receiving large queries with special characters

Patrick Larkin Jr plarkin at corp.earthlink.net
Tue May 4 15:19:55 UTC 2010


Has anybody else seen this before?

I operate a large distributed farm of DNS caching resolvers
for my customers, with many public addresses and behind SLB.

Recently I began seeing a large number of malformed queries
coming from a handful of machines in Europe, targeting
one particular public resolver IP address.  And it affects
my servers' performance.

Here are some snoop lines; notice the recurring strings in them
(across attackers, and within attackers):

{attacker#1} -> {my-victimized-IP} DNS C 
,D+[SA[UVDYkjwkdnwlkjw+dnwlkjwkdnwlkjwk”óþ”•ˆ“`nÎlenationcom 
edgesuitenet Unknown (17) Unknown (20380) ?

{attacker#1} -> {my-victimized-IP} DNS C 
,D+[SA[UVDYkjwkdnwlkjw+dnwlkjwkdnwlkjwk§Cµ"”•ˆ“`nÎl Unknown (28531) 
Unknown (3847) ?

{UKattacker#2} -> {my-victimized-IP} DNS C 
,D+[SAZVYOZkjwkdnwlkjw+dnwlkjwkdnwlkjwkF-ÃR”•ˆ“`n·itchyÀÀ Unknown (256) 
Unknown (512) ?

{UKattacker#2} -> {my-victimized-IP} DNS C 
,D+[SAZVYOZkjwkdnwlkjw+dnwlkjwkdnwlkjwk_„`<”•ˆ“`n·lVALLEYNET Unknown 
(256) Unknown (512) ?

{UKattacker#2} -> {my-victimized-IP} DNS C 
,D+[SAZVYOZkjwkdnwlkjw+dnwlkjwkdnwlkjwk8lÒ×”•ˆ“`n·ladnsnet Unknown 
(1100) Unknown (41216) ?

{attacker#3} -> {my-victimized-IP} DNS C 
,D+[SAZQXO_kjwkdnwlkjw+dnwlkjwkdnwlkjwkÑkjwk`ngm Unknown (256) Unknown 
(512) ?



This happened once before (January 2010) and I managed to make contact
with one of them, and here is what he said:
> We've re-initialised our firewall.  {that machine} is our internal firewall for the office here, nothing to do really with the ISP services we run for others.  The traffic appeared to be generated directly from the firewall itself.  A reboot cleared it.  We've also upgraded the firmware to the latest patch.
>
> Model of firewall is:  FortiWiFi-50B , Firmware 4.0 MR1 Patch 2

Any ideas?  What's causing it?  How to make it stop?
-- 
  Patrick Larkin Jr - Dallas Texas USA
    Earthlink Core Services Engineering
       PLarkin at corp.EarthLink.NET
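A detection check suggested by the snoop lines above, as an added example that is not from the original post: parse the question section of each query and flag names that carry the recurring "kjwkdnwlkjw" substring, non-hostname bytes in a label, or an unassigned query class. The marker string comes from the post; the sample packets, the label character set and the class whitelist are my own constructions.

```python
import re
import struct
MARKER = b"kjwkdnwlkjw"                      # substring that recurs in every posted snoop line
LABEL_OK = re.compile(rb"^[A-Za-z0-9_-]+$")   # conventional hostname label characters (assumed policy)
VALID_QCLASS = {1, 3, 4, 254, 255}           # IN, CH, HS, NONE, ANY

def parse_qname(pkt, off):
    # Decode an uncompressed wire-format name; return (labels, offset after it).
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            return labels, off
        if n & 0xC0 or off + n > len(pkt):   # pointer or overrun: not a valid question name
            raise ValueError("bad label length %d" % n)
        labels.append(pkt[off:off + n])
        off += n

def classify_query(pkt):
    # Return the reasons a query looks malformed; an empty list means it looks sane.
    if len(pkt) < 12:
        return ["short header"]
    reasons = []
    try:
        labels, off = parse_qname(pkt, 12)
    except ValueError as exc:
        return reasons + [str(exc)]
    if off + 4 > len(pkt):
        return reasons + ["truncated question"]
    qclass = struct.unpack("!H", pkt[off + 2:off + 4])[0]
    if qclass not in VALID_QCLASS:
        reasons.append("unknown qclass %d" % qclass)
    if any(MARKER in lab for lab in labels):
        reasons.append("recurring marker string in name")
    if any(not LABEL_OK.match(lab) for lab in labels):
        reasons.append("non-hostname bytes in label")
    return reasons

def build_query(labels, qtype, qclass):
    # Assemble a one-question query; used only to construct the samples below.
    name = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, qclass)

# Constructed samples: a normal A query, and one modelled on the first snoop line above.
GOOD_QUERY = build_query([b"www", b"example", b"com"], 1, 1)
BAD_QUERY = build_query([b",D+[SA[UVDY" + MARKER + b"+dnwlkjwkdnwlkjwk\x94\x95\x88\x93",
                         b"nationcom", b"edgesuitenet"], 17, 20380)
```

Feed it the UDP payloads from a capture of the affected resolver address and count per source; the hosts whose queries consistently hit all three reasons are the ones worth rate-limiting or filtering upstream.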