Observed DNS Anomaly: Bumps in DNS ANY Query Activity

12.02.2011

For the past five days we have been seeing a 20-25% bump in DNS QPS during random 5-10 minute intervals, and it started up again this morning. It is not a pattern we are accustomed to seeing, so we classified it as a traffic anomaly and sent our Operations Team looking for its source.

Here are the particulars of what we're seeing:

  • Source IPs come from prefixes in China Telecom and China Netcom address space.
  • Source ports are randomized.
  • DNS transaction IDs are randomized.
  • The queries arrive via legitimate delegation paths, i.e. they are for customer domains that our nameservers serve. We also see queries for domains we are not authoritative for, which suggests this is bogus traffic directed at real domain names rather than genuine resolution.
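To make the observations above concrete, here is an added example (not code from the original post or from Dyn) that parses constructed BIND-style query-log lines, buckets queries into fixed time windows, flags windows whose count exceeds a median baseline by the 20% margin cited above, and lists ANY-query sources with their share of all ANY queries and the number of distinct source ports they used (a crude check for the port randomization noted above). The log line format, the RFC 5737 addresses and the function names are all assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on BIND's query-log line format (an
# assumption about the format; addresses are RFC 5737 documentation
# ranges, not the sources from the post). Minute 10:02 carries a burst
# of ANY queries from two sources using varying source ports.
SAMPLE_LOG = """\
02-Dec-2011 10:00:05.001 client 192.0.2.10#41234: query: example.com IN A + (198.51.100.1)
02-Dec-2011 10:00:40.002 client 192.0.2.11#41250: query: www.example.com IN AAAA + (198.51.100.1)
02-Dec-2011 10:01:07.003 client 192.0.2.10#41300: query: example.com IN MX + (198.51.100.1)
02-Dec-2011 10:01:48.004 client 192.0.2.12#52001: query: example.com IN A + (198.51.100.1)
02-Dec-2011 10:02:02.005 client 192.0.2.11#41251: query: example.com IN A + (198.51.100.1)
02-Dec-2011 10:02:03.006 client 203.0.113.5#1025: query: example.com IN ANY + (198.51.100.1)
02-Dec-2011 10:02:03.007 client 203.0.113.5#60411: query: example.com IN ANY + (198.51.100.1)
02-Dec-2011 10:02:04.008 client 203.0.113.9#33090: query: example.com IN ANY + (198.51.100.1)
02-Dec-2011 10:02:04.009 client 203.0.113.5#7722: query: example.com IN ANY + (198.51.100.1)
02-Dec-2011 10:02:05.010 client 203.0.113.9#48100: query: example.net IN ANY + (198.51.100.1)
02-Dec-2011 10:02:06.011 client 203.0.113.5#19000: query: example.com IN ANY + (198.51.100.1)
02-Dec-2011 10:02:50.012 client 192.0.2.12#52002: query: www.example.com IN A + (198.51.100.1)
02-Dec-2011 10:03:10.013 client 192.0.2.10#41301: query: example.com IN A + (198.51.100.1)
02-Dec-2011 10:03:44.014 client 192.0.2.11#41252: query: example.com IN NS + (198.51.100.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)
_EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Return one dict per parseable query line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "src": m["src"],
            "port": int(m["port"]),
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
        })
    return records


def queries_per_window(records, window_s=60, qtype=None):
    """Count queries (optionally only one qtype) per fixed-size window.
    Keys are window start times as 'YYYY-MM-DD HH:MM:SS' strings."""
    counts = Counter()
    for r in records:
        if qtype is not None and r["qtype"] != qtype:
            continue
        secs = int((r["ts"] - _EPOCH).total_seconds())
        start = _EPOCH + timedelta(seconds=secs - secs % window_s)
        counts[start.strftime("%Y-%m-%d %H:%M:%S")] += 1
    return dict(sorted(counts.items()))


def flag_bursts(per_window, factor=1.2):
    """Return window starts whose count exceeds factor * median count.
    The median is a crude baseline; factor=1.2 is the 20% bump from the post."""
    if not per_window:
        return []
    baseline = statistics.median(per_window.values())
    return [w for w, n in per_window.items() if n > factor * baseline]


def any_sources(records):
    """Per source: ANY-query count, share of all ANY queries, and number of
    distinct source ports seen (many ports from one source = randomized)."""
    per_src = Counter()
    ports = defaultdict(set)
    for r in records:
        if r["qtype"] != "ANY":
            continue
        per_src[r["src"]] += 1
        ports[r["src"]].add(r["port"])
    total = sum(per_src.values())
    return [(src, n, round(n / total, 3), len(ports[src]))
            for src, n in per_src.most_common()]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    windows = queries_per_window(recs)
    print("queries per minute:", windows)
    print("bursty windows:", flag_bursts(windows))
    for src, n, share, nports in any_sources(recs):
        print(f"{src:<16} ANY={n:<4} share={share:<6} distinct_ports={nports}")
```

On real data you would feed `parse_log` a full day's query log and widen `window_s` to the 5-10 minute intervals the post describes; the median baseline is deliberately simple, and a sustained flood would pull it up, so compare against a quiet reference period if the burst dominates the log.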


This has been noticed not only by us but also by people on the dns-operations list, NANOG and other related mailing lists.

Given that other network operators have noticed this and that it involves such a large amount of traffic, we are surprised that discussion of it has been relatively muted. Are others seeing this? What are you doing about it (if anything)? What do you think is behind it?


Comments

  • Ronald Poell

    Yesterday I had something that looks similar: See my post at http://www.yacy-forum.org/viewtopic.php?f=2&t=572&p=2131#p2131

  • http://twitter.com/dje Darrin Eden

    We’re experiencing the same pattern. I assumed it was an attack aimed at testing defences. Wildly more interesting that it’s widespread. We’re practicing additional tactics should the pattern change significantly, but otherwise limited response. Please let us know if there’s anything we might do to coordinate a response.

  • http://www.parraz.org danielparraz

    I am also noticing a large amount of ANY requests over the last week.

    Here are the two most common requests, from the SOA server of this domain:

    Query                          Count   Share
    1. domain-masked.com/ANY       3651    36.5%
    2. ns1.domain-masked.net/A      990     9.9%
    …

    Source IP            Count   Share
    119.147.145.151      2180    21.8%
    119.147.151.154       600     6.0%
    121.12.173.124        452     4.5%
    121.14.142.70         419     4.2%

    And if you add up the requests from the above remote IPs from China Telecom, they total 3651, or the number of ANY queries I have received.

    At the moment, the traffic is not having an impact on operations, but registers to me as not being normal internet traffic, and I decided to ban the ranges until I can get more information. I am assuming this trend is not isolated, judging by the recent comments, and would like to know if anyone can shed some light?

    Thanks!

  • Pjsmith

    We are seeing it too.
    Interestingly, if you drop the requests or reply with SERVFAIL, they just keep coming, sometimes at rates well over 1000 per second. As someone else on dns-operations pointed out, there seems to be a time frame of 4am to 7pm-ish CET. Even Chinese have to sleep :)

    It started in earnest last Tuesday, but if you check back through the logs, much more minor repeats of exactly the same thing have been happening on and off for quite some time.

  • http://twitter.com/ian_winter Ian Winter

    In our account with you guys, since end of November we’ve seen massively abnormal QPS rates – could this be related?

    • http://dyn.com/ Jeremy Hitchcock

      Very likely yes.

  • Glennms

    I have noticed, in Dec, that there were attacks of various types coming from China. I run a small internet radio station and use DynDNS to point to the station links, and I had them getting into my Shoutcast servers and trying to run up the user #s for 5 minutes at a time. I have blocked them at my router and on my station streams, so this is not some college kid playing around. Note: I could not tell what they were doing in the server, but it was not listening to the tunes.

    Glenn
    station Owner
    OURMUSICONE.com

  • http://pcken.com/ Security

    Just now seeing this posting, but yes, I see a lot of traffic coming from China. There is a pattern of 14,400 hits at a random time of day from random IPs coming from China.