523780aen5ps83ng@5225b4d0pi3627q9.privatewhois.net
    Attn: bitstress.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Registrar: Internet.bs Corp.
Registrar's Website : http://www.internetbs.net/


6 comments:

  1. A list of hax0red machines doing a bitstress.com DNS attack in the last 12 hours
    http://pastebin.com/RM1r7yQJ

    Replies
    1. You are on the receiving end of this? In that case these are simply misconfigured DNS servers.
  2. Is it still happening?

    Excerpt from my DNS server:

    01-Oct-2013 11:18:47.200 queries: info: client 216.231.140.226#60902: query: bitstress.com IN ANY +E
    01-Oct-2013 11:18:47.203 queries: info: client 216.231.140.226#1035: query: bitstress.com IN ANY +E
    01-Oct-2013 11:18:47.205 queries: info: client 216.231.140.226#1036: query: bitstress.com IN ANY +E
    01-Oct-2013 11:18:47.205 queries: info: client 216.231.140.226#1037: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:04.246 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:04.248 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:04.249 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:04.249 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:04.250 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:04.250 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:17.034 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:17.035 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:17.086 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
    01-Oct-2013 14:55:17.087 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
    01-Oct-2013 15:19:41.821 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
    01-Oct-2013 15:19:41.821 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
    01-Oct-2013 15:19:41.822 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E

  3. What I mean is: are they still attacking bitstress.com?

    Since I still get a lot of queries for bitstress.com from multiple IPs right now.
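The query-log lines posted in the comments above are the raw material for a simple detector. The following Python is an added example, not part of the post or of any comment: it parses BIND 9 query-log lines in the shape shown there, counts ANY queries for a watched name per client, and notes when a client sends its whole burst from one UDP source port, which a resolver with source-port randomisation would not do. The log lines are copied from the comment so the script runs offline; the watched-name set, the threshold and the newer-BIND line format accepted by the regex are this example's own choices.

```python
#!/usr/bin/env python3
"""Added example: spot ANY-query bursts for a known amplification domain in a
BIND 9 query log and summarise them per client."""
import re
from collections import Counter, defaultdict

# The lines posted in the comment above, copied here so the example runs
# offline (timestamps and addresses exactly as they appear there).
SAMPLE_LOG = """\
01-Oct-2013 11:18:47.200 queries: info: client 216.231.140.226#60902: query: bitstress.com IN ANY +E
01-Oct-2013 11:18:47.203 queries: info: client 216.231.140.226#1035: query: bitstress.com IN ANY +E
01-Oct-2013 11:18:47.205 queries: info: client 216.231.140.226#1036: query: bitstress.com IN ANY +E
01-Oct-2013 11:18:47.205 queries: info: client 216.231.140.226#1037: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.246 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.248 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.249 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.249 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.250 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:04.250 queries: info: client 119.252.191.53#6894: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.034 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.035 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.086 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 14:55:17.087 queries: info: client 119.252.190.126#2101: query: bitstress.com IN ANY +E
01-Oct-2013 15:19:41.821 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
01-Oct-2013 15:19:41.821 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
01-Oct-2013 15:19:41.822 queries: info: client 184.168.137.105#59798: query: bitstress.com IN ANY +E
"""

# BIND 9 query-log line in the shape shown above. Newer versions insert a
# "@0x..." client handle and a "(name)" field; both are tolerated here.
QUERY_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return (client_ip, source_port, qname, qtype), or None for other lines."""
    m = QUERY_LINE.search(line)
    if m is None:
        return None
    return m["ip"], int(m["port"]), m["qname"].lower().rstrip("."), m["qtype"]


def amplification_report(lines, watched, min_hits=2):
    """Per-client summary of ANY queries for names in `watched`.

    fixed_port is set when every counted query from a client carried the same
    UDP source port. A resolver with source-port randomisation spreads its
    ports, so a burst on one port is worth a look (forged packets, or a stub
    or NAT that does not randomise). min_hits is this example's own threshold."""
    hits = Counter()
    ports = defaultdict(set)
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        ip, port, qname, qtype = q
        if qtype == "ANY" and qname in watched:
            hits[ip] += 1
            ports[ip].add(port)
    return {ip: {"queries": n, "distinct_ports": len(ports[ip]),
                 "fixed_port": len(ports[ip]) == 1}
            for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    report = amplification_report(SAMPLE_LOG.splitlines(), {"bitstress.com"})
    for ip, row in sorted(report.items()):
        print("%-16s %3d queries  %d source port(s)%s" % (
            ip, row["queries"], row["distinct_ports"],
            "  <- fixed source port" if row["fixed_port"] else ""))
```

On the posted lines, three of the four clients send every query from one source port within a few milliseconds; only 216.231.140.226 walks through ports (60902, then 1035-1037). The report is a starting point for investigation, not a verdict: the fix on the responding side is the same either way, which is to stop answering ANY for the world (close the open resolver, or use response rate limiting, available in BIND from 9.9.4/9.10 as the rate-limit option).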