I've been getting absolutely bombarded with DNS query frames, most of which come from commercial IPs (that are now blocked); however, I'm seeing some from what appears to be 44/8, but I suspect most of these are spoofed. There's always the chance someone's been compromised. An example from Wireshark:
72 13.058158 44.96.84.78 44.88.0.9 DNS Standard query A oitutrxutxx.www.luse7.com
I know this IP is not configured, so it must be spoofed (aka: no DNS), and it doesn't appear to be alive; nor is this the only one from 44/8.
140 35.327781 44.180.172.99 44.88.0.9 DNS Standard query A ttx.www.luse8.com
595 181.341697 44.219.111.186 44.88.0.9 DNS Standard query A m.www.luse9.com
I'm sure this is a DNS worm of sorts, but it was attacking my MFNOS node (which does not even have a DNS server compiled into it) at the rate of 500,000 frames a minute. While harmless to such a node, it's still bandwidth used for nothing.
Has anyone seen these sorts of junk DNS requests before?
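As an added example (not part of the thread, and not code from either poster), here is a small Python triage script for exactly this situation: it parses Wireshark packet-list lines in the layout quoted above, counts query frames per source, separates sources that sit inside your own 44/8 block but are not hosts you actually have configured (the likely-spoofed ones) from sources outside the block, groups the query names by family (the luse7/luse8/luse9 pattern collapses to one family), and works out the query rate per minute. The three quoted capture lines are used as input; the remaining sample lines and the KNOWN_LIVE list of configured hosts are constructed assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the Wireshark packet-list layout used in the thread
# (frame no., time, source, destination, protocol, info). The first three
# lines are the ones quoted in the post; the rest are made up for this example.
SAMPLE_LINES = [
    "72 13.058158 44.96.84.78 44.88.0.9 DNS Standard query A oitutrxutxx.www.luse7.com",
    "140 35.327781 44.180.172.99 44.88.0.9 DNS Standard query A ttx.www.luse8.com",
    "595 181.341697 44.219.111.186 44.88.0.9 DNS Standard query A m.www.luse9.com",
    "596 181.341801 203.0.113.7 44.88.0.9 DNS Standard query A q.www.luse7.com",
    "597 181.342005 44.96.84.78 44.88.0.9 DNS Standard query A zz.www.luse8.com",
    "598 181.400000 44.88.0.12 44.88.0.9 ICMP Echo (ping) request",
]

# Hosts on the local 44-net segment that are actually configured and alive.
# This is an assumed list; the operator would fill it from their own allocation.
KNOWN_LIVE = {"44.88.0.9", "44.88.0.12"}
OUR_NET = ip_network("44.0.0.0/8")

# frame, time, src, dst, protocol, info
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# "Standard query [0xTXID] TYPE NAME" (newer Wireshark versions print the TXID)
QUERY_RE = re.compile(r"Standard query\s+(?:0x[0-9a-fA-F]+\s+)?(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one packet-list line; return None for lines that are not DNS queries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    frame, t, src, dst, proto, info = m.groups()
    if proto != "DNS":
        return None
    q = QUERY_RE.search(info)
    if not q:
        return None
    return {"frame": int(frame), "time": float(t), "src": src, "dst": dst,
            "qtype": q.group(1), "qname": q.group(2)}


def base_domain(qname):
    """Last two labels of the query name, e.g. 'luse7.com'."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(lines, known_live=KNOWN_LIVE, our_net=OUR_NET):
    """Summarise DNS query frames: counts per source, sources inside our own
    block that are not configured hosts (likely spoofed), sources outside the
    block, query-name families (digits collapsed to '#'), and queries/minute."""
    queries = [q for q in map(parse_line, lines) if q]
    per_source = Counter(q["src"] for q in queries)
    suspect_spoofed = sorted(
        s for s in per_source
        if ip_address(s) in our_net and s not in known_live)
    external = sorted(s for s in per_source if ip_address(s) not in our_net)
    families = Counter(re.sub(r"\d+", "#", base_domain(q["qname"]))
                       for q in queries)
    times = [q["time"] for q in queries]
    span = (max(times) - min(times)) if len(times) > 1 else 0.0
    per_minute = round(len(queries) * 60 / span, 2) if span > 0 else float(len(queries))
    return {"total": len(queries), "per_source": per_source,
            "suspect_spoofed": suspect_spoofed, "external": external,
            "families": families, "per_minute": per_minute}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

To use it on a real capture, export the packet list from Wireshark as plain text (or run tshark with the same summary columns) and feed the lines to analyze(). Sources that land in suspect_spoofed are addresses in your own block that answer to nothing you run, which is the signal the original post describes; the per-minute figure is what to compare against the 500,000 frames a minute seen on the MFNOS node.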
My guess might be that these are part of some larger DNS reflection attack. I cannot speak to why they'd be coming in to you, but UDP is unfriendly in that it allows an attacker to pretend to be someone, ask for a DNS response, and real DNS servers will send the traffic to their victim. This is potentially why you're seeing various commercial/44 net IPs: these are open (publicly facing) recursive DNS resolvers that may be being abused by an attacker. So, if any of those 44 net IPs do turn out to be open recursive resolvers, best practice is to not have those face the internet, but just your intranet only.
DNS reflection/amplification attacks, as well as their NTP-based brethren, have unfortunately been picking up steam of late, and have been wreaking havoc all over the internet. Let's avoid helping them out by keeping NTP and DNS services internal only unless really necessary.
Nigel K7NVH