[Wolves] OT: Odd DNS traffic to unused IP

Ron Wellsted ron at wellsted.org.uk
Fri May 13 11:57:04 UTC 2016


On 13/05/16 12:44, Simon Burke via Wolves wrote:
> A wee bit OT, but I'm looking for opinions.
> So we have noticed there's a significant spike in traffic this
> week. For some reason we're getting a fairly constant stream
> of DNS traffic directed towards an unused IP.
> Someone has suggested it's possibly a botnet looking for a CnC
> server, but not being that knowledgeable in that area, I thought
> I'd ask the oracle that is the Wolves LUG.
> The domains these hosts are attempting to look up have valid
> nameservers that are elsewhere, and all have GoDaddy privacy
> service enabled.
> All are in the format of <randomstring>.www.defence[0-9].com
> (I have a few tcpdumps of the data if anyone is interested).
> The constant flood is easily being swallowed up by our line, and
> it's currently sat at about 1000-1500 packets per minute.
> Does anyone have any suggestion as to what could be going on here?
> Cheers, Simon.

A couple of things to check:
1. What does the unused IP resolve to? (was it previously a DNS server
for somebody else?)

2. What does whois tell you about the source IP(s)?

As a bit of retaliation, try putting up a tarpit or a honeypot with a
spare machine.

-- 
Ron Wellsted
ron at wellsted.org.uk http://www.wellsted.org.uk
Call Sign: M0RNW / Linux Counter No. 202120
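To go with the checks above, here is an added triage script (not code from either poster) that reads tcpdump -n style output captured on the unused address, keeps only queries of the <randomstring>.www.defence[0-9].com shape Simon described, and reports per-source volume per minute plus the entropy of the leftmost label as a rough random-label indicator. The capture lines, addresses and the 2.5-bit entropy threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from math import log2

# Constructed tcpdump -n style lines (not from the thread); 198.51.100.23 stands in for the unused IP.
SAMPLE = """\
11:50:01.101 IP 203.0.113.7.41022 > 198.51.100.23.53: 4321+ A? q7h2ksd9.www.defence3.com. (43)
11:50:01.390 IP 203.0.113.7.41023 > 198.51.100.23.53: 4322+ A? zp1m0v8x.www.defence7.com. (43)
11:50:02.005 IP 203.0.113.9.50011 > 198.51.100.23.53: 1000+ A? www.example.com. (33)
11:51:00.777 IP 203.0.113.7.41024 > 198.51.100.23.53: 4323+ A? a9ck2r4t.www.defence0.com. (43)
11:51:03.120 IP 203.0.113.9.50012 > 198.51.100.23.53: 1001+ A? mail.example.net. (34)
"""

LINE_RE = re.compile(
    r"^(?P<minute>\d\d:\d\d):\d\d\.\d+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: "
    r"\d+\+? [A-Z]+\? (?P<qname>\S+)\. \(\d+\)$"
)
# The query shape Simon reported: <randomstring>.www.defence[0-9].com
SUSPECT_RE = re.compile(r"^[a-z0-9]+\.www\.defence[0-9]\.com$")

def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score near log2(len)."""
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values())

def triage(capture_text, entropy_threshold=2.5):
    """Per source IP: count of matching queries, queries per minute, mean label entropy."""
    per_src = defaultdict(lambda: {"suspect": 0, "per_minute": Counter(), "entropies": []})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DNS query line in the expected format
        qname = m.group("qname").lower()
        if not SUSPECT_RE.match(qname):
            continue  # ordinary lookup, ignore
        s = per_src[m.group("src")]
        s["suspect"] += 1
        s["per_minute"][m.group("minute")] += 1
        s["entropies"].append(label_entropy(qname.split(".")[0]))
    report = {}
    for src, s in per_src.items():
        mean_e = sum(s["entropies"]) / len(s["entropies"])
        report[src] = {"suspect": s["suspect"], "per_minute": dict(s["per_minute"]),
                       "mean_entropy": round(mean_e, 2), "random_looking": mean_e >= entropy_threshold}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        print(src, info)
```

The per-source list is what you would feed to the whois check, and the per-minute counts let you compare against the 1000-1500 packets per minute Simon measured.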