Friday, November 1, 2013

Domain: reanimator.in

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0a524541 && 0x2c&0xDFDFDFDF=0x4e494d41 && 0x30&0xDFDFDFFF=0x544f5202 && 0x34&0xDFDFFF00=0x494e0000" -j DROP -m comment --comment "DROP DNS Q reanimator.in"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 55 --algo bm --hex-string '|0A7265616e696d61746f7202696e00|' -j DROP -m comment --comment "DROP DNS Q reanimator.in"

More iptables rules for the STRING module can be found here:


https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
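Added example, not code from the original post or from the smurfmonitor repository: a Python script that derives the 'string' and 'u32' match patterns above for any query name, and, for the opening remark about recursion, a small probe that builds one RD query and reads the RA flag from the answer. Assumptions: IPv4 without options (20-byte header) plus an 8-byte UDP header and a 12-byte DNS header, so the question name starts at byte 40 (0x28), which is exactly what the page's offsets use; the probe name `example.com` and all function names are my own choices.

```python
# Added example (not from the original post): derive the iptables 'string' and
# 'u32' match patterns for a DNS query name, and probe a server for open recursion.
# Offsets assume IPv4 without options (20 bytes) + UDP (8) + DNS header (12).
import socket

QNAME_OFFSET = 20 + 8 + 12  # 40 (0x28): first byte of the question name


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain in DNS wire format: length-prefixed labels ending in 0x00."""
    out = bytearray()
    for label in domain.rstrip(".").lower().split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"invalid label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def string_rule(domain: str) -> str:
    """'string' match over exactly the QNAME bytes (--to is exclusive).
    xt_string compares case-sensitively unless --icase is added."""
    wire = dns_wire_name(domain)
    return (
        f"iptables --insert INPUT -p udp --dport 53 -m string "
        f"--from {QNAME_OFFSET} --to {QNAME_OFFSET + len(wire)} --algo bm "
        f"--hex-string '|{wire.hex().upper()}|' -j DROP "
        f'-m comment --comment "DROP DNS Q {domain}"'
    )


def u32_tests(domain: str) -> str:
    """'u32' match: one 32-bit comparison per 4-byte word of the QNAME.
    Letters get mask 0xDF (bit 0x20 cleared, so either case matches), label
    lengths, digits and hyphens get 0xFF, padding past the name gets 0x00."""
    wire = dns_wire_name(domain)
    tests = []
    for i in range(0, len(wire), 4):
        mask = value = 0
        for j in range(4):
            mask <<= 8
            value <<= 8
            if i + j < len(wire):
                b = wire[i + j]
                if 0x61 <= b <= 0x7A:  # a-z (name was lowercased above)
                    mask |= 0xDF
                    value |= b & 0xDF
                else:
                    mask |= 0xFF
                    value |= b
        tests.append(f"0x{QNAME_OFFSET + i:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(tests)


def u32_rule(domain: str) -> str:
    return (
        f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_tests(domain)}" '
        f'-j DROP -m comment --comment "DROP DNS Q {domain}"'
    )


def build_query(domain: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (class IN) with the RD flag set, default qtype A."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    return header + dns_wire_name(domain) + qtype.to_bytes(2, "big") + b"\x00\x01"


def response_flags(resp: bytes) -> dict:
    """Pull the header bits an open-resolver check cares about."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    flags = int.from_bytes(resp[2:4], "big")
    return {
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),  # recursion available: server recurses for the asker
        "rcode": flags & 0x000F,
        "ancount": int.from_bytes(resp[6:8], "big"),
    }


def recursion_offered(server: str, domain: str = "example.com", timeout: float = 3.0) -> bool:
    """Run from outside your own network against your own server: True means it
    recursed for a stranger (RA set, no error), i.e. it is an open resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain), (server, 53))
        resp, _ = s.recvfrom(4096)
    f = response_flags(resp)
    return f["qr"] and f["ra"] and f["rcode"] == 0


if __name__ == "__main__":
    for d in ("reanimator.in", "example.com"):
        print(u32_rule(d))
        print(string_rule(d))
```

For reanimator.in the script reproduces the two rules above byte for byte. Two caveats when reusing the patterns: the fixed offsets skip any packet that carries IPv4 options, and the 'string' variant only matches the lower-case spelling unless `--icase` is given, whereas the u32 masks already cover both cases. Dropping the query at the firewall only stops the traffic for this one name; the lasting fix is to stop answering recursive queries for clients outside your own networks, which `recursion_offered` lets you verify from the outside.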

Source:


93.174.93.176

Name server:


;; ANSWER SECTION:
reanimator.in. 9905 IN NS a.dns.gandi.net.
reanimator.in. 9905 IN NS c.dns.gandi.net.
reanimator.in. 9905 IN NS b.dns.gandi.net.

;; ADDITIONAL SECTION:
a.dns.gandi.net. 13822 IN A 173.246.97.2
a.dns.gandi.net. 13822 IN AAAA 2604:3400:a::2
b.dns.gandi.net. 13822 IN A 217.70.184.40
b.dns.gandi.net. 13822 IN AAAA 2001:4b98:b:a::40
c.dns.gandi.net. 13822 IN A 217.70.182.20
c.dns.gandi.net. 13822 IN AAAA 2001:4b98:c:521::20


Response:


A 241
NS 3
SOA 1
Rsize 3979 (response size in bytes)


Whois


Access to .IN WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
.IN registry database. The data in this record is provided by
.IN Registry for informational purposes only, and .IN does not
guarantee its accuracy. This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. .IN reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.

Domain ID:D7783010-AFIN
Domain Name:REANIMATOR.IN
Created On:17-Oct-2013 16:03:40 UTC
Last Updated On:17-Oct-2013 16:03:42 UTC
Expiration Date:17-Oct-2014 16:03:40 UTC
Sponsoring Registrar:Gandi SAS (R91-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:SK3443-GANDI
Registrant Name:Stelios Kornelius
Registrant Organization:
Registrant Street1:molochanskaya, 10
Registrant Street2:
Registrant Street3:
Registrant City:Kiev
Registrant State/Province:
Registrant Postal Code:02415
Registrant Country:UA
Registrant Phone:+38.0933231307
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:d3b41d6ccd99b1f96c9c6a4a32558576-1796301@contact.gandi.net
Admin ID:SK3443-GANDI
Admin Name:Stelios Kornelius
Admin Organization:
Admin Street1:molochanskaya, 10
Admin Street2:
Admin Street3:
Admin City:Kiev
Admin State/Province:
Admin Postal Code:02415
Admin Country:UA
Admin Phone:+38.0933231307
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:d3b41d6ccd99b1f96c9c6a4a32558576-1796301@contact.gandi.net
Tech ID:SK3443-GANDI
Tech Name:Stelios Kornelius
Tech Organization:
Tech Street1:molochanskaya, 10
Tech Street2:
Tech Street3:
Tech City:Kiev
Tech State/Province:
Tech Postal Code:02415
Tech Country:UA
Tech Phone:+38.0933231307
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:d3b41d6ccd99b1f96c9c6a4a32558576-1796301@contact.gandi.net
Name Server:A.DNS.GANDI.NET
Name Server:B.DNS.GANDI.NET
Name Server:C.DNS.GANDI.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

2 comments:

1. Also receiving from 93.174.93.84
   [udp sum ok] 9158+ [1au] ANY? loo1.ru. ar: . OPT UDPsize=65535 (36)

   Replies:
   1. See: http://dnsamplificationattacks.blogspot.com/2013/11/domain-loo1ru.html :-)