[Wolves] OT: Odd DNS traffic to unused IP

Simon Burke simon at samandsimon.co.uk
Fri May 13 11:45:17 UTC 2016

A wee bit OT, but I'm looking for opinions.

So we have noticed this week there's a significant spike in traffic this
week. For some reason we're getting a fairly constant stream of DNS traffic
directed towards a unused IP.

Someone has suggested it's possibly a botnet looking for a CnC server, but
not being that knowledgeable in that area, I thought I'd ask oracle that is
the Wolves LUG.

The domain these hosts are attempting to look up have valid nameservers
that are elsewhere, and all have GoDaddy privacy service enabled.

All are in the format of <randomstring>.www.defence[0-9].com

(I have a few tcpdumps of the data if anyone is interested).

The constant flood is easily being swallowed up by our line, and it's
currently sat at about 1000-1500 packets per minute.

Does anyone have any suggestion as to what could be going on here?


More information about the Wolves mailing list