Davis, Having seen this in the past, and managing both open resolvers and authoritative servers for several large eyeball networks, I think your assumption is correct this definitely smells like C&C traffic being handled via DNS.
Just my 2c - YMMV - All sales final, As is - Dale Rumph - Network Engineer/Security Consultant On Feb 19, 2014 10:58 AM, "Beeman, Davis" <davis.bee...@integratelecom.com> wrote: > I am late to this train, but it appears no one else has brought this up. > It is a DNS tunneling setup, not an attack. I have been dealing with one > of these lately as well. They were using some open resolvers in my network > to reflect, but the "random" hostnames in the queries are tunneled traffic > or keywords. The original sources of the traffic are probably members of a > botnet, and this is being used as a sneaky C&C method. Due to the tiny > amount of data you can send in the DNS query name field, this will sort of > look like an attack, because they have to send thousands of queries to get > anything done. > > They are not attacking the authoritative name servers in those domains, as > has been suggested, rather the authoritative name server in these domains > is the rouge DNS server in use by the bad actor running a botnet. > > Davis Beeman > Network Security Engineer > > > -----Original Message----- > From: Joe Maimon [mailto:jmai...@ttec.com] > Sent: Tuesday, February 18, 2014 19:08 > To: North American Networking and Offtopic Gripes List > Subject: random dns queries with random sources > > Hey all, > > DNS amplification spoofed source attacks, I get that. I even thought I was > getting mitigation down to acceptable levels. > > But now this. At different times during the previous days and on different > resolvers, routers with proxy turned on, etc... > > Thousand of queries with thousands of source ip addresses. > > According to my logs, sources are not being repeated (or not with any > significant frequency) > > What is the purpose of this? > > 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: > swe.5kkx.com IN A + (66.199.132.5) > 18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: > query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7) > 18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: > query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7) > 18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: > uehkaiy.5kkx.com IN A + (66.199.132.7) > 18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: > query: yqv.5kkx.com IN A + (66.199.132.7) > 18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: > query: e.5kkx.com IN A + (66.199.132.7) > 18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: > bfpofpj.5kkx.com IN A + (66.199.132.5) > 18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: > query: aocdesguijxym.5kkx.com IN A + (66.199.132.5) > 18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: > query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7) > 18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: > ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103) > 18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: > query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103) > 18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: > query: ebb.5kkx.com IN A + (66.199.132.5) > 18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: > query: l.5kkx.com IN A + (66.199.132.7) > > >
