Report of spike in DNS Queries gd21.net

Published: 2012-07-24
Last Updated: 2012-07-24 19:34:51 UTC
by Richard Porter (Version: 2)
16 comment(s)

A reader reported (thanks @Scott) that he is observing a sudden jump in DNS Traffic all asking for the same thing.

Here is a snip from logs, slightly edited.

 

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: gd21.net IN TXT +E

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: gd21.net IN TXT +E

Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: gd21.net IN TXT +E

Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: gd21.net IN TXT +E

Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: gd21.net IN TXT +E

Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: gd21.net IN TXT +E

Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: gd21.net IN TXT +E

Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: gd21.net IN TXT +E

** used with permission **

gd21.net seems to link to a Korean Shopping site of some kind. As always, use caution when following links


Is anyone else seeing this? If so could you report it?

 

UPDATE:

Starting to look like reflective amplified DOS. If you are seeing this let us know.

 

leslie-2:~ packetalien$ dig gd21.net txt

;; Truncated, retrying in TCP mode.

 

; <<>> DiG 9.7.3-P3 <<>> gd21.net txt

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18617

;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 2, ADDITIONAL: 0

 

;; QUESTION SECTION:

;gd21.net.                      IN      TXT

 

;; ANSWER SECTION:

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.119 ip4:211.236.180.120 ip4:211.236.180.121 ip4:211.236.180.122 ip4:211.236.180.123 ip4:211.236.180.124 ip4:211.236.180.125 ip4:211.236.180.126 ip4:211.236.180.127 ip4:211.236.180.128 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.118 ip4:211.236.180.40 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.9 ip4:211.236.180.10 ip4:211.236.180.11 ip4:211.236.180.12 ip4:211.236.180.13 ip4:211.236.180.14 ip4:211.236.180.15 ip4:211.236.180.16 ip4:211.236.180.17 ip4:211.236.180.18 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.19 ip4:211.236.180.20 ip4:211.236.180.21 ip4:211.236.180.22 ip4:211.236.180.23 ip4:211.236.180.24 ip4:211.236.180.25 ip4:211.236.180.26 ip4:211.236.180.27 ip4:211.236.180.28 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.29 ip4:211.236.180.30 ip4:211.236.180.31 ip4:211.236.180.32 ip4:211.236.180.33 ip4:211.236.180.34 ip4:211.236.180.35 ip4:211.236.180.36 ip4:211.236.180.37 ip4:211.236.180.38 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.39 ip4:211.236.180.40 ip4:211.236.180.41 ip4:211.236.180.42 ip4:211.236.180.43 ip4:211.236.180.44 ip4:211.236.180.45 ip4:211.236.180.46 ip4:211.236.180.47 ip4:211.236.180.48 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.49 ip4:211.236.180.50 ip4:211.236.180.51 ip4:211.236.180.52 ip4:211.236.180.53 ip4:211.236.180.54 ip4:211.236.180.55 ip4:211.236.180.56 ip4:211.236.180.57 ip4:211.236.180.58 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.59 ip4:211.236.180.60 ip4:211.236.180.61 ip4:211.236.180.62 ip4:211.236.180.63 ip4:211.236.180.64 ip4:211.236.180.65 ip4:211.236.180.66 ip4:211.236.180.67 ip4:211.236.180.68 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.69 ip4:211.236.180.70 ip4:211.236.180.71 ip4:211.236.180.72 ip4:211.236.180.73 ip4:211.236.180.74 ip4:211.236.180.75 ip4:211.236.180.76 ip4:211.236.180.77 ip4:211.236.180.78 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.79 ip4:211.236.180.80 ip4:211.236.180.81 ip4:211.236.180.82 ip4:211.236.180.83 ip4:211.236.180.84 ip4:211.236.180.85 ip4:211.236.180.86 ip4:211.236.180.87 ip4:211.236.180.88 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.89 ip4:211.236.180.90 ip4:211.236.180.91 ip4:211.236.180.92 ip4:211.236.180.93 ip4:211.236.180.94 ip4:211.236.180.95 ip4:211.236.180.96 ip4:211.236.180.97 ip4:211.236.180.98 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.99 ip4:211.236.180.100 ip4:211.236.180.101 ip4:211.236.180.102 ip4:211.236.180.103 ip4:211.236.180.104 ip4:211.236.180.105 ip4:211.236.180.106 ip4:211.236.180.107 ip4:211.236.180.108 ~all"

gd21.net.               236     IN      TXT     "v=spf1 ip4:211.236.180.109 ip4:211.236.180.110 ip4:211.236.180.111 ip4:211.236.180.112 ip4:211.236.180.113 ip4:211.236.180.114 ip4:211.236.180.115 ip4:211.236.180.116 ip4:211.236.180.117 ip4:211.236.180.118 ~all"

