[Wolves] OT: Odd DNS traffic to unused IP

Ron Wellsted ron at wellsted.org.uk
Fri May 13 11:57:04 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 13/05/16 12:44, Simon Burke via Wolves wrote:
> A wee bit OT, but I'm looking for opinions.
> 
> So we have noticed there's a significant spike in traffic this
> week. For some reason we're getting a fairly constant stream
> of DNS traffic directed towards an unused IP.
> 
> Someone has suggested it's possibly a botnet looking for a CnC
> server, but not being that knowledgeable in that area, I thought
> I'd ask the oracle that is the Wolves LUG.
> 
> The domains these hosts are attempting to look up have valid
> nameservers that are elsewhere, and all have GoDaddy privacy
> service enabled.
> 
> All are in the format of <randomstring>.www.defence[0-9].com
> 
> (I have a few tcpdumps of the data if anyone is interested).
> 
> The constant flood is easily being swallowed up by our line, and
> it's currently sat at about 1000-1500 packets per minute.
> 
> Does anyone have any suggestion as to what could be going on here?
> 
> Cheers, Simon.

A couple of things to check:
1. What does the unused IP resolve to? (was it previously a DNS server
for somebody else?)

2. What does whois tell you about the source IP(s)?

As a bit of retaliation, try putting up a tarpit or a honeypot with a
spare machine.

- -- 
Ron Wellsted
ron at wellsted.org.uk http://www.wellsted.org.uk
Call Sign: M0RNW / Linux Counter No. 202120
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlc1wOwACgkQ8lOfTmhjD3PNWwCguvWdMsMxbJep1N601epiDhjq
rWcAoJPbZcixDcHMsQa97C6Qm1XYEDdZ
=duwA
-----END PGP SIGNATURE-----
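Added example, not code from the thread or from either poster: a small triage script for the situation Simon describes and the two checks Ron suggests. It parses the text that `tcpdump -n -tttt udp port 53` prints for DNS queries (that line format is an assumption; Simon only says he has tcpdumps), counts queries per source, per minute and per base domain, flags names that fit the <randomstring>.www.defence[0-9].com shape, and prints the `dig -x` (reverse DNS on the unused IP) and `whois` (source IPs and queried domains) commands to run next rather than running them. The sample capture is constructed, with 192.0.2.77 standing in for the unused IP and documentation ranges for the sources.

```python
"""Triage a tcpdump text capture of DNS queries aimed at an unused IP.

Added example for the Wolves thread; the capture lines below are
constructed, not a real dump, and the line format assumed is that of
`tcpdump -n -tttt udp port 53`.
"""
import math
import re
from collections import Counter

# Constructed sample. 192.0.2.77 stands in for the unused IP.
SAMPLE_CAPTURE = """\
2016-05-13 11:40:01.000100 IP 203.0.113.5.40123 > 192.0.2.77.53: 31337+ A? kq83hd0s2.www.defence3.com. (45)
2016-05-13 11:40:01.020100 IP 203.0.113.5.40124 > 192.0.2.77.53: 31338+ A? z1p9qwe7xk.www.defence3.com. (46)
2016-05-13 11:40:02.500000 IP 198.51.100.9.53000 > 192.0.2.77.53: 4+ [1au] A? a7fj2mbq.www.defence8.com. (54)
2016-05-13 11:40:03.000000 IP 198.51.100.9.53001 > 192.0.2.77.53: 5+ A? www.example.com. (33)
2016-05-13 11:41:00.000000 IP 203.0.113.5.40125 > 192.0.2.77.53: 31339+ A? mm2k4l0b9.www.defence1.com. (45)
"""

# One tcpdump DNS query line: timestamp, src.port > dst.53, id, optional
# EDNS marker such as [1au], query type, query name, payload length.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.53: "
    r"\d+\+? (?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \(\d+\)$"
)
# The name shape reported in the thread: <randomstring>.www.defence[0-9].com
SUSPECT_RE = re.compile(r"^[a-z0-9]+\.www\.defence[0-9]\.com$", re.I)


def parse_capture(text):
    """Return one dict per parseable DNS query line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def label_entropy(label):
    """Shannon entropy (bits per char) of one DNS label.

    Generated labels tend to score high; a dictionary word or 'www' scores low.
    """
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values())


def base_domain(qname):
    """Registrable part for this name shape: the last two labels (defence3.com)."""
    return ".".join(qname.lower().split(".")[-2:])


def summarise(records):
    """Aggregate the capture into the figures the checks in the thread need."""
    suspect = [r for r in records if SUSPECT_RE.match(r["qname"])]
    return {
        "total": len(records),
        "suspect": len(suspect),
        "per_source": Counter(r["src"] for r in suspect),
        "per_minute": Counter(r["minute"] for r in suspect),
        "per_domain": Counter(base_domain(r["qname"]) for r in suspect),
        "targets": Counter(r["dst"] for r in suspect),
        "first_label_entropy": {
            r["qname"]: round(label_entropy(r["qname"].split(".")[0]), 2)
            for r in suspect
        },
    }


def next_steps(summary):
    """Commands for Ron's two checks: reverse DNS on the unused IP, then
    whois on the sources (busiest first) and on the queried domains.
    They are returned as strings, not executed, so this runs offline."""
    cmds = [f"dig -x {ip} +short" for ip in summary["targets"]]
    cmds += [f"whois {ip}" for ip, _ in summary["per_source"].most_common()]
    cmds += [f"whois {d}" for d in summary["per_domain"]]
    return cmds


if __name__ == "__main__":
    s = summarise(parse_capture(SAMPLE_CAPTURE))
    print(f"{s['suspect']}/{s['total']} queries match the defence[0-9].com shape")
    for minute, n in sorted(s["per_minute"].items()):
        print(f"  {minute}: {n} queries/min")  # compare with the 1000-1500/min in the thread
    for src, n in s["per_source"].most_common():
        print(f"  {src}: {n} queries")
    print("\n".join(next_steps(s)))
```

To use it on a real dump, feed the output of `tcpdump -n -tttt -r capture.pcap udp port 53` into `parse_capture` in place of `SAMPLE_CAPTURE`. The per-minute counts let you compare against the 1000-1500 packets per minute Simon quotes, the per-source counts tell you whether it is a few hosts or many, and the per-domain counts give the names to put into whois even though the registrant is behind a privacy service.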
