Thursday, December 5, 2013

A Who-Am-I from China


Today I found the domain "whoami.akamai.com" in my log files. After concluding that there was no amplification potential in it, I looked at who requested this domain. Normally there is a single request for such 'new' domains (mostly from an Ecatel IP). Not today: over a hundred different IPs scrolled by.

The queries were also sent with only the Recursion Desired bit set and without EDNS, which I usually do see.

Most IPs requested the domain only once. But why this domain? The IPs are scattered over a few ASes:

     71  AS4134 Chinanet
     40  AS4837 CNCGROUP China169 Backbone
      7  AS23650 AS Number for CHINANET jiangsu province backbone
      6  AS9808 Guangdong Mobile Communication Co.Ltd.
      4  AS38283 CHINANET SiChuan Telecom Internet Data Center
      3  AS17816 China Unicom IP network China169 Guangdong province
      2  AS4812 China Telecom (Group)
      2  AS4808 CNCGROUP IP network China169 Beijing Province Network
      2  AS24444 Shandong Mobile Communication Company Limited
      1  AS7473 Singapore Telecommunications Ltd
      1  AS58424 #3BEo, Sangkat Beoun Prolit, Khan 7Makara, Phnom Penh.
      1  AS56046 China Mobile communications corporation
      1  AS56040 China Mobile communications corporation
      1  AS54994 Wangsu Science and Technology (US), Inc.
      1  AS4538 China Education and Research Network Center
      1  AS3462 Data Communication Business Group
      1  AS24445 Henan Mobile Communications Co.,Ltd
      1  AS18118 CITIC Networks Management Co.,Ltd.
      1  AS1299 TeliaNet Global Network

A few IPs have rDNS set:

112.117.216.6 - 6.216.117.112.broad.km.yn.dynamic.163data.com.cn.
121.205.7.134 - 134.7.205.121.broad.qz.fj.dynamic.163data.com.cn.
122.136.46.81 - 81.46.136.122.adsl-pool.jlccptt.net.cn.
122.138.54.6 - 6.54.138.122.adsl-pool.jlccptt.net.cn.
122.143.27.134 - 134.27.143.122.adsl-pool.jlccptt.net.cn.
123.103.64.180 - 123.103.64.180-BJ-CNC.
124.163.221.6 - 6.221.163.124.adsl-pool.sx.cn.
125.75.128.81 - 81.128.125.75.gs.dynamic.163data.com.cn.
182.118.15.6 - hn.kd.ny.adsl.
182.118.73.10 - hn.kd.ny.adsl.
219.153.52.6 - 6.52.153.219.broad.cq.cq.dynamic.163data.com.cn.
219.154.65.164 - hn.kd.jz.adsl.
220.165.142.6 - 6.142.165.220.broad.cx.yn.dynamic.163data.com.cn.
222.138.229.57 - hn.kd.ny.adsl.
222.140.155.6 - hn.kd.dhcp.
60.220.196.6 - 6.196.220.60.adsl-pool.sx.cn.
60.220.213.70 - 70.213.220.60.adsl-pool.sx.cn.
61.157.124.20 - 20.124.157.61.dial.zy.sc.dynamic.163data.com.cn.
61.188.191.10 - 10.191.188.61.broad.nc.sc.dynamic.163data.com.cn.
61.54.12.5 - hn.kd.dhcp.
61.54.219.59 - hn.kd.dhcp.
61.54.7.11 - hn.kd.dhcp.

DHCP, dynamic: these sound like home connections. Botnet?

WhoAmI.akamai.com

As it turns out, this subdomain is something special.
The A record returned for this name is the source IP of the request as it reaches Akamai's name servers. So if you run a local recursive DNS server, your own (WAN) IP is returned. When using a remote DNS server, that server's IP is returned. In the case of a chain of forwarding DNS servers, the IP of the last one in the chain (the one that actually talks to the authoritative server) is returned.


Google Public DNS:

dig whoami.akamai.com @8.8.8.8

....
;; ANSWER SECTION:

whoami.akamai.net.      94      IN      A       74.125.17.147

My query was forwarded to 74.125.17.147 by Google, for load-balancing purposes I guess, perhaps using EDNS client subnet.

But why request this domain from every open DNS server in the world?

The people behind this scan can tell, for each 'open DNS server', whether it is an 'open resolver' or an 'open forwarder'. Perhaps this makes a significant difference when performing DNS amplification attacks, or perhaps it is just nice to know.

When the responses to these queries are properly logged, one could generate a really nice graph of which open forwarders hide behind which open resolvers. I want that graph now!

I am assuming there are a lot more open forwarders than open resolvers, but I have no stats on that. Perhaps this was a small botnet making these requests, but then why request it so many times? As the queries are almost all from China, it cannot be about geographic diversity. Pretty confusing.
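As an added example that is not part of the original post (and not Akamai's code): a small Python encoder/decoder that builds a whoami query in the shape described above (only RD set, no EDNS OPT unless asked for), reports whether a captured query carries EDNS, and decodes the A answer to tell whether the server that was asked recursed itself or forwarded. All bytes are constructed inline; sample_response re-encodes the Google answer shown above, and the name whoami.akamai.net is taken from that dig output.

```python
import socket
import struct

def build_query(qname, edns=False, txid=0x1234):
    # Flags 0x0100 = only Recursion Desired set; no OPT record unless edns=True.
    q = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.strip(".").split("."))
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""  # OPT: root name, type 41
    hdr = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    return hdr + q + b"\x00" + struct.pack("!HH", 1, 1) + opt              # QTYPE A, QCLASS IN

def _name(msg, off):
    # Decode a domain name, following RFC 1035 compression pointers.
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer: remember the byte after it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse(msg):
    # Report qname, the RD bit, whether an OPT RR (EDNS) is present, and any A answers.
    _, flags, _, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = _name(msg, 12)
    off, edns, answers = off + 4, False, []        # +4 skips QTYPE and QCLASS
    for i in range(an + ns + ar):
        _, off = _name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            edns = True
        elif rtype == 1 and i < an and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"qname": qname, "rd": bool(flags & 0x0100), "edns": edns, "answers": answers}

def classify(server_ip, response):
    # whoami returns the address the authoritative side saw: equal to the server asked -> it recursed itself, else it forwarded.
    answers = parse(response)["answers"]
    if not answers:
        return "no-answer", None                   # e.g. the name was sinkholed
    return ("resolver" if answers[0] == server_ip else "forwarder"), answers[0]

def sample_response(seen_ip, ttl=94):
    # Constructed whoami answer: QR|RD|RA flags, one A RR whose name points at the question.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(seen_ip)
    return struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("whoami.akamai.net")[12:] + rr
```

Run against a captured query, parse() shows whether it matches the RD-only, no-EDNS profile seen here; run against a real answer, classify() gives the resolver/forwarder split the post wants to graph.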

If anyone has any idea about all this, let me know!


Observed source IPs: the full per-address listing (IP, country, AS) is not reproduced here; the per-AS counts above summarise it.

3 comments:

  1. I just saw this happen tonight, all of a sudden over about 6 minutes, from about 250 different IPs, all except a few were from China, did a single lookup for whoami.akamai.net then left. We sinkholed this name so it doesn't resolve how it should. I prefer not to participate in such nonsense.

  2. I've been getting similar for several days now. Seemingly normal Chinese internet users who think that our website is Facebook, Bejeweled, a BitTorrent tracker, gaming stats servers etc. It's mostly steady traffic but there were a few serious spikes of 2k/min for 45 minutes.

    One theory is that it's people using a VPN to get around the Great Firewall and something is misconfigured.

    For now I just return 444 but it's becoming a problem.
