If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.
IPtables:
There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x0d4d4152 && 0x2c&0xDFDFDFDF=0x55534941 && 0x30&0xDFDFDFDF=0x41545441 && 0x34&0xDFDFFFDF=0x434b0250 && 0x38&0xDFFF0000=0x57000000" -j DROP -m comment --comment "DROP DNS Q marusiaattack.pw"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|0D6d61727573696161747461636b02707700|' -j DROP -m comment --comment "DROP DNS Q marusiaattack.pw"
More Iptables rules for the STRING module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
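How the hex values in both rules follow from the domain name, as an added example (not code from this page or from the linked repository). It encodes a name in DNS wire format and rebuilds the u32 expression and the string pattern; the function names are hypothetical, and offset 40 assumes an IPv4 header without options (20 bytes) plus the UDP header (8) and the DNS header (12).

```python
# Added example: derive the match data used in the two iptables rules above.
QNAME_OFFSET = 40  # assumption: IPv4 header without options (20) + UDP (8) + DNS header (12)

def encode_qname(domain):
    """DNS wire format: each label prefixed by its length, terminated by 0x00."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def u32_expr(domain):
    """Build the --u32 expression, one 32-bit word per term.

    Letters are compared through mask 0xDF (clears the ASCII case bit), so the
    match is case-insensitive. Length bytes (<= 63), digits and hyphens use
    0xFF; bytes past the end of the name are masked out with 0x00.
    """
    q = encode_qname(domain)
    terms = []
    for i in range(0, len(q), 4):
        chunk = q[i:i + 4]
        mask = value = 0
        for j in range(4):
            mask <<= 8
            value <<= 8
            if j < len(chunk):
                m = 0xDF if bytes([chunk[j]]).isalpha() else 0xFF
                mask |= m
                value |= chunk[j] & m
        terms.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + i, mask, value))
    return " && ".join(terms)

def string_match(domain):
    """Return (--hex-string pattern, --from, --to) for the string module."""
    q = encode_qname(domain)
    return "|%s|" % q.hex(), QNAME_OFFSET, QNAME_OFFSET + len(q)

if __name__ == "__main__":
    print(u32_expr("marusiaattack.pw"))
    print(string_match("marusiaattack.pw"))
```

The 0xDF masks make the u32 rule match the name in any letter case, while the hex-string rule as written matches only the lowercase spelling, so mixed-case queries for the same name pass the string rule.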
Source:
No IP source for this domain
Name server:
;; ANSWER SECTION:
marusiaattack.pw. 21600 IN NS ns1.reg.ru.
marusiaattack.pw. 21600 IN NS ns2.reg.ru.
Response:
A 242
NS 2
SOA 1
Rsize 3979
Whois
This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/
Domain ID:CNIC-DO1656911
Domain Name:MARUSIAATTACK.PW
Created On:2013-11-28T23:27:45.0Z
Last Updated On:2013-11-28T23:27:46.0Z
Expiration Date:2014-11-28T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:ADD PERIOD
Registrant ID:H4516280
Registrant Name:Magamed Ishakov
Registrant Organization:Private Person
Registrant Street1:fonar d 81 kv 188
Registrant City:Moscow
Registrant State/Province:Moscow
Registrant Postal Code:119484
Registrant Country:RU
Registrant Phone:+7.9264756756
Registrant Email:webmaster@search-alles.us
Admin ID:H4516283
Admin Name:Magamed Ishakov
Admin Organization:Private Person
Admin Street1:fonar d 81 kv 188
Admin City:Moscow
Admin State/Province:Moscow
Admin Postal Code:119484
Admin Country:RU
Admin Phone:+7.9264756756
Admin Email:webmaster@search-alles.us
Tech ID:H4516286
Tech Name:Magamed Ishakov
Tech Organization:Private Person
Tech Street1:fonar d 81 kv 188
Tech City:Moscow
Tech State/Province:Moscow
Tech Postal Code:119484
Tech Country:RU
Tech Phone:+7.9264756756
Tech Email:webmaster@search-alles.us
Billing ID:H4516289
Billing Name:Magamed Ishakov
Billing Organization:Private Person
Billing Street1:fonar d 81 kv 188
Billing City:Moscow
Billing State/Province:Moscow
Billing Postal Code:119484
Billing Country:RU
Billing Phone:+7.9264756756
Billing Email:webmaster@search-alles.us
Sponsoring Registrar ID:H2440764
Sponsoring Registrar IANA ID:1606
Sponsoring Registrar Organization:Registrar of Domain Names REG.RU, LLC
Sponsoring Registrar Street1:Office 326, House 3 Vasily Petushkov Street
Sponsoring Registrar City:Moscow
Sponsoring Registrar Postal Code:125476
Sponsoring Registrar Country:RU
Sponsoring Registrar Phone:+74955801111
Sponsoring Registrar FAX:+74954915553
Sponsoring Registrar Website:http://www.reg.ru/
Name Server:NS1.REG.RU
Name Server:NS2.REG.RU
DNSSEC:Unsigned