[Wolves] OT: Odd DNS traffic to unused IP

Simon Burke simon at samandsimon.co.uk
Fri May 13 12:19:00 UTC 2016


On Fri, 13 May 2016 at 12:56 Ron Wellsted <ron at wellsted.org.uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > The domain these hosts are attempting to look up have valid
> > nameservers that are elsewhere, and all have GoDaddy privacy
> > service enabled.
> >
> > All are in the format of <randomstring>.www.defence[0-9].com
> >
> > (I have a few tcpdumps of the data if anyone is interested).
> >
> > The constant flood is easily being swallowed up by our line, and
> > it's currently sat at about 1000-1500 packets per minute.
> >
> A couple of things to check:
> 1. What does the unused IP resolve to? (was it previously a DNS server
> for somebody else?)
>
The rDNS record is a generic placeholder we use for all unused IP
addresses.
Forwards, we do have one record, but that's for a server that's been
decommissioned for about two years.
The server that did have that address was a web server only.

>
> 2. what does whois tell you about the source IP(s)?
>
All the domains have the registrant protected via GoDaddy's privacy
protection service, and the nameservers are all pointing to legitimate
nameservers elsewhere.

>
> As a bit of retaliation, try putting up a tarpit or a honeypot with a
> spare machine.
>
I might just end up doing that, set up a nameserver with these zones and a
wildcard record, but I was concerned that if it got picked up by our ISP,
they might question our motives.
At the moment I'm just waiting to see if they will null route the IP for a
while.


Cheers.
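The traffic described in the thread (queries of the form <randomstring>.www.defence[0-9].com arriving at an unused address at a steady rate) is easy to quantify from the tcpdump output Simon mentions. The script below is an added example, not code from the thread or from any of its participants: it parses the usual `tcpdump -n udp port 53` query lines, flags names matching that pattern, and reports counts per source address, per parent zone, and the peak per-minute rate. The sample lines are constructed for illustration (RFC 5737 documentation addresses, made-up labels), and the line format assumed is tcpdump's default DNS query summary; adjust LINE_RE if your capture uses -tttt timestamps or -v verbosity.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n udp port 53" output; not a real capture.
# Source/destination addresses are RFC 5737 documentation ranges.
SAMPLE_LINES = """\
12:19:00.101 IP 203.0.113.5.41234 > 198.51.100.7.53: 51200+ A? k3j9x2q.www.defence1.com. (42)
12:19:00.222 IP 203.0.113.5.41235 > 198.51.100.7.53: 51201+ A? a8d02mz.www.defence3.com. (42)
12:19:01.340 IP 203.0.113.9.53011 > 198.51.100.7.53: 7713+ A? www.example.com. (33)
12:19:02.015 IP 203.0.113.17.60022 > 198.51.100.7.53: 9002+ AAAA? p0q1r2s.www.defence7.com. (44)
12:20:00.500 IP 203.0.113.5.41236 > 198.51.100.7.53: 51202+ A? zz71ab.www.defence1.com. (41)
12:20:03.777 IP 203.0.113.9.53012 > 198.51.100.7.53: 7714+ MX? example.org. (29)
garbage line that should be skipped
"""

# One tcpdump DNS query line: timestamp, IP src.port > dst.53: id[flags] QTYPE? qname. (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: "
    r"\d+[+%$]* (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)

# The pattern reported in the thread: <randomstring>.www.defence[0-9].com
SUSPECT_RE = re.compile(r"^[a-z0-9]+\.www\.defence[0-9]\.com$", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for a DNS query line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower()
    return rec


def is_suspect(qname):
    """True when the query name matches the random-label.www.defenceN.com shape."""
    return SUSPECT_RE.match(qname) is not None


def summarise(lines):
    """Count suspect queries by source IP, by parent zone, and find the peak per-minute rate."""
    per_src = Counter()
    per_zone = Counter()
    per_minute = Counter()
    parsed = suspect = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-query lines (responses, noise, truncated output)
        parsed += 1
        if not is_suspect(rec["qname"]):
            continue
        suspect += 1
        per_src[rec["src"]] += 1
        # Parent zone is the last three labels, e.g. www.defence1.com
        per_zone[".".join(rec["qname"].split(".")[-3:])] += 1
        per_minute[rec["ts"][:5]] += 1  # bucket by HH:MM
    return {
        "parsed": parsed,
        "suspect": suspect,
        "per_src": dict(per_src),
        "per_zone": dict(per_zone),
        "peak_per_minute": max(per_minute.values(), default=0),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_LINES.splitlines()), indent=2))
```

Feed it real output with `tcpdump -n -l udp port 53 | python3 dnsflood.py` style piping (swap SAMPLE_LINES for sys.stdin) to get the per-source breakdown; a small number of sources each sending many distinct random labels for the same handful of zones is the signature worth passing to the ISP, and the per-zone counts give you the list of zones a wildcard sinkhole would need to serve.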

