Attack using a legit domain. Have not seen any attacks yet. Only scanning.
If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks, and your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.
There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick this one; otherwise use the 'string' rule.
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09484343 && 0x2c&0xDFDFDFDF=0x464f5255 && 0x30&0xDFDFFFDF=0x4d53024e && 0x34&0xDFFF00FF=0x4c0000ff" -j DROP -m comment --comment "DROP DNS Q ANY hccforums.nl"
More U32 rules can be found here:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|09686363666f72756d73026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q hccforums.nl"
More Iptables rules for the STRING module can be found here:
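How the two rules above are derived from the domain name, as an added example that is not part of the original page: it encodes QNAME + QTYPE in DNS wire format and emits the u32 terms (case bit masked on letters only) and the string-module hex pattern. The function names are hypothetical, and it assumes the same fixed offset 40 as the page's rules; its last u32 term checks both QTYPE bytes, so that mask is 0xDFFFFFFF where the page's rule uses 0xDFFF00FF.

```python
import struct

# Assumption, as in the page's rules: IPv4 header without options (20 bytes),
# then UDP (8) and the DNS header (12), so QNAME starts at byte 40 (0x28).
QNAME_OFFSET = 20 + 8 + 12

def qname_wire(domain, qtype=255):
    """Return (wire, mask) bytes for QNAME + QTYPE; qtype 255 is ANY."""
    wire, mask = bytearray(), bytearray()
    for label in domain.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid label: %r" % label)
        wire.append(len(raw))
        mask.append(0xFF)                      # length byte must match exactly
        for b in raw:
            wire.append(b)
            # 0xDF clears the ASCII case bit; only safe on letters
            mask.append(0xDF if chr(b).isalpha() else 0xFF)
    wire += b"\x00" + struct.pack("!H", qtype)  # root label + QTYPE
    mask += b"\xff\xff\xff"
    return bytes(wire), bytes(mask)

def u32_expr(domain, qtype=255):
    """Build the --u32 expression, one term per 32-bit word."""
    wire, mask = qname_wire(domain, qtype)
    offsets = list(range(0, len(wire) - 3, 4))
    if len(wire) % 4:
        offsets.append(len(wire) - 4)          # overlap last word, never read past QTYPE
    terms = []
    for off in offsets:
        m = int.from_bytes(mask[off:off + 4], "big")
        v = int.from_bytes(wire[off:off + 4], "big") & m
        terms.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + off, m, v))
    return " && ".join(terms)

def string_match(domain, qtype=255):
    """Return (hex_string, from, to) for the string module.
    This pattern is matched byte for byte, so it is case-sensitive."""
    wire, _ = qname_wire(domain, qtype)
    return wire.hex(), QNAME_OFFSET, QNAME_OFFSET + len(wire)

if __name__ == "__main__":
    print('--u32 "%s"' % u32_expr("hccforums.nl"))
    print("--hex-string '|%s|' --from %d --to %d" % string_match("hccforums.nl"))
```

When QNAME + QTYPE is not a multiple of four bytes, the last term overlaps the previous word so the match never depends on bytes beyond the question's QTYPE.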
18.104.22.168 - AS29073 Ecatel Network
;; ANSWER SECTION:
hccforums.nl. 3600 IN NS ns1.hobby.nl.
hccforums.nl. 3600 IN NS ns2.hobby.nl.
hccforums.nl. 3600 IN NS ns3.hobby.nl.
Domain name: hccforums.nl
Record maintained by: NL Domain Registry