If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain.. unlucky. You are currently being DDoS-ed! Good luck.
Iptables:
There are two iptables rules available. If your distribution supports the iptables 'u32' match module, pick that one; otherwise use the 'string' rule.
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04455248 && 0x2c&0xDFFFDFDF=0x4a025057 && 0x30&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q erhj.pw"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 49 --algo bm --hex-string '|046572686a02707700|' -j DROP -m comment --comment "DROP DNS Q erhj.pw"
More Iptables rules for the STRING module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
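The two rules above are hand-derived from the DNS wire encoding of the name: the u32 rule compares the QNAME bytes starting at offset 0x28 (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header), masking letters with 0xDF so both upper and lower case match, and the string rule searches for the same nine bytes between offsets 40 and 49. The script below is an added example, not code from the original post or from the smurfmonitor repository; it generalizes that derivation to any name, reproduces the exact values shown above for erhj.pw, and applies the u32 tests to a constructed query packet (addresses from the 192.0.2.0/24 documentation range, checksums left zero) so the rule can be sanity-checked offline before it is loaded.

```python
"""Added example (not from the original post): derive the iptables u32 and
string match values that drop DNS queries for a given name, and check a
constructed query packet against them.

Assumed packet layout: IPv4 header without options (20 bytes) + UDP header
(8 bytes) + DNS header (12 bytes) = 40 bytes (0x28) before the QNAME.
"""
import struct

QNAME_OFFSET = 20 + 8 + 12  # 0x28: where the question name starts


def encode_qname(name: str) -> bytes:
    """DNS wire format: each label prefixed by its length, then a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def u32_tests(name: str) -> list:
    """(offset, mask, value) triples, one per 32-bit word of the QNAME.

    Letters get mask 0xDF so upper and lower case both match; length bytes,
    digits, hyphens and the terminating zero are compared exactly; bytes past
    the end of the name get mask 0x00 (don't care)."""
    qname = encode_qname(name)
    tests = []
    for i in range(0, len(qname), 4):
        chunk = qname[i:i + 4]
        mask = value = 0
        for j in range(4):
            if j < len(chunk):
                b = chunk[j]
                m = 0xDF if chr(b).isalpha() else 0xFF
            else:
                b, m = 0, 0
            mask = (mask << 8) | m
            value = (value << 8) | (b & m)
        tests.append((QNAME_OFFSET + i, mask, value))
    return tests


def u32_expression(name: str) -> str:
    """The string passed to `-m u32 --u32 "..."`."""
    return " && ".join(f"0x{off:02x}&0x{mask:08X}=0x{val:08x}"
                       for off, mask, val in u32_tests(name))


def string_match(name: str) -> tuple:
    """(--hex-string, --from, --to) values for the iptables 'string' match."""
    qname = encode_qname(name)
    return "|" + qname.hex() + "|", QNAME_OFFSET, QNAME_OFFSET + len(qname)


def u32_match(packet: bytes, tests) -> bool:
    """Apply the u32 tests to a raw IPv4 packet the way the kernel module
    does: a test that reads past the end of the packet fails."""
    for off, mask, val in tests:
        if off + 4 > len(packet):
            return False
        word = int.from_bytes(packet[off:off + 4], "big")
        if word & mask != val:
            return False
    return True


def build_query_packet(name: str, qtype: int = 255) -> bytes:
    """Constructed IPv4/UDP DNS query for offline testing: checksums are left
    zero and the addresses come from the 192.0.2.0/24 documentation range."""
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + udp


if __name__ == "__main__":
    print(u32_expression("erhj.pw"))
    print(string_match("erhj.pw"))
    rules = u32_tests("erhj.pw")
    print(u32_match(build_query_packet("ERHJ.PW"), rules))          # True
    print(u32_match(build_query_packet("erhj.pw.example"), rules))  # False
```

Two points worth noticing when checking the output: the terminating zero byte at 0x30 is what stops the rule from also dropping queries for names that merely begin with erhj.pw, and the fixed offset 0x28 assumes an IPv4 header without options, so a query carrying IP options would shift the QNAME and slip past the u32 rule (the string match, which searches a byte range, is less sensitive to that).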
Source:
81.17.130.54 - Ecatel
Name server:
;; ANSWER SECTION:
erhj.pw. 3600 IN NS ns1.h1.artplanet.su.
erhj.pw. 3600 IN NS ns2.h1.artplanet.su.
Response:
A 243
MX 2
NS 2
SOA 1
TXT 1
Rsize 4073
Whois
This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/
Domain ID:CNIC-DO1680644
Domain Name:ERHJ.PW
Created On:2013-12-08T13:18:20.0Z
Last Updated On:2013-12-13T13:27:10.0Z
Expiration Date:2014-12-08T23:59:59.0Z
Status:TRANSFER PROHIBITED
Registrant ID:H280468
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant City:Nobby Beach
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
Registrant Email:contact@privacyprotect.org
Admin ID:H280468
Admin Name:Domain Admin
Admin Organization:PrivacyProtect.org
Admin Street1:ID#10760, PO Box 16
Admin Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Admin City:Nobby Beach
Admin Postal Code:QLD 4218
Admin Country:AU
Admin Phone:+45.36946676
Admin Email:contact@privacyprotect.org
Tech ID:H280468
Tech Name:Domain Admin
Tech Organization:PrivacyProtect.org
Tech Street1:ID#10760, PO Box 16
Tech Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Tech City:Nobby Beach
Tech Postal Code:QLD 4218
Tech Country:AU
Tech Phone:+45.36946676
Tech Email:contact@privacyprotect.org
Billing ID:H280468
Billing Name:Domain Admin
Billing Organization:PrivacyProtect.org
Billing Street1:ID#10760, PO Box 16
Billing Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Billing City:Nobby Beach
Billing Postal Code:QLD 4218
Billing Country:AU
Billing Phone:+45.36946676
Billing Email:contact@privacyprotect.org
Sponsoring Registrar ID:H2834038
Sponsoring Registrar IANA ID:1111
Sponsoring Registrar Organization:DomainContext Inc.
Sponsoring Registrar Street1:501 Silverside Road
Sponsoring Registrar Street2:Suite 105
Sponsoring Registrar City:Wilmington
Sponsoring Registrar State/Province:DE
Sponsoring Registrar Postal Code:19809
Sponsoring Registrar Country:US
Sponsoring Registrar Phone:+1 302 4427322
Sponsoring Registrar FAX:+1 302 4427337
Sponsoring Registrar Website:http://www.domaincontext.com
Name Server:NS2.H1.ARTPLANET.SU
Name Server:NS1.H1.ARTPLANET.SU
DNSSEC:Unsigned