Recently we are seeing strange domains being requested on the caching
name servers we are running. Sometimes the clients who are requesting
these domains are sending more than one thousand requests per second, and
sometimes it's a lot lower than that (maybe 30, 50 or 100 requests per
second). Examples of the log records are below:
29-Mar-2010 14:18:57.645 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.649 client X.X.X.X#53: query: \144\198x IN A +
29-Mar-2010 14:18:57.651 client X.X.X.X#53: query: \144\198x IN A +
30-Mar-2010 11:34:36.099 client Y.Y.Y.Y#3074: query: powecs1234.51vip.biz IN A +
30-Mar-2010 11:34:37.305 client Y.Y.Y.Y#3074: query: \019 IN A +
30-Mar-2010 11:34:44.419 client Y.Y.Y.Y#3074: query: \019 IN A +
30-Mar-2010 11:34:50.437 client Y.Y.Y.Y#3074: query: \019 IN A +
30-Mar-2010 11:36:02.096 client Z.Z.Z.Z#53: query: acegaceg.vicp.cc IN A +
30-Mar-2010 11:36:02.100 client Z.Z.Z.Z#53: query: \012\194x IN A +
30-Mar-2010 11:36:02.104 client Z.Z.Z.Z#53: query: \012\194x IN A +
30-Mar-2010 11:36:02.108 client Z.Z.Z.Z#53: query: \012\194x IN A +
Most of the time the client's source port is 53, which is mostly used as
the source port for DNS servers to reply to clients' queries, so I am
suspecting it might be a virus of some sort.
I did a Google search for the mentioned domains but with no luck. Does
anyone have any idea what would cause such request floods, or has anyone
faced similar issues?
--
Abdulla Ahmad Bushlaibi
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
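A small triage script, added here as an example and not part of the original post or of BIND, that parses query-log lines in the format shown above and reports, per client, the query count, the peak queries per second, whether any query name contains non-printable bytes (BIND renders those as a backslash followed by three decimal digits, as in `\144\198x` and `\019`) and whether the client used source port 53. The sample log is constructed for the example (RFC 5737 documentation addresses stand in for the real clients); the `qps_threshold` value is an assumed cut-off, not anything BIND defines.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines modelled on the query-log excerpt in the post.
# Client addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
29-Mar-2010 14:18:57.645 client 192.0.2.10#53: query: \\144\\198x IN A +
29-Mar-2010 14:18:57.649 client 192.0.2.10#53: query: \\144\\198x IN A +
29-Mar-2010 14:18:57.649 client 192.0.2.10#53: query: \\144\\198x IN A +
29-Mar-2010 14:18:57.651 client 192.0.2.10#53: query: \\144\\198x IN A +
30-Mar-2010 11:34:36.099 client 198.51.100.7#3074: query: powecs1234.51vip.biz IN A +
30-Mar-2010 11:34:37.305 client 198.51.100.7#3074: query: \\019 IN A +
30-Mar-2010 11:34:44.419 client 198.51.100.7#3074: query: \\019 IN A +
30-Mar-2010 11:35:01.000 client 203.0.113.5#1025: query: www.example.com IN A +
"""

# "DD-Mon-YYYY HH:MM:SS.mmm client IP#PORT: query: NAME IN TYPE ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# BIND writes a non-printable byte in a name as a backslash plus three decimal digits.
ESCAPED_BYTE_RE = re.compile(r"\\\d{3}")


def parse_line(line):
    """Return a dict for one query-log line, or None if it is not a query record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec["escaped"] = bool(ESCAPED_BYTE_RE.search(rec["name"]))
    return rec


def parse_log(text):
    """Parse every query record in a block of log text, skipping other lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_clients(records, qps_threshold=30):
    """Build per-client indicators. qps_threshold is an assumed cut-off for
    'flood' behaviour; a client is marked suspicious when it exceeds it or
    when any of its query names carries non-printable bytes."""
    per_second = Counter()
    summary = defaultdict(lambda: {
        "queries": 0, "peak_qps": 0, "escaped_names": set(), "source_port_53": False,
    })
    for r in records:
        s = summary[r["ip"]]
        s["queries"] += 1
        if r["escaped"]:
            s["escaped_names"].add(r["name"])
        if r["port"] == 53:
            s["source_port_53"] = True
        # bucket by whole second to measure the query rate
        per_second[(r["ip"], r["time"].replace(microsecond=0))] += 1
    for (ip, _), n in per_second.items():
        summary[ip]["peak_qps"] = max(summary[ip]["peak_qps"], n)
    for s in summary.values():
        s["suspicious"] = bool(s["escaped_names"]) or s["peak_qps"] >= qps_threshold
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize_clients(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{ip:16} queries={s['queries']:3} peak_qps={s['peak_qps']:3} "
              f"src53={s['source_port_53']} escaped={sorted(s['escaped_names'])} {flag}")
```

Run against a real `query.log` by replacing `SAMPLE_LOG` with the file contents; the same per-second bucketing also works for feeding a rate-limit or alerting rule, since the parser ignores non-query lines and the summary keys on client address only.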