Sunday, November 10, 2013

Domain: hccforums.nl

An attack using a legitimate domain. I have not seen any attacks yet, only scanning.

If you are seeing queries for this domain, then you are probably participating in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled, so it answers queries from anyone. The real fix is to disable recursion, or restrict it to your own clients; the rules below only stop the queries for this one domain.

If you are seeing responses for this domain: unlucky, you are currently being DDoSed. Good luck.


Iptables:


There are two iptables rules available. If your distribution supports the iptables 'u32' match module, use that one; otherwise use the 'string' rule. Both match a UDP packet to port 53 whose question is hccforums.nl, type ANY, at the offset where the question starts when the IPv4 header carries no options (20 bytes IP + 8 bytes UDP + 12 bytes DNS header = offset 40). The u32 rule folds case with its 0xDF masks, so it also catches queries with mixed-case labels; the string rule compares exact bytes, so a mixed-case query slips past it unless you add --icase. Neither rule covers IPv6, where ip6tables would need different offsets.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x09484343 && 0x2c&0xDFDFDFDF=0x464f5255 && 0x30&0xDFDFFFDF=0x4d53024e && 0x34&0xDFFF00FF=0x4c0000ff" -j DROP -m comment --comment "DROP DNS Q ANY hccforums.nl"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 56 --algo bm --hex-string '|09686363666f72756d73026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q hccforums.nl"
More iptables rules for the string module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt

Source:


93.174.93.139 - AS29073 Ecatel Network

Name servers:


;; ANSWER SECTION:
hccforums.nl. 3600 IN NS ns1.hobby.nl.
hccforums.nl. 3600 IN NS ns2.hobby.nl.
hccforums.nl. 3600 IN NS ns3.hobby.nl.


Response to an ANY query (record counts, and total response size in bytes):


A 13
AAAA 2
DNSKEY 3
MX 5
NS 9
NSEC3PARAM 2
RRSIG 7
SOA 2
Response size (Rsize): 3444 bytes
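As an added example (not code from the original post or from the smurfmonitor repository), the following Python builds the wire-format ANY query for hccforums.nl, emulates the u32 and string matches from the two iptables rules above on it, and works out the amplification ratio from the 3444-byte response size listed above. It assumes an IPv4 packet without options (20-byte IP header plus 8-byte UDP header, so the question starts at offset 40, exactly as both rules assume) and a query that carries an EDNS0 OPT record advertising a 4096-byte buffer, which an amplification attack needs so the 3444-byte answer is not truncated to 512 bytes; the function names are my own.

```python
# Added example, not part of the original post: emulates the two iptables
# matches above on a hand-built DNS query and computes the amplification ratio.
import struct

DOMAIN = "hccforums.nl"
QTYPE_ANY = 255
QTYPE_A = 1
RESPONSE_SIZE = 3444  # Rsize of the ANY answer, as reported on the page
IP_UDP_HDR = 20 + 8   # assumption: IPv4 header without options, plus UDP header
                      # (both iptables rules assume this, hence offset 40 for the QNAME)

# The exact bytes the string rule looks for: \x09hccforums\x02nl\x00 then QTYPE 0x00ff (ANY)
STRING_PATTERN = bytes.fromhex("09686363666f72756d73026e6c0000ff")
STRING_FROM, STRING_TO = 40, 56

# The four (offset, mask, value) checks of the u32 rule; 0xDF in a mask clears the
# ASCII case bit so 'H' and 'h' both match, 0x00 ignores that byte entirely.
U32_CHECKS = [
    (0x28, 0xFFDFDFDF, 0x09484343),  # 0x09 'h' 'c' 'c'
    (0x2C, 0xDFDFDFDF, 0x464F5255),  # 'f' 'o' 'r' 'u'
    (0x30, 0xDFDFFFDF, 0x4D53024E),  # 'm' 's' 0x02 'n'
    (0x34, 0xDFFF00FF, 0x4C0000FF),  # 'l' 0x00 (root) then QTYPE low byte 0xff
]


def encode_name(name):
    """Wire-format QNAME: each label length-prefixed, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_bufsize=4096):
    """DNS payload (header + question + EDNS0 OPT) of a query as an open resolver sees it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, QDCOUNT 1, ARCOUNT 1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # QCLASS IN
    # OPT RR: root name, TYPE 41, advertised UDP size, ext-RCODE/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def ip_packet(dns_payload):
    """Prepend placeholder IPv4+UDP headers so offsets line up with what iptables sees."""
    return b"\x45" + b"\x00" * (IP_UDP_HDR - 1) + dns_payload  # header contents do not matter here


def u32_match(packet):
    """Emulate the u32 rule: big-endian 32-bit word at each offset, masked, then compared."""
    for offset, mask, want in U32_CHECKS:
        if len(packet) < offset + 4:
            return False
        word = struct.unpack(">I", packet[offset:offset + 4])[0]
        if word & mask != want:
            return False
    return True


def string_match(packet):
    """Emulate the string rule: exact (case-sensitive) bytes inside the --from/--to window."""
    return STRING_PATTERN in packet[STRING_FROM:STRING_TO]


def amplification(query_len, response_len=RESPONSE_SIZE):
    """Bytes the spoofed victim receives per byte the attacker sends (DNS payload only)."""
    return response_len / query_len


if __name__ == "__main__":
    plain = ip_packet(build_query(DOMAIN, QTYPE_ANY))
    mixed = ip_packet(build_query("HcCfOrUmS.Nl", QTYPE_ANY))  # 0x20-bit case randomisation
    a_only = ip_packet(build_query(DOMAIN, QTYPE_A))
    for label, pkt in (("lowercase ANY", plain), ("mixed-case ANY", mixed), ("A query", a_only)):
        print(f"{label:15} u32={u32_match(pkt)!s:5} string={string_match(pkt)!s:5}")
    qlen = len(build_query(DOMAIN, QTYPE_ANY))
    print(f"{qlen}-byte query -> {RESPONSE_SIZE}-byte response: {amplification(qlen):.0f}x")
```

The mixed-case query shows why the u32 rule is the better choice: it still drops the query, while the string rule lets it through. The ratio (a 41-byte query against the 3444-byte answer, roughly 84x) counts DNS payload only; with IP and UDP headers added to both sides it comes out a little lower.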


Whois:


Domain name: hccforums.nl
Status: active

Registrar:
HCC
Jansweg 38
2011KN HAARLEM
Netherlands

DNSSEC: yes

Domain nameservers:
ns2.hobby.nl
ns3.hobby.nl
ns1.hobby.nl

Record maintained by: NL Domain Registry




4 comments:

  1. Also seeing doc.gov type ANY

  2. Thanks so much for this. I have been getting absolutely slammed by DNS from this domain which has been pegging the outbound side of my internet connection. After a bit of sleuth work, some packet capturing, and some wiresharking I found hccforums.nl. In some cases as little as 6Mbps, and as high as 30Mbps. An hour spent with my firewall tech support (ZyXel) today, even they couldn't figure out what was going on. It has been happening for a month now.

  3. census.gov as well. My firewall drops these automatically after they hit a closed port, but damn, they have been slamming me lately. Even with dropping them fast and easy it's getting annoying.
