
SANS ISC InfoSec Handlers Diary Blog



Report of spike in DNS Queries gd21.net

Published: 2012-07-24
Last Updated: 2012-07-24 19:34:51 UTC
by Richard Porter (Version: 2)
16 comment(s)

A reader (thanks, @Scott) reported that he is observing a sudden jump in DNS traffic, with every query asking for the same thing.

Here is a snippet from the logs, slightly edited.


Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: gd21.net IN TXT +E

** used with permission **

gd21.net appears to belong to a Korean shopping site of some kind. As always, use caution when following links.


Is anyone else seeing this? If so, could you report it?

UPDATE:

This is starting to look like a reflective, amplified DoS. A small TXT query for gd21.net draws a response of roughly 2.7 KB (see the dig output below) from any resolver that answers it, and the queries arrive from one address with a fresh source port each time, so the "client" address in the logs above is most likely the spoofed victim rather than the real sender. If you are seeing this, let us know.

leslie-2:~ packetalien$ dig gd21.net txt
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.3-P3 <<>> gd21.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18617
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;gd21.net.                      IN      TXT

;; ANSWER SECTION:
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.119 ip4:211.236.180.120 ip4:211.236.180.121 ip4:211.236.180.122 ip4:211.236.180.123 ip4:211.236.180.124 ip4:211.236.180.125 ip4:211.236.180.126 ip4:211.236.180.127 ip4:211.236.180.128 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.118 ip4:211.236.180.40 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.9 ip4:211.236.180.10 ip4:211.236.180.11 ip4:211.236.180.12 ip4:211.236.180.13 ip4:211.236.180.14 ip4:211.236.180.15 ip4:211.236.180.16 ip4:211.236.180.17 ip4:211.236.180.18 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.19 ip4:211.236.180.20 ip4:211.236.180.21 ip4:211.236.180.22 ip4:211.236.180.23 ip4:211.236.180.24 ip4:211.236.180.25 ip4:211.236.180.26 ip4:211.236.180.27 ip4:211.236.180.28 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.29 ip4:211.236.180.30 ip4:211.236.180.31 ip4:211.236.180.32 ip4:211.236.180.33 ip4:211.236.180.34 ip4:211.236.180.35 ip4:211.236.180.36 ip4:211.236.180.37 ip4:211.236.180.38 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.39 ip4:211.236.180.40 ip4:211.236.180.41 ip4:211.236.180.42 ip4:211.236.180.43 ip4:211.236.180.44 ip4:211.236.180.45 ip4:211.236.180.46 ip4:211.236.180.47 ip4:211.236.180.48 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.49 ip4:211.236.180.50 ip4:211.236.180.51 ip4:211.236.180.52 ip4:211.236.180.53 ip4:211.236.180.54 ip4:211.236.180.55 ip4:211.236.180.56 ip4:211.236.180.57 ip4:211.236.180.58 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.59 ip4:211.236.180.60 ip4:211.236.180.61 ip4:211.236.180.62 ip4:211.236.180.63 ip4:211.236.180.64 ip4:211.236.180.65 ip4:211.236.180.66 ip4:211.236.180.67 ip4:211.236.180.68 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.69 ip4:211.236.180.70 ip4:211.236.180.71 ip4:211.236.180.72 ip4:211.236.180.73 ip4:211.236.180.74 ip4:211.236.180.75 ip4:211.236.180.76 ip4:211.236.180.77 ip4:211.236.180.78 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.79 ip4:211.236.180.80 ip4:211.236.180.81 ip4:211.236.180.82 ip4:211.236.180.83 ip4:211.236.180.84 ip4:211.236.180.85 ip4:211.236.180.86 ip4:211.236.180.87 ip4:211.236.180.88 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.89 ip4:211.236.180.90 ip4:211.236.180.91 ip4:211.236.180.92 ip4:211.236.180.93 ip4:211.236.180.94 ip4:211.236.180.95 ip4:211.236.180.96 ip4:211.236.180.97 ip4:211.236.180.98 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.99 ip4:211.236.180.100 ip4:211.236.180.101 ip4:211.236.180.102 ip4:211.236.180.103 ip4:211.236.180.104 ip4:211.236.180.105 ip4:211.236.180.106 ip4:211.236.180.107 ip4:211.236.180.108 ~all"
gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.109 ip4:211.236.180.110 ip4:211.236.180.111 ip4:211.236.180.112 ip4:211.236.180.113 ip4:211.236.180.114 ip4:211.236.180.115 ip4:211.236.180.116 ip4:211.236.180.117 ip4:211.236.180.118 ~all"

;; AUTHORITY SECTION:
gd21.net.               236     IN      NS      ns2.goldennet.co.kr.
gd21.net.               236     IN      NS      ns.goldennet.co.kr.

;; Query time: 83 msec
;; SERVER: 68.105.29.16#53(68.105.29.16)
;; WHEN: Tue Jul 24 12:31:55 2012
;; MSG SIZE  rcvd: 2735

leslie-2:~ packetalien$ dig gd21.net txt | wc
      35     283    3349
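As an added example (this is not code from the diary, nor from the reader who sent the logs), here is a Python script that does the two things a handler wants at this point: scan BIND query-log lines for bursts of identical queries from one source address, and work out how much amplification a TXT reflector hands the attacker. The sample log is constructed, with RFC 5737 documentation addresses standing in for the reader's real client address; the 2735-byte response size is the MSG SIZE dig reported above; the 11-byte OPT pseudo-record and the 512-byte cap on non-EDNS UDP answers are protocol constants, not anything taken from the page.

```python
import re
from collections import Counter

# One BIND 9 query-log line, in the shape shown in the diary:
#   Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E
# Trailing flags: "+"/"-" = RD set/clear, "E" = EDNS0 present, "T" = over TCP, "D" = DO bit.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
    r"(?: (?P<flags>\S+))?"
)

# Constructed sample log modelled on the diary's lines; 192.0.2.62 stands in for the
# reader's real client address and the two 198.51.100.7 lines are ordinary traffic.
SAMPLE_LOG = """\
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 198.51.100.7#40001: query: www.example.com IN A +
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#6076: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#27221: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#34485: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#56117: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#56118: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.7#40002: query: example.com IN MX +
Jul 24 13:28:57 ns1 named[3240]: not a query line, should be skipped
"""


def parse_query_line(line):
    """Return the fields of one BIND query-log line as a dict, or None if it is not one."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def find_bursts(log_text, threshold=5):
    """Count queries per (client, qname, qtype) inside each one-second bucket and
    return the buckets that reach `threshold`.  Many identical queries from one
    address, each from a fresh source port, is the reflector's view of an
    amplification attack: the logged "client" is the spoofed victim, not the sender."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        counts[(rec["client"], rec["qname"].lower(), rec["qtype"].upper(), rec["ts"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def wire_query_size(qname, edns=True):
    """DNS payload size of a minimal query: 12-byte header, length-prefixed labels
    plus the root terminator, 4 bytes of QTYPE/QCLASS, and an 11-byte OPT
    pseudo-record when EDNS0 is used (the "E" in the log flags)."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    name_len = sum(len(label) + 1 for label in labels) + 1
    return 12 + name_len + 4 + (11 if edns else 0)


def amplification_factor(qname, full_response_bytes, edns_bufsize=4096):
    """DNS payload bytes returned per payload byte sent.  With EDNS0 the reflector
    sends up to the advertised buffer size over UDP; without it (edns_bufsize=None)
    a UDP answer is capped at 512 bytes and flagged truncated, which is why
    attackers send EDNS0 queries."""
    edns = edns_bufsize is not None
    usable = min(full_response_bytes, edns_bufsize if edns else 512)
    return usable / wire_query_size(qname, edns)


if __name__ == "__main__":
    for (client, qname, qtype, ts), n in sorted(find_bursts(SAMPLE_LOG).items()):
        print(f"{ts}: {n} x {qname}/{qtype} from {client}")
    # 2735 is the MSG SIZE dig reported for gd21.net TXT in the diary above.
    print(f"EDNS0 query:   {amplification_factor('gd21.net', 2735):.1f}x")
    print(f"no-EDNS query: {amplification_factor('gd21.net', 2735, None):.1f}x")
```

Run against the sample, it flags two one-second buckets (five gd21.net TXT queries each from the same address) and leaves the A and MX lookups alone; a real deployment would feed it the live query log and a threshold tuned to normal traffic. The EDNS comparison is the caveat worth keeping: a 37-byte EDNS0 query pulls the full 2735-byte answer, roughly 74 times its own size, while the same query without the OPT record gets a truncated 512-byte answer, which is why the E flag on every logged query is itself a tell. How much of that a given open resolver will actually send over UDP depends on its own limits (the dig run above fell back to TCP), so the figure is an upper bound per reflector.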


Richard Porter

--- ISC Handler on Duty
