Wednesday, January 8, 2014

Domain: Zong.Zong.Co.Ua


If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x045a4f4e && 0x2c&0xDFFFDFDF=0x47045a4f && 0x30&0xDFDFFFDF=0x4e470243 && 0x34&0xDFFFDFDF=0x4f025541 && 0x38&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q"

More U32 rules can be found here:

iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|047a6f6e67047a6f6e6702636f02756100|' -j DROP -m comment --comment "DROP DNS Q"
More Iptables rules for the STRING module can be found here:


No IP source for this domain

Name server:             86400   IN      NS             86400   IN      NS


A 242
Rsize 3905


Domain ID:589099_COUA-DRS
Domain Name:ZONG.CO.UA
Created On:07-Jan-2014 14:31:16 UTC
Last Updated On:07-Jan-2014 14:31:16 UTC
Expiration Date:07-Jan-2015 14:31:16 UTC
Sponsoring Registrar:Reg RU (reg-ru-mnt-cunic)
Registrant ID:O8402055-CUNIC
Registrant Name:<not disclosed>
Registrant Organization:Private Person
Registrant Street1:<not disclosed>
Registrant Street2:<not disclosed>
Registrant Street3:<not disclosed>
Registrant City:<not disclosed>
Registrant State/Province:<not disclosed>
Registrant Postal Code:<not disclosed>
Registrant Country:<not disclosed>
Registrant Phone:+61.420500569
Registrant Fax:
Admin ID:A8402055-CUNIC
Admin Name:<not disclosed>
Admin Organization:Private Person
Admin Street1:<not disclosed>
Admin Street2:<not disclosed>
Admin Street3:<not disclosed>
Admin City:<not disclosed>
Admin State/Province:<not disclosed>
Admin Postal Code:<not disclosed>
Admin Country:<not disclosed>
Admin Phone:+61.420500569
Admin Fax:
Billing ID:B8402055-CUNIC
Billing Name:<not disclosed>
Billing Organization:Private Person
Billing Street1:<not disclosed>
Billing Street2:<not disclosed>
Billing Street3:<not disclosed>
Billing City:<not disclosed>
Billing State/Province:<not disclosed>
Billing Postal Code:<not disclosed>
Billing Country:<not disclosed>
Billing Phone:+61.420500569
Billing Fax:
Tech ID:T8402055-CUNIC
Tech Name:<not disclosed>
Tech Organization:Private Person
Tech Street1:<not disclosed>
Tech Street2:<not disclosed>
Tech Street3:<not disclosed>
Tech City:<not disclosed>
Tech State/Province:<not disclosed>
Tech Postal Code:<not disclosed>
Tech Country:<not disclosed>
Tech Phone:+61.420500569
Tech Fax:
Name Server:NS2.REG.RU
Name Server:NS1.REG.RU


  1. G_G you typed my domain wrong xD

    1. Me sorry, fixxed it now. Guess this is you then:

  2. Quite often the blog seems to update before sourceforge and the automated scripts?

  3. Seeing there:

  4. New facked domain |08666b666b666b666102636f02756b00|

  5. so is traffic being sent "to" this Zong.Co.Ua domain or "From"?

    The reason for asking is I cant actually see it when I type it into my browser.

  6. This rule is wrong, it doesn't block the attack:
    20-Jan-2014 10:03:24.854 queries: info: client query: IN ANY +E (
    20-Jan-2014 10:03:24.953 queries: info: client query: IN ANY +E (
    20-Jan-2014 10:03:25.245 queries: info: client query: IN ANY +E (
    20-Jan-2014 10:03:25.568 queries: info: client query: IN ANY +E (
    20-Jan-2014 10:03:25.939 queries: info: client query: IN ANY +E (

  7. new attacker doamin =>

  8. iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|646f6e67047a6f6e6702636f027561|' -j DROP -m comment --comment "DROP DNS Q"

    This would fix it for dong...

  9. Hello, you can block using this:
    iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 57 --algo bm --hex-string '|04646f6e67047a6f6e6702636f027561|' -j DROP -m comment --comment "DROP DNS Q"

  10. Once a domain expires one of two things will happen. Firstly the domain will expire and become available to register as a domain name through the normal registration process. If the domain has any value then it is likely to be picked up by a name drop registrar.

    Before we go deeper into the world of dropped names you may want to know what an expired domain name is and how you go about getting hold of an expired domain name.

    You may have noticed that your registrar offers a back ordering service. A Back order service allows you to pay your domain registrar to try and acquire a specific domain name once it expires.

    There are drop registrars whose sole purpose is to try and register a domain name once it has dropped. These expired domain name catchers work on behalf of individuals and other domain registrars to acquire domain names on their behalf.

    Expired domains are a big business as webmasters and large corporations try to grab as many valuable domains as they drop. The reason for this virtual land grab is that many domain names can fetch high resale prices on the open market or have valuable existing traffic or type in traffic potential.

    expired domains