Our reader Phillip sent in the following log excerpt:

15:53:34.329883 IP 80.82.64.114.44806 > 59.167.x.35.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.331562 IP 80.82.64.114.44806 > 59.167.x.36.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.331785 IP 80.82.64.114.44806 > 59.167.x.32.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.332050 IP 80.82.64.114.44806 > 59.167.x.39.53: 9158+ [1au] ANY? hizbullah.me. (41)
...
15:58:56.288188 IP 122.136.196.116.34195 > 59.167.x.32.53: 17253+ [1au] A? 4fwhk.com. (50)
15:59:23.345810 IP 122.136.196.116.28558 > 59.167.x.34.53: 28322+ [1au] A? 4fwhk.com. (50)
...

There are a couple of indicators that these logs are "odd":

- ANY queries are unusual in normal DNS traffic. While they are valid, they are not often used in "normal" DNS traffic. But for DoS attacks, they provide large responses.
- the source port and the query ID doesn't change
- the speed of these queries is very fast.

The main "feature" of hizbullah.me becomes obvious if you look at the size of the response:

I removed most of the "A" record responses. There are a total of 243 if I counted right. The response is 3992 bytes, almost 100 times the size of the query (41 bytes). You also see at the top how dig indicates that it had to fall back to TCP because the response was too large. Many modern resolvers don't require this, and use EDNS0 to allow larger responses, typically up to 4kBytes in size.

The hizbullah.me domain appears to be set up just to act as a source of large DNS responses to be used in DoS attacks.

The second record no longer resolves. I can only assume that it was used similarly. The "ANY" query is not needed for a domain like hizbullah.me with many A records. Just an A query will result in a huge answer.

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter