
SANS ISC: Report of spike in DNS Queries - SANS Internet Storm Center SANS ISC InfoSec Forums

Report of spike in DNS Queries

A reader reported (thanks @Scott) that he is observing a sudden jump in DNS Traffic all asking for the same thing.

Here is a snip from logs, slightly edited.

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: IN TXT +E

** used with permission ** seems to link to a Korean Shopping site of some kind. As always, use caution when following links

Is anyone else seeing this? If so could you report it?



Richard Porter

--- ISC Handler on Duty


173 Posts
ISC Handler
Jul 24th 2012
We've seen this sort of thing in the past, but it was a Spoofed UDP packet doing an ANY request for on an open resolver.

Of course the spoofed source was the IP being attacked.

12 Posts
As the original reporter, I can say the source is not spoofed. I have OSSEC adding "shuns" to our ASA based on source and that immediately stops that particular request, showing the requesting address is not spoofed.
7 Posts
Jul 24 2012 20:16:47: %ASA-4-401004: Shunned packet: XXX.XXX.218.92 ==> XXX.XXX.18.114 on interface outside

sh shun stat | include XXX.XXX.218.92
Shun XXX.XXX.218.92 cnt=23577, time=(8:04:13)
7 Posts
It seems like most of the packets being sent over and over are coming from the same ip address which would indicate a DOS attack.
3 Posts
nope. When it started I had around 40 shuns/IPs, once we reconfigured OSSEC to automatically block the queries new IPs cropped up within a few seconds (30-60 sec). I am up to 500+ shuns now. Now, new attacks show up every 3-4 minutes.
7 Posts
@Eric - I should qualify my last statement: my log portion above was just one IP from many. There seems to be no common thread as to where the IPs are coming from.
7 Posts
That's interesting that you can't identify where the IPs are coming from. How long has this attack been going on for?

I see that from the above logs posted that it was happening this afternoon at 12:31PM.
3 Posts
> That's interesting that you can't identify where the IPs are coming from.

Not interesting at all -- the only TCP packets that are being received contain _only_ the "spoofed" IP-address, not the IP-address of the sender.

One needs to have access-rights to all the routers between the "target" and the actual "source", in order to find the packets that are going through the router to the target.

Some router is not doing "egress-filtering" -- i.e., not blocking packets that contain "source" information that is not "inside" the network from where the packets are originating.

Such "spoofing" is common on the Internet -- how many E-mail messages have I received that claim to be from '' or from 'helpdesk' at my ISP ?
@ Scott. Is it just IN TXT records being queried? Could the source addresses be DNS or SMTP servers? Could this be side effect of a big Spam run using the domain in the From: field?
When I said "I can't identify where they are coming from" I mean there is no one geographic location. They are coming from Brazil, the US, etc...

@George - Yes, the query is looking for IN TXT +E. Interesting thought, I'll check a few and see what ports may be open. The few I looked at yesterday seemed to be DSL customers, so I suspect it's a botnet of some type.

Also, I don't seem to be making myself clear. The IPs do NOT appear to be spoofed. This is from the ASA's log this morning:

Jul 25 2012 10:03:28: %ASA-4-401004: Shunned packet: XXX.232.121.191 ==> XXX.215.18.114 on interface outside

and from the config:

shun (outside) XXX.232.121.191 0 0 0

That indicates that the shun is in fact preventing an INBOUND connection from that IP to our servers, so the IP is not spoofed. Also, if it was spoofed the shuns would not be useful in reducing the crushing traffic. They are working quite well, and traffic is down to normal levels. I am starting to think this may just be a D-DOS against our DNS since any given IP is sending several queries a second and there are many hundreds of IPs querying us.
@Scott I was thinking it might be a bot. Well that's good that the traffic is down to normal levels.

Yeah the open ports could be also a clue.
Ok, after some (very) patient discussion with me, the SANS guys allowed me to see the forest for the trees. The source IPs are likely spoofed, and while my shuns blocked the spoofed IP, the attacker would just move to the next spoofed target. The simple solution was to disable recursion for all but what IPs we need. (That creates a few issues, but nothing we can't work through.)

Again, thanks guys for helping pound this through my thick skull.

This looks to me like traffic from a DNS Reflection DDOS attack. The TXT records are larger in size than the original DNS query therefore there is a traffic amplification often of the order 60:1 .
DNS Reflection Attack How To :
1) Register a domain and host it
2) Add a TXT record
3) Find some name servers that allow recursion and prime them for the attack by querying your DOMAIN TXT record.
4) Find an internet connection without egress filtering
5) Spoof DNS requests at your primed name server, which will flood the target network with traffic with an amplification of roughly 60:1 depending on what you set your TXT record to be. A 5GB per second attack can be achieved this way with around 200 bots.
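The pattern the thread converges on (one TXT name, recursion requested, EDNS in use, hammered from many sources that turn out to be spoofed) can be picked out of a BIND query log automatically. The following is an added example written for this page, not code from the original post or from SANS ISC: it parses lines in the format shown in the thread's snippet, reports which sources peak above a per-second threshold, summarises how concentrated the TXT queries are on a single name, and estimates the amplification factor from query and response sizes. The sample log is constructed (documentation addresses, and `example.test` standing in for the query name that was elided in the original post); the threshold values are assumptions, not tuned figures.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the old BIND 9 query-log format seen in the thread.
# Addresses come from the documentation ranges; "example.test" is a placeholder
# for the query name that the original post left out. In BIND's flag field,
# "+" means recursion desired (RD set) and "E" means EDNS0 is in use.
SAMPLE_LOG = """\
Jul 24 13:28:56 ns1 named[3240]: client 203.0.113.62#55148: query: example.test IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 203.0.113.62#63757: query: example.test IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 203.0.113.62#50037: query: example.test IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 203.0.113.62#57822: query: example.test IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.7#21294: query: example.test IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.7#6076: query: example.test IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client 198.51.100.7#27221: query: example.test IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client 192.0.2.10#34485: query: www.example.test IN A -
Jul 24 13:28:58 ns1 named[3240]: client 192.0.2.10#56117: query: mail.example.test IN MX +
"""

# Matches "<timestamp> <host> named[<pid>]: client <ip>#<port>: query: <name> IN <type> <flags>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse every matching line of a log; non-matching lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def rate_per_source(records):
    """Peak number of queries seen from each source IP within any single second."""
    per_second = Counter((r["ip"], r["ts"]) for r in records)
    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def hot_sources(records, threshold):
    """Source IPs whose per-second peak reaches the threshold (an assumed tuning value)."""
    return sorted(ip for ip, peak in rate_per_source(records).items() if peak >= threshold)


def reflection_indicators(records, rd_edns_only=True):
    """Summarise how concentrated TXT traffic is on one name.

    With rd_edns_only=True only TXT queries that request recursion ("+") and use
    EDNS ("E") are counted, since that combination is what produces the large
    UDP responses the thread's amplification estimate relies on.
    """
    txt = [r for r in records if r["qtype"] == "TXT"]
    if rd_edns_only:
        txt = [r for r in txt if r["flags"].startswith("+") and "E" in r["flags"]]
    by_name = Counter(r["qname"] for r in txt)
    if not by_name:
        return None
    qname, count = by_name.most_common(1)[0]
    sources = {r["ip"] for r in txt if r["qname"] == qname}
    return {
        "qname": qname,
        "queries": count,
        "distinct_sources": len(sources),
        "share_of_all_queries": count / len(records),
    }


def amplification_factor(query_bytes, response_bytes):
    """Bytes sent to the victim per byte the attacker had to send (response/query)."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sources peaking at >= 3 queries/second:", hot_sources(recs, threshold=3))
    print("TXT concentration:", reflection_indicators(recs))
    # A ~64-byte query answered by a ~3840-byte EDNS TXT response is the
    # 60:1 ratio the post above quotes.
    print("amplification:", amplification_factor(64, 3840))
```

Two caveats follow from the thread itself. First, per-source rate alerts and shuns, as Scott found, only chase the spoofed victim addresses; the useful signal is the concentration of RD+EDNS TXT queries on one name across many sources, which is what `reflection_indicators` reports. Second, the fix that actually worked was refusing recursion for everyone but the server's own clients; in BIND that is the `allow-recursion` ACL in the `options` block of `named.conf`, and newer BIND releases also change the query-log line format (they include a client pointer and the destination address), so the regex here should be checked against your own server's output before being relied on.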

Looks like you are helping take down

Anonymous rather :)
