Monday, September 23, 2013

Domain: d6991.com

From 3 or 4 sources I received tips about this domain. Funnily enough, I haven't seen this domain at all!

Thanks for all the tips, warm feeling :)

Well here it goes!

Source:

Not observed myself.


Response:

About 255 A records in the 121.100.152.x range.


IPtables rule:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFFF=0x05443639 && 0x2c&0xFFFFFFDF=0x39310343 && 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q d6991.com"

More rules here

Name servers:

d6991.com.              4354    IN      NS      ns2.mmtac1.com.
d6991.com.              4354    IN      NS      ns1.mmtac1.com.
d6991.com.              4354    IN      NS      ns3.mmtac1.com.
d6991.com.              4354    IN      NS      ns4.mmtac1.com.


Whois:


Domain: d6991.com
Status: Protected

DNS:
        ns1.mmtac1.com
        ns2.mmtac1.com

Created: 2013-09-14 16:33:56
Expires: 2014-09-14 08:33:55
Last Modified: 2013-09-14 16:33:54

Registrant Contact:
        Whoisprotection.cc
        Domain Admin  (reg_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Administrative Contact:
        Whoisprotection.cc
        Domain Admin  (adm_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Technical Contact:
        Whoisprotection.cc
        Domain Admin  (tec_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

Billing Contact:
        Whoisprotection.cc
        Domain Admin  (bil_1358532@whoisprotection.cc)
        Lot 2-1, Incubator 1, Technology Park Malaysia, Bukit Jalil
        Kuala Lumpur, Wilayah Persekutuan, Malaysia 57000
        P: +603.89966788 F: +0.0

3 comments:

  1. Nice! This blocks most of the traffic. You miss one thing, though: this firewall rule may be bypassed by using IP header options. A better solution would be:

    iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@0x14&0xFFDFFFFF=0x05443639 && 0>>22&0x3C@0x18&0xFFFFFFDF=0x39310343 && 0>>22&0x3C@0x1c&0xDFDFFFFF=0x4f4d0000" -j DROP -m comment --comment "DROP DNS Q d6991.com"
    This stops both regular packets and packets with options.

    You may also consider an IPv6 rule, but with all the chained headers, that'll probably be a lot harder. I'm not even sure if that can be done without multiple rules.

    One more thing, please enable guest commenting. This is too much hassle just to react.

    Replies
    1. Hey, yeah, good one. So far it has not been required, but I might incorporate it. I've changed the settings for comments.

  2. I probably should mention that 0>>22&0x3C@ skips to byte 0 after the IP header. It's then only 0x14 bytes to the start of the query. I found my information on stearns.org and in the iptables-extensions manpage.

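The two u32 expressions on this page (the post's fixed-offset rule and the IHL-aware rewrite from the comments) can be checked offline before they are loaded. What follows is an added example, not code from the post or from its commenters: a small Python re-implementation of the xt_u32 match semantics (offset, &, >>, <<, @, = with ranges, and &&), run against constructed IPv4/UDP/DNS query packets with and without IP options. The two expressions are copied from the page; the packet builder, its addresses and the helper that generates an IHL-aware expression for an arbitrary query name are this example's own assumptions about how such rules are built.

```python
"""Offline check of iptables u32 DNS-query matches (added example, not the
post's own tooling). Re-implements xt_u32 semantics in Python and runs the two
expressions from this page against constructed IPv4/UDP/DNS packets."""
import re
import struct

# --u32 expressions copied from the page: the post's fixed-offset rule and the
# commenter's IHL-aware rewrite. Only the u32 part is modelled; the
# "-p udp --dport 53" selection in front of it is not.
FIXED_OFFSET = ("0x28&0xFFDFFFFF=0x05443639 && 0x2c&0xFFFFFFDF=0x39310343"
                " && 0x30&0xDFDFFFFF=0x4f4d0000")
IHL_AWARE = ("0>>22&0x3C@0x14&0xFFDFFFFF=0x05443639"
             " && 0>>22&0x3C@0x18&0xFFFFFFDF=0x39310343"
             " && 0>>22&0x3C@0x1c&0xDFDFFFFF=0x4f4d0000")

TOKEN = re.compile(r"0x[0-9A-Fa-f]+|\d+|>>|<<|&|@")


class _ShortPacket(Exception):
    """A 4-byte read would run past the packet; xt_u32 then fails the match."""


def _read32(pkt, off):
    if off < 0 or off + 4 > len(pkt):
        raise _ShortPacket
    return struct.unpack_from("!I", pkt, off)[0]


def _eval_test(pkt, test):
    """One 'location=value' test. '@' adds the current value to a cumulative
    base; the number after it is read relative to that base (xt_u32 rule)."""
    loc, _, values = test.partition("=")
    toks = TOKEN.findall(loc)
    at = 0
    val = _read32(pkt, at + int(toks[0], 0))
    for i in range(1, len(toks), 2):
        op, arg = toks[i], toks[i + 1]
        if op == "@":
            at += val
            val = _read32(pkt, at + int(arg, 0))
        elif op == "&":
            val &= int(arg, 0)
        elif op == ">>":
            val >>= int(arg, 0)
        elif op == "<<":
            val = (val << int(arg, 0)) & 0xFFFFFFFF
    for part in values.split(","):           # "n", "lo:hi", comma lists
        lo, _, hi = part.strip().partition(":")
        if int(lo, 0) <= val <= (int(hi, 0) if hi else int(lo, 0)):
            return True
    return False


def u32_match(pkt, expr):
    """True if every '&&'-separated test matches, as the kernel would decide."""
    try:
        return all(_eval_test(pkt, t) for t in expr.split("&&"))
    except _ShortPacket:
        return False


def _wire_name(qname):
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dns_query_packet(qname, ip_options=b""):
    """Constructed IPv4/UDP packet carrying a standard A query for qname.
    ip_options (a multiple of 4 bytes) grows the IP header past 20 bytes.
    Addresses are documentation ranges; checksums stay zero (u32 ignores them)."""
    assert len(ip_options) % 4 == 0 and len(ip_options) <= 40
    dns = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0)
    dns += _wire_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(udp), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))
    return ip + ip_options + udp


def ihl_aware_u32_for_qname(qname):
    """Generate an IHL-aware expression for any name, following the page's
    pattern: letters masked with 0xDF so case does not matter, length bytes,
    digits and the final 0x00 matched exactly, trailing pad bytes wildcarded."""
    masks, vals = bytearray(), bytearray()
    for b in _wire_name(qname):
        letter = 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A
        masks.append(0xDF if letter else 0xFF)
        vals.append(b & 0xDF if letter else b)
    while len(masks) % 4:
        masks.append(0x00)
        vals.append(0x00)
    tests = []
    for k in range(0, len(masks), 4):       # question starts 0x14 bytes past the IP header
        mask = int.from_bytes(masks[k:k + 4], "big")
        val = int.from_bytes(vals[k:k + 4], "big")
        tests.append(f"0>>22&0x3C@0x{0x14 + k:x}&0x{mask:08X}=0x{val:08x}")
    return " && ".join(tests)


if __name__ == "__main__":
    plain = dns_query_packet("d6991.com")
    padded = dns_query_packet("d6991.com", ip_options=b"\x01" * 4)  # four NOP options
    for label, expr in (("fixed offset", FIXED_OFFSET), ("IHL-aware", IHL_AWARE)):
        print(f"{label:12} plain={u32_match(plain, expr)!s:5} "
              f"with IP options={u32_match(padded, expr)}")
    print(ihl_aware_u32_for_qname("d6991.com"))
```

Running it shows the point made in the comments: the fixed-offset rule matches the plain query but misses once four NOP options push the IP header to 24 bytes, because offset 0x28 then lands inside the DNS header instead of on the question; the IHL-aware form matches both, and thanks to the 0xDF masks it also matches D6991.COM. The generated expression for d6991.com agrees with the commenter's rule in its first two tests and differs only in wildcarding the pad byte after the name instead of pinning it to a QTYPE high byte of 0x00. Two caveats the page does not cover: xt_u32 caps the number of && tests in one expression, so very long names will not fit in a single rule, and neither form sees DNS over TCP or IPv6.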