Today I found the domain "whoami.akamai.com" in my log files. After concluding that there was no amplification going on, I looked at who had requested this domain. Normally there is a single request for such 'new' domains (mostly from an Ecatel IP). But not today: over a hundred different IPs scrolled by.
The queries were also performed with only the Recursion Desired bit set and without EDNS, unlike what I usually see.
Most IPs only requested the domain once... but why this domain? The IPs are scattered over a few ASes:
IPs | AS |
71 | AS4134 Chinanet |
40 | AS4837 CNCGROUP China169 Backbone |
7 | AS23650 AS Number for CHINANET jiangsu province backbone |
6 | AS9808 Guangdong Mobile Communication Co.Ltd. |
4 | AS38283 CHINANET SiChuan Telecom Internet Data Center |
3 | AS17816 China Unicom IP network China169 Guangdong province |
2 | AS4812 China Telecom (Group) |
2 | AS4808 CNCGROUP IP network China169 Beijing Province Network |
2 | AS24444 Shandong Mobile Communication Company Limited |
1 | AS7473 Singapore Telecommunications Ltd |
1 | AS58424 #3BEo, Sangkat Beoun Prolit, Khan 7Makara, Phnom Penh. |
1 | AS56046 China Mobile communications corporation |
1 | AS56040 China Mobile communications corporation |
1 | AS54994 Wangsu Science and Technology (US), Inc. |
1 | AS4538 China Education and Research Network Center |
1 | AS3462 Data Communication Business Group |
1 | AS24445 Henan Mobile Communications Co.,Ltd |
1 | AS18118 CITIC Networks Management Co.,Ltd. |
1 | AS1299 TeliaNet Global Network |
A few IPs have rDNS set:
112.117.216.6 - 6.216.117.112.broad.km.yn.dynamic.163data.com.cn.
121.205.7.134 - 134.7.205.121.broad.qz.fj.dynamic.163data.com.cn.
122.136.46.81 - 81.46.136.122.adsl-pool.jlccptt.net.cn.
122.138.54.6 - 6.54.138.122.adsl-pool.jlccptt.net.cn.
122.143.27.134 - 134.27.143.122.adsl-pool.jlccptt.net.cn.
123.103.64.180 - 123.103.64.180-BJ-CNC.
124.163.221.6 - 6.221.163.124.adsl-pool.sx.cn.
125.75.128.81 - 81.128.125.75.gs.dynamic.163data.com.cn.
182.118.15.6 - hn.kd.ny.adsl.
182.118.73.10 - hn.kd.ny.adsl.
219.153.52.6 - 6.52.153.219.broad.cq.cq.dynamic.163data.com.cn.
219.154.65.164 - hn.kd.jz.adsl.
220.165.142.6 - 6.142.165.220.broad.cx.yn.dynamic.163data.com.cn.
222.138.229.57 - hn.kd.ny.adsl.
222.140.155.6 - hn.kd.dhcp.
60.220.196.6 - 6.196.220.60.adsl-pool.sx.cn.
60.220.213.70 - 70.213.220.60.adsl-pool.sx.cn.
61.157.124.20 - 20.124.157.61.dial.zy.sc.dynamic.163data.com.cn.
61.188.191.10 - 10.191.188.61.broad.nc.sc.dynamic.163data.com.cn.
61.54.12.5 - hn.kd.dhcp.
61.54.219.59 - hn.kd.dhcp.
61.54.7.11 - hn.kd.dhcp.
DHCP, dynamic: these sound like home connections. Botnet?
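The triage described above (pick out the queries for the odd name, count distinct sources, check whether they carry only the RD bit and no EDNS, group them by AS, and sanity-check the log for amplification patterns) is easy to script. The following is an added example, not the author's own tooling: it parses constructed log lines modelled on the BIND 9 query-log format (the "+" flag means Recursion Desired, "E(0)" means EDNS was present), using a few source addresses from the post's table and a hard-coded prefix-to-AS table that is likewise constructed for the demo; real attribution needs WHOIS or BGP data.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines modelled on the BIND 9 query-log format (assumption:
# this is not the author's log). "+" = Recursion Desired, "E(0)" = EDNS present.
SAMPLE_LOG = """\
client 112.117.216.6#53000 (whoami.akamai.com): query: whoami.akamai.com IN A + (192.0.2.53)
client 121.205.7.134#40012 (whoami.akamai.com): query: whoami.akamai.com IN A + (192.0.2.53)
client 122.136.46.81#1025 (whoami.akamai.com): query: whoami.akamai.com IN A + (192.0.2.53)
client 61.54.7.11#2048 (whoami.akamai.com): query: whoami.akamai.com IN A + (192.0.2.53)
client 61.54.7.11#2049 (whoami.akamai.net): query: whoami.akamai.net IN A + (192.0.2.53)
client 203.0.113.9#5353 (whoami.akamai.com): query: whoami.akamai.com IN A +E(0) (192.0.2.53)
client 198.51.100.7#6000 (example.org): query: example.org IN ANY +E(0)D (192.0.2.53)
client 198.51.100.7#6001 (example.org): query: example.org IN ANY +E(0)D (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed prefix -> origin-AS table covering only the sample sources.
AS_TABLE = [
    (ipaddress.ip_network("112.117.0.0/16"), "AS4134 Chinanet"),
    (ipaddress.ip_network("121.205.0.0/16"), "AS4134 Chinanet"),
    (ipaddress.ip_network("122.136.0.0/16"), "AS4837 CNCGROUP China169 Backbone"),
    (ipaddress.ip_network("61.54.0.0/16"), "AS4837 CNCGROUP China169 Backbone"),
]

# The post names the .com label; its dig output shows .net, so match both.
WHOAMI_NAMES = {"whoami.akamai.com", "whoami.akamai.net"}


def parse_line(line):
    """Return src, qname, qtype, rd and edns for one query-log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "src": m.group("src"),
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
        "rd": flags.startswith("+"),
        "edns": "E(" in flags,
    }


def origin_as(ip):
    """Longest-prefix-free lookup against the constructed AS table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in AS_TABLE:
        if addr in net:
            return asn
    return "unknown"


def triage(log_text, names=WHOAMI_NAMES, baseline_sources=1):
    """Summarize who asked for the whoami names and whether it looks like a scan.

    baseline_sources is how many distinct sources the operator normally sees
    for a newly appearing name (the post says usually one).
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = [r for r in records if r["qname"] in names]
    per_src = Counter(r["src"] for r in hits)
    single = sum(1 for n in per_src.values() if n == 1)
    rd_only = sum(1 for r in hits if r["rd"] and not r["edns"])
    per_as = Counter(origin_as(src) for src in per_src)
    # Amplification sanity check over the whole log: ANY queries carrying EDNS
    # (large answers to a possibly spoofed source) are the classic pattern.
    amp_candidates = sum(1 for r in records if r["qtype"] == "ANY" and r["edns"])
    return {
        "queries": len(hits),
        "sources": len(per_src),
        "single_query_sources": single,
        "rd_only_no_edns": rd_only,
        "per_as": dict(per_as),
        "amplification_candidates": amp_candidates,
        # Many distinct sources, nearly all asking exactly once: scan-like.
        "scan_like": len(per_src) > baseline_sources and single >= 0.8 * len(per_src),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real query log you would feed `triage()` the file contents and tune `baseline_sources` to what your server normally sees; the AS table would be replaced by a WHOIS or BGP lookup.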
WhoAmI.akamai.com
As it turns out, this subdomain is something special.
The A record in the response for this name is the IP address the request came from. So if you run a local DNS server, you get your own (WAN) IP returned. When using a remote DNS server, that server's IP is returned. In the case of a chain of forwarding DNS servers, the IP of the last one in the chain is returned.
Google Public DNS:
dig whoami.akamai.com @8.8.8.8
....
;; ANSWER SECTION:
whoami.akamai.net. 94 IN A 74.125.17.147
My query was forwarded to 74.125.17.147 by Google, for load-balancing purposes I guess. Perhaps using EDNS +client.
But why request this domain from every open DNS server in the world?
The people behind this scan can tell, for each 'open DNS server', whether it is an 'open resolver' or an 'open forwarder'. Perhaps this makes a significant difference when performing DNS amplification attacks... perhaps it is just nice to know.
If the responses to these queries are properly logged, one could generate a really nice graph of which open forwarders hide behind which open resolvers... I want that graph now!!
I am assuming there are a lot more open forwarders than there are open resolvers, but I have no stats on that matter. Perhaps this was a small botnet making these requests... but then why request it so many times? Since the queries are almost all from China, it cannot be about geographic diversity. Pretty confusing.
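To make the behaviour described above concrete (the answer is the address of the last hop that reached the authoritative side, and comparing that answer with the server you asked tells resolver from forwarder), here is an added example that is not part of the original post. It models a tiny resolution chain with constructed RFC 5737 addresses: an authoritative stand-in that answers with whoever queried it, recursive resolvers, and forwarders (home routers) that hand queries upstream. The same `classify()` function is the self-check a DNS operator can apply to their own server: if the answer you get through it is not the server's own address, it forwards, and the answer shows to whom.

```python
class WhoamiAuthoritative:
    """Stand-in for the authoritative side: answers with the querier's address."""

    def query(self, from_ip, qname):
        return from_ip


class Resolver:
    """Recursive resolver: contacts the authoritative server itself."""

    def __init__(self, ip, auth):
        self.ip, self.auth = ip, auth

    def query(self, from_ip, qname):
        return self.auth.query(self.ip, qname)


class Forwarder:
    """Forwarding 'DNS server' (e.g. a home router): passes the query upstream."""

    def __init__(self, ip, upstream):
        self.ip, self.upstream = ip, upstream

    def query(self, from_ip, qname):
        return self.upstream.query(self.ip, qname)


def classify(server_ip, answer_ip):
    """Label one server from the answer it returned for the whoami name.

    Returns ("resolver", None) when the server answered with its own address,
    otherwise ("forwarder", <address of the resolver that actually recursed>).
    """
    if answer_ip == server_ip:
        return ("resolver", None)
    return ("forwarder", answer_ip)


def forwarder_graph(observations):
    """Build {resolver_ip: [forwarder_ip, ...]} from (server_ip, answer_ip) pairs."""
    graph = {}
    for server_ip, answer_ip in observations:
        kind, upstream = classify(server_ip, answer_ip)
        if kind == "resolver":
            graph.setdefault(server_ip, [])
        else:
            graph.setdefault(upstream, []).append(server_ip)
    return {k: sorted(v) for k, v in graph.items()}


def demo_observations():
    """Constructed topology: two resolvers, three forwarders, one of them chained."""
    auth = WhoamiAuthoritative()
    r1 = Resolver("198.51.100.1", auth)
    r2 = Resolver("198.51.100.2", auth)
    f1 = Forwarder("203.0.113.10", r1)   # home router forwarding to r1
    f2 = Forwarder("203.0.113.11", f1)   # forwarder chained behind f1
    f3 = Forwarder("203.0.113.12", r2)
    client = "192.0.2.7"
    # Each server is asked once; the pair (asked, answered) is what gets logged.
    return [(s.ip, s.query(client, "whoami.akamai.com")) for s in (r1, r2, f1, f2, f3)]


if __name__ == "__main__":
    for server_ip, answer_ip in demo_observations():
        print(server_ip, "->", answer_ip, classify(server_ip, answer_ip))
    print(forwarder_graph(demo_observations()))
```

Note what the chained forwarder shows: `203.0.113.11` forwards to `203.0.113.10`, but the answer names `198.51.100.1`, so the graph attaches it directly to the resolver and the intermediate hop is invisible. That is exactly the "last one in the chain" property from the text, and it is why such a graph shows the resolver behind a forwarder but not the full path.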
If anyone has any idea about this all.. Let me know!
Observed source IPs:
IP | Country | ISP |
101.227.66.136 | China | AS4812 China Telecom (Group) |
101.26.37.10 | China | AS4837 CNCGROUP China169 Backbone |
103.5.124.133 | Cambodia | AS58424 #3BEo, Sangkat Beoun Prolit, Khan 7Makara, Phnom Penh. |
110.18.244.134 | China | AS4837 CNCGROUP China169 Backbone |
110.18.246.6 | China | AS4837 CNCGROUP China169 Backbone |
112.117.216.6 | China | AS4134 Chinanet |
112.25.35.36 | China | AS56046 China Mobile communications corporation |
112.253.38.28 | China | AS4837 CNCGROUP China169 Backbone |
112.84.252.131 | China | AS4837 CNCGROUP China169 Backbone |
112.90.246.6 | China | AS17816 China Unicom IP network China169 Guangdong province |
112.91.29.6 | China | AS17816 China Unicom IP network China169 Guangdong province |
113.107.56.10 | China | AS4134 Chinanet |
113.107.89.134 | China | AS4134 Chinanet |
113.17.140.154 | China | AS4134 Chinanet |
113.207.63.136 | China | AS4837 CNCGROUP China169 Backbone |
114.80.143.152 | China | AS4812 China Telecom (Group) |
115.156.188.141 | China | AS4538 China Education and Research Network Center |
115.231.84.10 | China | AS4134 Chinanet |
115.238.245.134 | China | AS4134 Chinanet |
116.10.190.10 | China | AS4134 Chinanet |
116.211.96.166 | China | AS4134 Chinanet |
117.18.47.39 | Singapore | AS7473 Singapore Telecommunications Ltd |
117.21.164.6 | China | AS4134 Chinanet |
117.21.189.11 | China | AS4134 Chinanet |
117.25.128.209 | China | AS4134 Chinanet |
117.35.207.134 | China | AS4134 Chinanet |
117.42.74.5 | China | AS4134 Chinanet |
118.123.118.6 | China | AS38283 CHINANET SiChuan Telecom Internet Data Center |
119.134.253.5 | China | AS4134 Chinanet |
119.146.200.6 | China | AS4134 Chinanet |
119.147.149.135 | China | AS4134 Chinanet |
119.84.113.6 | China | AS4134 Chinanet |
119.84.119.102 | China | AS4134 Chinanet |
120.192.90.200 | China | AS24444 Shandong Mobile Communication Company Limited |
120.192.92.10 | China | AS24444 Shandong Mobile Communication Company Limited |
120.198.232.50 | China | AS56040 China Mobile communications corporation |
120.209.141.6 | China | AS9808 Guangdong Mobile Communication Co.Ltd. |
120.209.142.6 | China | AS9808 Guangdong Mobile Communication Co.Ltd. |
120.39.183.11 | China | AS4134 Chinanet |
121.11.92.134 | China | AS4134 Chinanet |
121.14.151.3 | China | AS4134 Chinanet |
121.14.228.6 | China | AS4134 Chinanet |
121.18.209.209 | China | AS4837 CNCGROUP China169 Backbone |
121.18.230.11 | China | AS4837 CNCGROUP China169 Backbone |
121.205.7.134 | China | AS4134 Chinanet |
121.61.118.10 | China | AS4134 Chinanet |
122.136.46.81 | China | AS4837 CNCGROUP China169 Backbone |
122.138.54.6 | China | AS4837 CNCGROUP China169 Backbone |
122.143.27.134 | China | AS4837 CNCGROUP China169 Backbone |
122.226.169.70 | China | AS4134 Chinanet |
122.226.180.198 | China | AS4134 Chinanet |
122.227.2.6 | China | AS4134 Chinanet |
122.228.228.135 | China | AS4134 Chinanet |
123.103.64.180 | China | AS4808 CNCGROUP IP network China169 Beijing Province Network |
124.163.221.6 | China | AS4837 CNCGROUP China169 Backbone |
124.202.166.6 | China | AS4808 CNCGROUP IP network China169 Beijing Province Network |
125.39.19.70 | China | AS4837 CNCGROUP China169 Backbone |
125.75.128.81 | China | AS4134 Chinanet |
14.17.98.6 | China | AS4134 Chinanet |
163.177.242.6 | China | AS17816 China Unicom IP network China169 Guangdong province |
171.111.152.6 | China | AS4134 Chinanet |
171.112.96.6 | China | AS4134 Chinanet |
182.118.15.6 | China | AS4837 CNCGROUP China169 Backbone |
182.118.73.10 | China | AS4837 CNCGROUP China169 Backbone |
182.140.130.10 | China | AS38283 CHINANET SiChuan Telecom Internet Data Center |
182.140.236.6 | China | AS38283 CHINANET SiChuan Telecom Internet Data Center |
182.86.197.6 | China | AS4134 Chinanet |
183.136.208.6 | China | AS4134 Chinanet |
183.136.229.134 | China | AS4134 Chinanet |
183.221.248.141 | China | AS9808 Guangdong Mobile Communication Co.Ltd. |
183.250.179.16 | China | AS9808 Guangdong Mobile Communication Co.Ltd. |
183.57.144.11 | China | AS4134 Chinanet |
183.60.232.10 | China | AS4134 Chinanet |
183.61.73.10 | China | AS4134 Chinanet |
183.63.155.10 | China | AS4134 Chinanet |
203.74.4.38 | Taiwan | AS3462 Data Communication Business Group |
209.170.78.66 | Sweden | AS1299 TeliaNet Global Network |
211.142.194.11 | China | AS24445 Henan Mobile Communications Co.,Ltd |
218.11.179.222 | China | AS4837 CNCGROUP China169 Backbone |
218.2.83.66 | China | AS4134 Chinanet |
218.59.144.70 | China | AS4837 CNCGROUP China169 Backbone |
218.59.209.6 | China | AS4837 CNCGROUP China169 Backbone |
218.61.27.10 | China | AS4837 CNCGROUP China169 Backbone |
218.75.140.134 | China | AS4134 Chinanet |
218.87.111.134 | China | AS4134 Chinanet |
219.138.135.197 | China | AS4134 Chinanet |
219.138.64.10 | China | AS4134 Chinanet |
219.139.190.180 | China | AS4134 Chinanet |
219.147.204.6 | China | AS4134 Chinanet |
219.153.52.6 | China | AS4134 Chinanet |
219.154.65.164 | China | AS4837 CNCGROUP China169 Backbone |
219.72.153.14 | China | AS18118 CITIC Networks Management Co.,Ltd. |
220.162.97.135 | China | AS4134 Chinanet |
220.165.142.6 | China | AS4134 Chinanet |
220.168.132.11 | China | AS4134 Chinanet |
220.194.200.173 | China | AS4837 CNCGROUP China169 Backbone |
221.10.4.6 | China | AS4837 CNCGROUP China169 Backbone |
222.138.229.57 | China | AS4837 CNCGROUP China169 Backbone |
222.140.155.6 | China | AS4837 CNCGROUP China169 Backbone |
222.174.239.10 | China | AS4134 Chinanet |
222.184.115.134 | China | AS4134 Chinanet |
222.186.128.134 | China | AS23650 AS Number for CHINANET jiangsu province backbone |
222.186.130.6 | China | AS23650 AS Number for CHINANET jiangsu province backbone |
222.186.17.6 | China | AS23650 AS Number for CHINANET jiangsu province backbone |
222.186.18.6 | China | AS23650 AS Number for CHINANET jiangsu province backbone |
222.216.188.10 | China | AS4134 Chinanet |
222.243.110.198 | China | AS4134 Chinanet |
222.88.91.134 | China | AS4134 Chinanet |
222.88.95.167 | China | AS4134 Chinanet |
223.85.134.6 | China | AS9808 Guangdong Mobile Communication Co.Ltd. |
223.87.1.50 | China | AS9808 Guangdong Mobile Communication Co.Ltd. |
27.24.213.140 | China | AS4134 Chinanet |
42.202.148.6 | China | AS4134 Chinanet |
58.215.139.68 | China | AS4134 Chinanet |
58.216.21.10 | China | AS4134 Chinanet |
58.216.22.10 | China | AS4134 Chinanet |
58.218.208.6 | China | AS23650 AS Number for CHINANET jiangsu province backbone |
58.218.214.242 | China | AS23650 AS Number for CHINANET jiangsu province backbone |
58.222.18.74 | China | AS4134 Chinanet |
58.242.249.12 | China | AS4837 CNCGROUP China169 Backbone |
58.51.95.135 | China | AS4134 Chinanet |
58.59.19.6 | China | AS4134 Chinanet |
58.61.152.234 | China | AS4134 Chinanet |
60.174.174.38 | China | AS4134 Chinanet |
60.18.155.32 | China | AS4837 CNCGROUP China169 Backbone |
60.19.65.201 | China | AS4837 CNCGROUP China169 Backbone |
60.191.196.198 | China | AS4134 Chinanet |
60.210.23.196 | China | AS4837 CNCGROUP China169 Backbone |
60.211.209.198 | China | AS4837 CNCGROUP China169 Backbone |
60.212.19.48 | China | AS4837 CNCGROUP China169 Backbone |
60.220.196.6 | China | AS4837 CNCGROUP China169 Backbone |
60.220.213.70 | China | AS4837 CNCGROUP China169 Backbone |
60.28.11.144 | China | AS4837 CNCGROUP China169 Backbone |
60.28.9.53 | China | AS4837 CNCGROUP China169 Backbone |
60.5.255.198 | China | AS4837 CNCGROUP China169 Backbone |
60.6.200.98 | China | AS4837 CNCGROUP China169 Backbone |
60.8.63.87 | China | AS4837 CNCGROUP China169 Backbone |
61.145.118.6 | China | AS4134 Chinanet |
61.147.89.24 | China | AS23650 AS Number for CHINANET jiangsu province backbone |
61.153.56.182 | China | AS4134 Chinanet |
61.157.124.20 | China | AS38283 CHINANET SiChuan Telecom Internet Data Center |
61.174.63.203 | China | AS4134 Chinanet |
61.188.191.10 | China | AS4134 Chinanet |
61.54.12.5 | China | AS4837 CNCGROUP China169 Backbone |
61.54.219.59 | China | AS4837 CNCGROUP China169 Backbone |
61.54.7.11 | China | AS4837 CNCGROUP China169 Backbone |
70.39.191.63 | United States | AS54994 Wangsu Science and Technology (US), Inc. |
ilineage2.ru
I just saw this happen tonight, all of a sudden, over about 6 minutes, from about 250 different IPs, all except a few from China; they did a single lookup for whoami.akamai.net then left. We sinkholed this name so it doesn't resolve how it should. I prefer not to participate in such nonsense.
I've been getting similar for several days now. Seemingly normal Chinese internet users who think that our website is Facebook, Bejeweled, a BitTorrent tracker, gaming stats servers, etc. It's mostly steady traffic but there were a few serious spikes of 2k / min for 45 minutes.
One theory is that it's people using a VPN to get around the great firewall and something is misconfigured.
For now I just return 444 but it's becoming a problem.