 

;; AUTHORITY SECTION:

gd21.net.               236     IN      NS      ns2.goldennet.co.kr.

gd21.net.               236     IN      NS      ns.goldennet.co.kr.

 

;; Query time: 83 msec

;; SERVER: 68.105.29.16#53(68.105.29.16)

;; WHEN: Tue Jul 24 12:31:55 2012

;; MSG SIZE  rcvd: 2735

 

leslie-2:~ packetalien$ dig gd21.net txt | wc

      35     283    3349

 

 

 

Richard Porter

--- ISC Handler on Duty

16 comment(s)

Comments

We've seen this sort of thing in the past, but it was a Spoofed UDP packet doing an ANY request for ripe.net on an open resolver.

Of course the spoofed source was the IP being attacked.
As the original reporter, I can say the source is not spoofed. I have OSSEC adding "shuns" to our ASA based on source and that immediately stops that particular request, showing the requesting address is not spoofed.
Jul 24 2012 20:16:47: %ASA-4-401004: Shunned packet: XXX.XXX.218.92 ==> XXX.XXX.18.114 on interface outside

sh shun stat | include XXX.XXX.218.92
Shun XXX.XXX.218.92 cnt=23577, time=(8:04:13)
It seems like most of the packets being sent over and over are coming from the same ip address which would indicate a DOS attack.
nope. When it started I had around 40 shuns/IPs, once we reconfigured OSSEC to automatically block the queries new IPs cropped up within a few seconds (30-60 sec). I am up to 500+ shuns now. Now, new attacks show up every 3-4 minutes.
@Eric - I should qualify my last statement: my log portion above was just one IP from many. There seems to be no common thread as to where the IPs are coming from.
That's interesting that you can't identify where the IPs are coming from. How long has this attack been going on for?

I see that from the above logs posted that it was happening this afternoon at 12:31PM.
> That's interesting that you can't identify where the IPs are coming from.

Not interesting at all -- the only TCP packets that are being received contain _only_ the "spoofed" IP-address, not the IP-address of the sender.

One needs to have access-rights to all the routers between the "target" and the actual "source", in order to find the packets that are going through the router to the target.

Some router is not doing "egress-filtering" -- i.e., not blocking packets that contain "source" information that is not "inside" the network from where the packets are originating.

Such "spoofing" is common on the Internet -- how many E-mail messages have I received that claim to be from 'info@fbi.gov' or from 'helpdesk' at my ISP ?
@ Scott. Is it just IN TXT records being queried? Could the source addresses be DNS or SMTP servers? Could this be side effect of a big Spam run using the gd21.net domain in the From: field?
when I said "I cant identify where they are coming from" I mean there is no one geographic location. They are coming from Brazil, the US, etc...

@George - Yes, the query is looking for gd21.net IN TXT +E. Interesting thought, I'll check a few and see what ports may be open. The few I looked at yesterday seemed to be DSL customers, so I suspect its a botnet of some type.

Also, I dont seem to be making myself clear. The IPs do NOT appear to be spoofed. This is from the ASA's log this morning:

Jul 25 2012 10:03:28: %ASA-4-401004: Shunned packet: XXX.232.121.191 ==> XXX.215.18.114 on interface outside

and from the config:

shun (outside) XXX.232.121.191 0.0.0.0 0 0 0

That indicates that the shun is in fact preventing an INBOUND connection from that IP to our servers, so the IP is not spoofed. Also, if it was spoofed the shuns would not be useful in reducing the crushing traffic. They are working quite well, and traffic is down to normal levels. I am starting to think this may just be a D-DOS against our DNS since any given IP is sending several queries a second and there are many hundreds of IPs querying us.

Diary Archives