Though I am hearing a lot of sounds about it being related to malware but evidence for that has yet to surface.
The first report I read about this was the following post on Spiceworks[1], where some people labeled this as an in -or out going DNS amplification attack. Since then I have heard from DNS admins from all over the world who where seeing similar traffic and rules they wrote to defend themselves against it.
I believe that this attack is also what was troubling some Linux PowerDNS[2] installs.
Amplification Attacks
When an attacker wants to take down a website or host it has different ways to do so. One of which is a Denial of Service (DOS) attack. One common form of attack is a DNS and since recently NTP Reflective Amplification Attacks. These attacks focus on flooding the internet pipe of the victim with useless traffic generated by open DNS/NTP servers on the web.
For these attacks to work an attacker needs -multiple- host with 1gbit uplinks and the ability to spoof source IPs on that AS and a list of good Open DNS/NTP servers.
A good open server is in this case a DNS or NTP server that is capable of sending a much larger response to a small request. For DNS one would search for DNS server supporting EDNS and for NTP servers that support the Monlist command.
The attack
The DNS based attack I have been observing does not require very high quality DNS servers, actually any open resolver will do.The attackers simply floods the open resolver(s) with non-existent sub-domains for a domain. This will require the resolver to query the DNS hierarchic and contact the authoritative name server for the domain. One can imagine the effects of hundreds, thousands or even millions of open resolvers contacting the same bunch of authoritative name servers with unique requests multiple times per second.
While writing this blog I observed lots of queries to *.www.0538hj.com. The name servers for this domains are:
;; QUESTION SECTION:
;0538hj.com. IN NS
;; ANSWER SECTION:
0538hj.com. 60345 IN NS dns11.hichina.com.
0538hj.com. 60345 IN NS dns12.hichina.com.
;; ADDITIONAL SECTION:
dns12.hichina.com. 84272 IN A 223.5.2.82
dns12.hichina.com. 84272 IN A 121.196.255.82
dns12.hichina.com. 84272 IN A 121.196.255.132
dns11.hichina.com. 84272 IN A 223.5.2.131
dns11.hichina.com. 84272 IN A 121.196.255.81
dns12.hichina.com. 84272 IN A 42.96.255.82
dns11.hichina.com. 84272 IN A 42.96.255.81
dns12.hichina.com. 84272 IN A 42.96.255.132
dns11.hichina.com. 84272 IN A 223.5.2.81
dns11.hichina.com. 84272 IN A 42.96.255.131
dns11.hichina.com. 84272 IN A 121.196.255.131
dns12.hichina.com. 84272 IN A 223.5.2.132
While this attack was ongoing it was very difficult to get a response from one of these servers. Goes to show how effective the attack is.
dig a 0538hj.com @dns11.hichina.com
;; global options: +cmd;; connection timed out; no servers could be reached
About 1 out of 8 queries seemed to get an answer.
The query rate was about 2 - 8 queries per second.
First!
My logs suggest I first started seeing these attacks on Febuary the 3th with domain: abpdesthvwxyz.gb41.com.
The following graph shows the amount of unique domain names this resolver has been seeing each day in February.
Normally this would only be about 10 a day as this server is not used in any legitimate way but participates only in DNS amp and receives some DNS scans. On days I have been seeing these attacks I have seen spikes as high as 16.000 unique domains.
Domains the method - Name Servers the targets
Over time I have seen a multitude of domains. Here are some of the bigger attacks I have seen. The count represent the amount of sub-domains I observed that day. As each sub domain is only requested once this is equal to the amount of IPs and requests.
