Sunday, December 22, 2013

Domain: amp.crack-zone.ru

If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver), so it answers queries that carry a forged source address and sends the large responses to that address.

If you are seeing responses for this domain: unlucky, that forged source address is yours and you are currently being DDoSed. Good luck.


Iptables:

There are two iptables rules available. If your distribution supports the iptables 'u32' module pick this one, otherwise use the 'string' rule.

Both rules match the query name in the DNS question section. With a 20-byte IPv4 header (no options), an 8-byte UDP header and a 12-byte DNS header, the name starts at offset 40 (0x28) from the start of the IP header and is encoded as length-prefixed labels: 03 'amp' 0a 'crack-zone' 02 'ru' 00 (19 bytes). The u32 rule compares five 4-byte words at offsets 0x28 to 0x38; each 0xDF mask byte clears bit 0x20 of a letter, so the comparison is case-insensitive, and the trailing 0x00 mask byte ignores whatever follows the name. The string rule searches the 19-byte window starting at offset 40 for the exact lowercase bytes, so a query with mixed-case labels slips past it. Either rule only drops the queries on this host; it does not close the open resolver. Restrict recursion to your own networks (or enable response rate limiting, if your name server supports it) as the real fix.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03414d50 && 0x2c&0xFFDFDFDF=0x0a435241 && 0x30&0xDFDFFFDF=0x434b2d5a && 0x34&0xDFDFDFFF=0x4f4e4502 && 0x38&0xDFDFFF00=0x52550000" -j DROP -m comment --comment "DROP DNS Q amp.crack-zone.ru"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|03616d700A637261636b2d7a6f6e6502727500|' -j DROP -m comment --comment "DROP DNS Q amp.crack-zone.ru"

More rules for the 'string' module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
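To show where the hex constants in the two rules above come from, here is an added example (my code, not the blog's or the smurfmonitor repository's) that derives the u32 words and masks and the string pattern from a domain name, prints the same two iptables commands, and then checks both matchers against constructed query packets. The packets are built inline and are not captures: the spoofed source is the 94.102.51.228 from this post, the resolver address 192.0.2.53 and the EDNS0 buffer size 4096 are assumptions, and IP/UDP checksums are left at zero. It goes beyond the post in two ways: it also emits a string pattern restricted to one query type (the 0x00ff of ANY appended after the name, the variant the commenters below use), and it demonstrates that the u32 rule still matches a mixed-case query while the string rule does not.

```python
"""Generate the u32 and string iptables rules for a DNS query name and check
them against constructed query packets (added example, not from the post)."""
import struct

IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12          # IPv4 without options, UDP, DNS header
QNAME_OFF = IP_HDR + UDP_HDR + DNS_HDR        # 40 = 0x28: first byte of the question name
QTYPE_ANY = 255


def wire_name(domain):
    """Encode a domain as DNS labels: length byte + label, terminated by a zero byte."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def u32_tests(domain):
    """(offset, mask, value) tests over 4-byte words, as the u32 module compares them.
    Letters get mask 0xDF (bit 0x20 cleared) so the test is case-insensitive; the
    padding bytes after the terminating zero get mask 0x00 (don't care)."""
    name = wire_name(domain)
    padded = name + b"\x00" * ((-len(name)) % 4)
    tests = []
    for i in range(0, len(padded), 4):
        mask = val = 0
        for j, b in enumerate(padded[i:i + 4]):
            if i + j >= len(name):
                m = 0x00
            elif 0x41 <= (b & 0xDF) <= 0x5A:      # ASCII letter in either case
                m = 0xDF
            else:
                m = 0xFF
            shift = 8 * (3 - j)
            mask |= m << shift
            val |= (b & m) << shift
        tests.append((QNAME_OFF + i, mask, val))
    return tests


def u32_rule(domain):
    expr = " && ".join(f"0x{off:x}&0x{mask:08X}=0x{val:08x}" for off, mask, val in u32_tests(domain))
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{expr}"'
            f' -j DROP -m comment --comment "DROP DNS Q {domain}"')


def string_pattern(domain, qtype=None):
    """Bytes the string rule looks for: the name, optionally followed by the query
    type (0x00ff for ANY) so that only that query type is dropped."""
    pat = wire_name(domain)
    if qtype is not None:
        pat += struct.pack("!H", qtype)
    return pat


def string_rule(domain, qtype=None):
    pat = string_pattern(domain, qtype)
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {QNAME_OFF}"
            f" --to {QNAME_OFF + len(pat)} --algo bm --hex-string '|{pat.hex()}|'"
            f' -j DROP -m comment --comment "DROP DNS Q {domain}"')


def build_query_packet(qname, qtype=QTYPE_ANY):
    """Constructed sample: IPv4 + UDP + DNS query with an EDNS0 OPT record, the shape
    an amplification query has. Checksums stay zero (not needed for the match)."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD, QD=1, AN=0, NS=0, AR=1
    dns += wire_name(qname) + struct.pack("!HH", qtype, 1)      # question: name, type, class IN
    dns += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)       # OPT: root name, type 41, size 4096
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + UDP_HDR + len(dns), 0, 0, 64, 17, 0,
                     bytes([94, 102, 51, 228]),     # spoofed source: the address from the post
                     bytes([192, 0, 2, 53]))         # the open resolver (assumed, documentation range)
    return ip + udp + dns


def u32_matches(pkt, tests):
    """Apply the u32 tests the way the module does: (word & mask) == value for every
    word, and a word that runs past the end of the packet never matches."""
    for off, mask, val in tests:
        if off + 4 > len(pkt):
            return False
        if struct.unpack("!I", pkt[off:off + 4])[0] & mask != val:
            return False
    return True


def string_matches(pkt, domain, qtype=None):
    """The string rule: the exact pattern bytes must occur inside the [--from, --to) window."""
    pat = string_pattern(domain, qtype)
    return pat in pkt[QNAME_OFF:QNAME_OFF + len(pat)]


if __name__ == "__main__":
    print(u32_rule("amp.crack-zone.ru"))
    print(string_rule("amp.crack-zone.ru"))
    print(string_rule("amp.crack-zone.ru", QTYPE_ANY))
    tests = u32_tests("amp.crack-zone.ru")
    for q in ("amp.crack-zone.ru", "AMP.Crack-Zone.RU", "google.com"):
        p = build_query_packet(q)
        print(f"{q:20} u32={u32_matches(p, tests)} string={string_matches(p, 'amp.crack-zone.ru')}")
```

The generated u32 command is byte-for-byte the one given above; the string command differs only in the case of the hex digits. Run it and the mixed-case query shows the difference between the two matchers: the u32 masks accept it, the string pattern does not, which is why the u32 variant is the one to prefer where the module is available.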

Source (the source address on the queries, which is spoofed, so this is the target of the attack):

94.102.51.228

Name server:

;; ANSWER SECTION:
crack-zone.ru.          51518   IN      NS      jim.ns.cloudflare.com.
crack-zone.ru.          51518   IN      NS      fay.ns.cloudflare.com.

;; ADDITIONAL SECTION:
fay.ns.cloudflare.com.  72548   IN      A       173.245.58.115
jim.ns.cloudflare.com.  85943   IN      A       173.245.59.125
jim.ns.cloudflare.com.  85943   IN      AAAA    2400:cb00:2049:1::adf5:3b7d
fay.ns.cloudflare.com.  72548   IN      AAAA    2400:cb00:2049:1::adf5:3a73

Response:

TXT records: 3
Response size: 9226 bytes

A query for this name is well under 100 bytes on the wire, so every query triggers roughly a hundred times its own size in response traffic towards the forged source address.


Whois

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        CRACK-ZONE.RU
nserver:       fay.ns.cloudflare.com.
nserver:       jim.ns.cloudflare.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2013.06.22
paid-till:     2014.06.22
free-date:     2014.07.23
source:        TCI





3 comments:

  1. You all should watch the IP 217.12.199.205, which points to xsrv.net.
    I had to block the IP because I was being DDoSed from it on four servers on port 53.

    ReplyDelete
  2. Can anyone confirm this?
    Attacks from 66.29.212.73 on the domains google.com and iana.org. Request "ANY".
    66.29.212.73 points to host73.212.29.66.static.maximumasp.com
    Domain Name: MAXIMUMASP.COM
    Registrar: TUCOWS DOMAINS INC.
    Whois Server: whois.tucows.com
    Referral URL: http://domainhelp.opensrs.net
    Name Server: NS1.MAXIMUMASP.COM
    Name Server: NS2.MAXIMUMASP.COM
    Status: ok
    Updated Date: 07-may-2013
    Creation Date: 05-jun-2000
    Expiration Date: 05-jun-2014

    Successfully stopped it by using a hex string because I don't know how to make it work with the u32 module.

    # google.com ANY
    iptables -I INPUT -p udp -m string --hex-string "|0000000006676f6f676c6503636f6d00|" --algo bm --dport 53 -j DROP

    # iana.org ANY
    iptables -I INPUT -p udp -m string --hex-string "|000000000469616e61036f72670000ff|" --algo bm --dport 53 -j DROP

    It would be nice if the maintainer of this blog would answer. Thanks in advance.

    ReplyDelete
  3. It goes on and on...
    Again, a new attack...

    Domain: nrc.gov

    Response:
    ANY

    IP: 125.139.223.250

    canonical name -
    aliases
    addresses 125.139.223.250

    % Information related to '125.128.0.0 - 125.159.255.255'

    inetnum: 125.128.0.0 - 125.159.255.255
    netname: KORNET
    descr: Korea Telecom
    descr: Network Management Center
    country: KR
    admin-c: IM76-AP
    tech-c: IM76-AP
    descr: ************************************************
    descr: Allocated to KRNIC Member.
    descr: If you would like to find assignment
    descr: information in detail please refer to
    descr: the KRNIC Whois Database at:
    descr: "http://whois.nic.or.kr/english/index.html"
    descr: ************************************************
    status: Allocated Portable
    mnt-by: MNT-KRNIC-AP
    mnt-lower: MNT-KRNIC-AP
    changed: hm-changed@apnic.net 20050822
    source: APNIC

    person: IP Manager
    nic-hdl: IM76-AP
    e-mail: kornet_ip@kt.com
    address: Seoul
    address: 206, Jungja-Dong, Bundang-Gu, Sungnam, Gyunggi-Do
    address: 463-711
    phone: +82-2-500-6630
    fax-no: +82-2-3674-5721
    country: KR
    changed: hostmaster@nic.or.kr 20111229
    mnt-by: MNT-KRNIC-AP
    source: APNIC

    Stopped it with the string module...
    # nrc.gov ANY
    iptables -I INPUT -p udp -m string --hex-string "|00000001036e726303676f760000ff00|" --algo bm --dport 53 -j DROP

    ReplyDelete