Comments on DNS Amplification Attacks Observer: Domain: aa3247.com (comment feed, last updated 2022-10-26)

dnsamplificationattacks (2013-11-01T04:36:06-07:00):
I'm pretty sure that you must be running a DNS server on that Windows host. If you see queries, then you are participating in these attacks; if you see responses, you are the victim of an attack.

dnsamplificationattacks (2013-11-01T04:35:21-07:00):
Are you sure you are not just running a DNS server on the computer? If you see queries, you are participating; if you see responses, you are being DDoS-ed.

Anonymous (2013-10-30T17:00:55-07:00):
I have a Windows host that seems to be making DNS requests for aa3247.com. Catching it outbound on the firewall. Working to isolate the process. Any thoughts on how one might go about that? Using procmon does not give me the content of the UDP packet, and a packet sniff can't tell me the PID.

Anonymous (2013-10-30T16:53:39-07:00):
Seeing this as well. Any idea if the process has been identified?
Tried scanning with a couple of tools, but no positive yet.

Anonymous (2013-10-13T17:03:46-07:00):
122.136.196.116:10770 is creeping to my router.

Anonymous (2013-09-27T16:24:49-07:00):
aa3247.com has large A records... My DNS server receives requests from 122.136.196.117. But it doesn't sequentially request aa3247.com.

Anonymous (2013-09-26T19:31:42-07:00):
I am also seeing DNS lookups for this record coming from 122.136.196.117. It repeats for a few minutes, then stops, then comes back again hours later.

dnsamplificationattacks (2013-09-26T05:56:57-07:00):
Do you have a sample of the malware? If you do, would you be so kind as to send it to my email?

That is a surprisingly large amount of data...

Anonymous (2013-09-26T05:52:34-07:00):
Think this is related to some virus. I see a compromised computer sending ICMP packets with the URL aa3247.com in the data. The packets are being sent to 122.136.196.116. This computer already received 10 GB (maybe 18 GB total) in the past few days.