[Wolves] OT: Odd DNS traffic to unused IP
Ron Wellsted
ron at wellsted.org.uk
Fri May 13 11:57:04 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 13/05/16 12:44, Simon Burke via Wolves wrote:
> A wee bit OT, but I'm looking for opinions.
>
> So we have noticed there's a significant spike in traffic this
> week. For some reason we're getting a fairly constant stream of
> DNS traffic directed towards an unused IP.
>
> Someone has suggested it's possibly a botnet looking for a CnC
> server, but not being that knowledgeable in that area, I thought
> I'd ask the oracle that is the Wolves LUG.
>
> The domains these hosts are attempting to look up have valid
> nameservers that are elsewhere, and all have GoDaddy privacy
> service enabled.
>
> All are in the format of <randomstring>.www.defence[0-9].com
>
> (I have a few tcpdumps of the data if anyone is interested).
>
> The constant flood is easily being swallowed up by our line, and
> it's currently sat at about 1000-1500 packets per minute.
>
> Does anyone have any suggestion as to what could be going on here?
>
> Cheers, Simon.
A couple of things to check:
1. What does the unused IP resolve to? (was it previously a DNS server
for somebody else?)
2. What does whois tell you about the source IP(s)?
As a bit of retaliation, try putting up a tarpit or a honeypot with a
spare machine.
- --
Ron Wellsted
ron at wellsted.org.uk http://www.wellsted.org.uk
Call Sign: M0RNW / Linux Counter No. 202120
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEARECAAYFAlc1wOwACgkQ8lOfTmhjD3PNWwCguvWdMsMxbJep1N601epiDhjq
rWcAoJPbZcixDcHMsQa97C6Qm1XYEDdZ
=duwA
-----END PGP SIGNATURE-----
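Before running the reverse lookup and whois checks Ron lists, it helps to triage the capture: which source addresses are sending the queries, at what rate per minute, and whether the leading label really looks random. The script below is an added example, not code from either poster; it works on a constructed log in a hypothetical "timestamp src_ip qname qtype" layout (not Simon's tcpdumps), uses documentation-range addresses, and matches the <randomstring>.www.defence[0-9].com pattern from the thread, scoring each leading label's Shannon entropy so that random-looking labels stand out from ordinary hostnames.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample DNS query log (hypothetical "timestamp src_ip qname qtype"
# layout, not a capture from the thread). Sources are documentation-range IPs.
SAMPLE_LOG = """\
2016-05-13T11:40:01Z 198.51.100.7 k3j9xq2m1.www.defence3.com A
2016-05-13T11:40:02Z 198.51.100.7 p0zq8wlt5v.www.defence3.com A
2016-05-13T11:40:02Z 203.0.113.22 ab12cd34ef.www.defence7.com A
2016-05-13T11:40:05Z 198.51.100.7 m8nq2rt0.www.defence3.com A
2016-05-13T11:40:07Z 192.0.2.9 www.example.org A
2016-05-13T11:41:03Z 203.0.113.22 zx9vq1plk7.www.defence7.com A
2016-05-13T11:41:04Z 192.0.2.9 mail.example.org MX
"""

# The naming pattern reported in the thread: <randomstring>.www.defence[0-9].com
SUSPECT_RE = re.compile(
    r"^(?P<label>[a-z0-9-]+)\.www\.defence[0-9]\.com\.?$", re.IGNORECASE
)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random labels score high, real words low."""
    if not text:
        return 0.0
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspect(qname: str) -> bool:
    """True when the query name follows the random-subdomain pattern."""
    return SUSPECT_RE.match(qname) is not None


def parse_line(line: str):
    """Split one log line into (timestamp, src_ip, qname, qtype); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def analyse(log_text: str, rate_threshold: int = 2):
    """Summarise queries matching the suspect pattern.

    Returns per-source and per-minute counts, the peak per-minute rate, the mean
    entropy of the leading label, and the sources that sent at least
    rate_threshold matching queries (candidates for the whois lookup).
    """
    per_source = Counter()
    per_minute = Counter()
    entropies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        ts, src, qname, _qtype = rec
        m = SUSPECT_RE.match(qname)
        if m is None:
            continue  # ordinary lookups are not part of the flood
        per_source[src] += 1
        per_minute[ts.strftime("%Y-%m-%dT%H:%M")] += 1
        entropies.append(shannon_entropy(m.group("label")))
    return {
        "matches": sum(per_source.values()),
        "per_source": dict(per_source),
        "per_minute": dict(per_minute),
        "peak_per_minute": max(per_minute.values(), default=0),
        "mean_label_entropy": sum(entropies) / len(entropies) if entropies else 0.0,
        "flagged_sources": sorted(
            s for s, n in per_source.items() if n >= rate_threshold
        ),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the constructed sample the two sources in the flood are flagged, the peak is four matching queries in the 11:40 minute, and the mean label entropy sits above 3 bits per character, well above what names like www or mail produce. Against a real capture the same per-source list is the input for Ron's whois step, and the per-minute series is what to compare with the 1000-1500 packets per minute Simon mentions to see whether the rate is changing.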