Count Date Domain
103294 2014-02-11 .jn176.com
74525 2014-02-22 .sf123.com
69164 2014-02-13 .iidns.com
60176 2014-02-23 .sf123.com
49855 2014-02-21 .sf123.com
46308 2014-02-14 .567uu.com
46023 2014-02-11 .hcq99.com
41051 2014-02-22 .51pop.net
31899 2014-02-12 .gx911.com
30139 2014-02-11 .gx911.com
29984 2014-02-12 .999qp.net
28956 2014-02-19 .jd176.com
27736 2014-02-18 .269sf.com
27006 2014-02-10 .yinquanxuan.com
25780 2014-02-14 .iidns.com
25576 2014-02-15 .567uu.com
25417 2014-02-05 .139hg.com
22184 2014-02-23 .52ssff.com
20424 2014-02-15 .liehoo.net
19609 2014-02-11 .sf717.com
19525 2014-02-18 .chinahjfu.com
19452 2014-02-14 .369df.com
18496 2014-02-05 .hqsy120.com
18086 2014-02-18 .5kkx.com
17932 2014-02-23 .51pop.net
17257 2014-02-14 .love303.com
16617 2014-02-15 .cxmyy.com
16614 2014-02-15 .cc176.com
16380 2014-02-11 .999qp.net
16244 2014-02-15 .jdgaj.com
15977 2014-02-19 .bdhope.com
15316 2014-02-12 .hcq99.com
14808 2014-02-19 .seluoluo3.com
14675 2014-02-14 .422ko.com
14086 2014-02-19 .250hj.com
13900 2014-02-22 .5ipop.net
13477 2014-02-14 .lcjba.com
13415 2014-02-04 .wb123.com
13315 2014-02-23 .luse7.com
13079 2014-02-23 .luse8.com
Name servers:
The above domains use the following name servers and we can assume that during these attacks these name servers where very difficult to reach.
4 iidns.com.
3 hichina.com.
3 dnsabc-b.com.
2 dnsabc-g.com.
3 gfdns.net.
1 zndns.com.
1 51dns.com.
1 360wzb.com.
1.gfdns.net.
1 51dns.com.
1 domaincontrol.com.
1 dnspod.com.
Spoofed or not?
Each DNS query is received from a different IP-address. This suggest spoofing but not in the way it is used with reflective amplification attacks, to specify the target. Here it seems to be used to cloak the origin of these queries from the resolvers.
I keep track of a few values for each query that comes in. Among others its Time To Live (TTL), a value that is not often spoofed.
Count TTL
1074 234
2226 235
19106 236
53624 237
54193 238
107010 239
197934 240
234902 241
226965 242
322752 243
308978 244
239031 245
185288 246
158441 247
62255 248
23045 249
16 different TTLs not bad. Suggests it is from all over the globe. Until I noticed the following request for a domain matching this regex:
[a-z]\.www.luse[0-9]\.com\.
Two queries occurred within the same hours but its TTL was off by a lot:
ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.luse0.com ; count=1 ; qtype=A ; ttl=234
ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.luse6.com ; count=1 ; qtype=A ; ttl=247
13 hops difference, that could be the difference between a request from Europe or the US a change like that doesn't add up. I call that evidence of spoofing.
Detection
For me it is pretty easy to detect these attacks now that I know what to look for. But I am fortunate enough to have very little legit traffic so this malicious traffic stands out nicely. When running a (very) large resolver for a network it will be more difficult to spot, let alone block.
Characteristics
So far I have only seen queries for:
- All queries are for A records
- No OPT resource record in query
- One label is randomized
-The random sub-domain contains only chars a-z
- Random sub-domain label length is between: 1 <> 16
Remedy
Automatically flagging of these domains might result in false positive. So until a characteristic is found that can be used to isolate this traffic more specifically it will be mainly manual labor to maintain blacklists.One way of dropping this traffic would be by using the IPtables strings module:
iptables --insert INPUT -p udp --dport 53 -m string --from 34 --to 80 --algo bm --hex-string '|056c7573653003636f6d00|' -j DROP -m comment --comment "DROP DNS Q luse0.com"
An employee of Secure64 pointed me to their blog about the subject:
https://blog.secure64.com/?p=377
References:
[1] - http://community.spiceworks.com/topic/441721-what-does-a-dns-amplification-ddos-attack-look-like
[2] - http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
