Our reader Phillip sent in the following log excerpt:
15:53:34.329883 IP 18.104.22.168.44806 > 59.167.x.35.53: 9158+ [1au] ANY? hizbullah.me. (41) 15:53:34.331562 IP 22.214.171.124.44806 > 59.167.x.36.53: 9158+ [1au] ANY? hizbullah.me. (41) 15:53:34.331785 IP 126.96.36.199.44806 > 59.167.x.32.53: 9158+ [1au] ANY? hizbullah.me. (41) 15:53:34.332050 IP 188.8.131.52.44806 > 59.167.x.39.53: 9158+ [1au] ANY? hizbullah.me. (41) ... 15:58:56.288188 IP 184.108.40.206.34195 > 59.167.x.32.53: 17253+ [1au] A? 4fwhk.com. (50) 15:59:23.345810 IP 220.127.116.11.28558 > 59.167.x.34.53: 28322+ [1au] A? 4fwhk.com. (50) ...
There are a couple of indicators that these logs are "odd":
- ANY queries are unusual in normal DNS traffic. While they are valid, they are not often used in "normal" DNS traffic. But for DoS attacks, they provide large responses.
The main "feature" of hizbullah.me becomes obvious if you look at the size of the response:
I removed most of the "A" record responses. There are a total of 243 if I counted right. The response is 3992 bytes, almost 100 times the size of the query (41 bytes). You also see at the top how dig indicates that it had to fall back to TCP because the response was too large. Many modern resolvers don't require this, and use EDNS0 to allow larger responses, typically up to 4kBytes in size.
The hizbullah.me domain appears to be set up just to act as a source of large DNS responses to be used in DoS attacks.
The second record no longer resolves. I can only assume that it was used similarly. The "ANY" query is not needed for a domain like hizbullah.me with many A records. Just an A query will result in a huge answer.
------Intrusion Detection In-Depth - SANS Las Vegas Spring 2020
Oct 8th 2013
6 years ago