CSAM: ANY queries used in reflective DoS attack

Published: 2013-10-08
Last Updated: 2013-10-08 21:19:20 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Our reader Phillip sent in the following log excerpt:

15:53:34.329883 IP > 59.167.x.35.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.331562 IP > 59.167.x.36.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.331785 IP > 59.167.x.32.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.332050 IP > 59.167.x.39.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:58:56.288188 IP > 59.167.x.32.53: 17253+ [1au] A? 4fwhk.com. (50)
15:59:23.345810 IP > 59.167.x.34.53: 28322+ [1au] A? 4fwhk.com. (50)

There are a couple of indicators that make these logs "odd":

- ANY queries are unusual in normal DNS traffic. They are valid, but clients rarely send them; for a DoS attack they are attractive because the answer carries every record at the name, so the response is as large as the zone owner chooses to make it.
- the source port and the query ID (9158) do not change across the four ANY queries. A well-behaved resolver randomizes both, and the query ID in particular should not repeat for queries sent back to back.
- the queries are sent very fast: the four ANY queries arrive within about 2 ms of each other (15:53:34.329883 to 15:53:34.332050), with no wait for an answer in between.
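The three indicators above, turned into detection logic over tcpdump-style DNS query lines. This is an added example, not code from the diary or from SANS ISC. The sample log is constructed to match the format of the excerpt; because the excerpt omits the source address and port, the values used here (198.51.100.7 with a fixed port as the spoofed victim, 192.0.2.10 as an ordinary client) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in tcpdump's DNS output format. The diary's excerpt
# omits the source address and port; the ones here (198.51.100.7 as the
# spoofed victim, 192.0.2.10 as an ordinary client) are assumptions.
SAMPLE_LOG = """\
15:53:34.329883 IP 198.51.100.7.40000 > 59.167.0.35.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.331562 IP 198.51.100.7.40000 > 59.167.0.36.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.331785 IP 198.51.100.7.40000 > 59.167.0.32.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:53:34.332050 IP 198.51.100.7.40000 > 59.167.0.39.53: 9158+ [1au] ANY? hizbullah.me. (41)
15:58:56.288188 IP 192.0.2.10.51234 > 59.167.0.32.53: 17253+ [1au] A? 4fwhk.com. (50)
15:59:23.345810 IP 192.0.2.10.60211 > 59.167.0.34.53: 28322+ [1au] A? 4fwhk.com. (50)
"""

# One tcpdump DNS query line: timestamp, src.port > dst.port, transaction ID
# with flag characters ("+" means RD set), optional "[Nau]" additional-record
# count, query type, query name and the DNS payload length in bytes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\w.:]+?)\.(?P<sport>\d+) > (?P<dst>[\w.:]+?)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[+%$|]* (?:\[\d+au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)


def parse_line(line):
    """Parse one query line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["ts"] = datetime.strptime(q["ts"], "%H:%M:%S.%f")
    for key in ("sport", "dport", "txid", "size"):
        q[key] = int(q[key])
    return q


def find_reflection_indicators(log_text, burst_min=4, burst_window_ms=10):
    """Return {source_ip: sorted indicator names} for every suspicious source.

    Indicators mirror the diary's observations:
      any_query    - the source sends ANY queries
      static_txid  - the same DNS transaction ID is reused across queries
      static_sport - the same UDP source port is reused across queries
      burst        - at least burst_min queries inside burst_window_ms
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q:
            by_src[q["src"]].append(q)

    findings = {}
    window = timedelta(milliseconds=burst_window_ms)
    for src, qs in by_src.items():
        hits = set()
        if any(q["qtype"] == "ANY" for q in qs):
            hits.add("any_query")
        if len(qs) > 1:
            if len({q["txid"] for q in qs}) == 1:
                hits.add("static_txid")
            if len({q["sport"] for q in qs}) == 1:
                hits.add("static_sport")
        qs = sorted(qs, key=lambda q: q["ts"])
        for i in range(len(qs) - burst_min + 1):
            if qs[i + burst_min - 1]["ts"] - qs[i]["ts"] <= window:
                hits.add("burst")
                break
        if hits:
            findings[src] = sorted(hits)
    return findings


if __name__ == "__main__":
    for src, hits in find_reflection_indicators(SAMPLE_LOG).items():
        print(src, ", ".join(hits))
```

Run against the sample, only the spoofed source trips all four indicators; the ordinary client, with two A queries, distinct transaction IDs and distinct source ports half a minute apart, produces no finding. On a real resolver the same grouping should be keyed by source address only, since the destination varies when an attacker sprays many reflectors.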

The main "feature" of hizbullah.me becomes obvious if you look at the size of the response:

$ dig ANY hizbullah.me
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.5-P1 <<>> ANY hizbullah.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39771
;; flags: qr rd ra; QUERY: 1, ANSWER: 244, AUTHORITY: 1, ADDITIONAL: 1
;hizbullah.me. IN ANY
hizbullah.me. 3589 IN SOA ns1.hizbullah.me. admin.hizbullah.me. 2012292301 28800 86400 3600000 86400
hizbullah.me. 1789 IN A
hizbullah.me. 1789 IN A
hizbullah.me. 1789 IN A
hizbullah.me. 1789 IN A
hizbullah.me. 1789 IN NS ns1.hizbullah.me.
hizbullah.me. 1789 IN NS ns1.hizbullah.me.
ns1.hizbullah.me. 3588 IN A
;; Query time: 7 msec
;; WHEN: Tue Oct 08 17:09:00 EDT 2013
;; MSG SIZE  rcvd: 3992

I removed most of the "A" record responses. There are a total of 243 if I counted right. The response is 3992 bytes, about 97 times the size of the 41-byte query. You also see at the top how dig first received a truncated UDP answer (TC bit set) and retried over TCP. A client that advertises a large enough EDNS0 UDP buffer (4096 bytes is a common value) does not need the TCP retry and gets the whole 3992-byte answer in a single UDP datagram. That matters for reflection: a UDP query can be sent with a spoofed source address, a TCP query cannot, because the handshake would never complete. The "[1au]" in the log shows that each of the attacker's queries already carries one additional record, the EDNS0 OPT record, which also accounts for the 41-byte query size: a 12-byte header, 14 bytes for the encoded name, 4 bytes of query type and class, and an 11-byte OPT record.
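The EDNS0 and amplification arithmetic above, as an added example that is not part of the diary: build the ANY query in DNS wire format, show that appending an EDNS0 OPT record takes a 30-byte query to the 41 bytes seen in the log, and show that the 3992-byte answer would be truncated at the classic 512-byte UDP limit but fits in an advertised 4096-byte buffer. The transaction ID 9158 and the sizes 41 and 3992 come from the diary; the 4096-byte buffer is an assumption.

```python
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
CLASS_IN = 1
TYPE_OPT = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels plus root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid=9158, edns_udp_size=None):
    """Build a DNS query message (RFC 1035), optionally with an EDNS0 OPT record.

    The OPT record advertises the UDP payload size the client can accept;
    without it a server must truncate any answer larger than 512 bytes.
    """
    arcount = 1 if edns_udp_size else 0
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], CLASS_IN)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name (1 byte), TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0 -> 11 bytes.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def amplification_factor(query_len, response_len):
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_len / query_len


def needs_tcp_fallback(response_len, advertised_udp_size=512):
    """True if the answer exceeds the advertised UDP size and would come back truncated."""
    return response_len > advertised_udp_size


if __name__ == "__main__":
    plain = build_query("hizbullah.me", "ANY")
    edns = build_query("hizbullah.me", "ANY", edns_udp_size=4096)
    print("plain ANY query:", len(plain), "bytes")       # 30
    print("ANY query with EDNS0:", len(edns), "bytes")   # 41, as in the log
    print("amplification: %.1fx" % amplification_factor(len(edns), 3992))
    print("truncated without EDNS0:", needs_tcp_fallback(3992))
    print("truncated with 4096-byte buffer:", needs_tcp_fallback(3992, 4096))
```

The OPT record is what makes the attack work over UDP: it costs the attacker 11 bytes per query and lets the reflector return the full answer without the TCP round trip that a spoofed source could never complete.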

The hizbullah.me domain appears to be set up just to act as a source of large DNS responses to be used in DoS attacks. In a reflective attack the attacker spoofs the victim's address as the source of the queries, so every open resolver that answers them delivers the roughly 4 kByte response to the victim rather than to the attacker, at close to 100 times the bandwidth the attacker spends on the queries.

The second domain, 4fwhk.com, no longer resolves. I can only assume that it was used similarly. An "ANY" query is not even needed for a domain like hizbullah.me with that many A records: a plain A query already returns a huge answer, and the 4fwhk.com queries in the log are in fact plain A queries.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: any csam dns dos