New type of DDoS? Anyone saw it?

bert hubert bert.hubert at netherlabs.nl
Mon May 16 15:44:44 UTC 2016


On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my bind eat almost 90% of RAM; when I checked the logs I found an
> interesting DDoS on my DNS cluster today:
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212
> IN AAAA + (8X.1X0.Y.Y)

This may be related to
http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
where there is talk of a Ubiquiti exploit which is reported (elsewhere) to
generate such queries.

	Bert


> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to
> 8X.1X0.33.0/24 for . IN AAAA  (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: query: 235.326.031.064
> IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: drop response to
> 8X.1X0.33.0/24 for . IN AAAA  (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 331.206.372.214
> IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to
> 8X.1X0.33.0/24 for . IN AAAA  (00000000)
> 
> Looks like an IN AAAA query about a wrong IPv4 address... I got almost 5000/sec.
> Has anyone seen this too?
> 
> Best Regards
> Marek
> 
> 
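An added example, not part of either poster's message: a small Python tally over BIND query-log lines in the format quoted above. It counts, per client, the AAAA queries whose name is four all-digit labels that do not form a valid IPv4 address, plus the `slip`/`drop` rate-limit actions. The sample lines are constructed with documentation addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# BIND query-log line in the format quoted in the thread (one record per line).
QUERY_RE = re.compile(r"client (?P<client>\S+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# Rate-limit action lines ("slip response to" / "drop response to") from the thread.
RRL_RE = re.compile(r"client (?P<client>\S+)#\d+: (?P<action>slip|drop) response to")


def is_bogus_quad(qname):
    """True for a name made of four all-digit labels that is not a valid IPv4
    dotted quad (octet > 255 or zero-padded), like the names in the thread."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 4 or not all(l.isdigit() for l in labels):
        return False
    return any(int(l) > 255 or (len(l) > 1 and l[0] == "0") for l in labels)


def summarize(lines):
    """Count bogus-quad AAAA queries and RRL actions per client address."""
    bogus, rrl = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            if m["qtype"] == "AAAA" and is_bogus_quad(m["qname"]):
                bogus[m["client"]] += 1
            continue
        m = RRL_RE.search(line)
        if m:
            rrl[(m["client"], m["action"])] += 1
    return bogus, rrl


# Constructed sample: same line shapes as the thread, documentation addresses.
SAMPLE = """\
16-May-2016 16:47:47.467 client 192.0.2.40#44968: query: 323.016.231.212 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.467 client 192.0.2.40#44968: slip response to 192.0.2.0/24 for . IN AAAA  (00000000)
16-May-2016 16:47:47.467 client 192.0.2.40#38600: query: 235.326.031.064 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.467 client 192.0.2.40#38600: drop response to 192.0.2.0/24 for . IN AAAA  (00000000)
16-May-2016 16:47:47.468 client 192.0.2.77#51000: query: www.example.com IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.468 client 192.0.2.77#51001: query: 10.1.2.3 IN A + (198.51.100.1)
""".splitlines()

if __name__ == "__main__":
    bogus, rrl = summarize(SAMPLE)
    for client, n in bogus.most_common():
        print(f"{client}: {n} bogus-quad AAAA queries")
    for (client, action), n in sorted(rrl.items()):
        print(f"{client}: {n} x rate-limit {action}")
```

Real query logs keep each record on one line; the wrapped lines in the quoted mail are an e-mail line-length artifact and would need rejoining before parsing.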


More information about the bind-users mailing list