Beginning about 0900UTC we began seeing about 50x our usual DNS traffic.
75% of the traffic is for d6991.com. Does anyone else see this? Who are
these folks (WEBNIC.CC)?
-chris
Maybe because of this mess?
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.7.3 <<>> @localhost d6991.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61549
;; flags: qr rd ra; QUERY: 1, ANSWER: 256, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;d6991.com. IN A
;; ANSWER SECTION:
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 23 19:06:40 2013
;; MSG SIZE rcvd: 4123
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '121.100.128.0 - 121.100.191.255'
inetnum: 121.100.128.0 - 121.100.191.255
netname: YanYang-network
descr: Beijing Yan Yang Century Science & Technology Co., LTD
descr: 9-605 Xuhuiaodu, Lishuiqiao south, Chaoyang District, Beijing
country: CN
admin-c: ZM675-AP
tech-c: ZM676-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
status: ALLOCATED PORTABLE
changed: ipas@cnnic.net 20110610
source: APNIC
irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20110428
source: APNIC
person: Yanqing Xiao
address: 9-605 Xuhuiaodu. Lishuiqiao south Chaoyang District
address: Beijing, China, 100012
country: CN
phone: +86-18600090096
fax-no: +86-010- 59456518
e-mail: xiaoyanqingvp@126.com
nic-hdl: ZM675-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net 20110609
source: APNIC
person: Jian Zhou
address: 9-605 Xuhuiaodu. Lishuiqiao south Chaoyang District
address: Beijing, China, 100012
country: CN
phone: +86-18611086106
fax-no: +86-010- 59456518
e-mail: sxbjzj@163.com
nic-hdl: ZM676-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net 20110609
source: APNIC
% Information related to '121.100.128.0/19AS4837'
route: 121.100.128.0/19
descr: CNC Group CHINA169 Shan1xi Province Network
descr: Addresses from CNNIC
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060926
source: APNIC
% This query was served by the APNIC Whois Service version 1.68 (WHOIS3)
- ferg
Could be DNS packet tunneling to China, bad news.
https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
That is a problem, but I'm seeing a lot of queries from residential
users for what seems to me an obscure name hosted in Asia. I'm
guessing some kind of bot traffic...
-chris
They may be open recursors being leveraged for DNS reflection/amplification DDoS (many CPE devices are broken this way). Check some of the CPEs to see if they're open recursors:
Once upon a time, Chris Hunt <dharmachris@gmail.com> said:
That is a problem, but I'm seeing a lot of queries from residential
users for what seems to me an obscure name hosted in Asia. I'm
guessing some kind of bot traffic...
Any of the affected users have open resolvers (on DSL routers for
example)?
I've heard estimates (from others that have looked at the OpenResolverProject.org data) that around 90% of resolvers are CPE devices that respond to queries on the WAN interface.
- Jared
Well,
There is a lot of those popping up in the past 6 months.
I'm still running bindguard 0.71 and caught about 1300 targets of
reflection DDoS in the past 24h.
Besides using ". IN ANY", a lot are using "isc.org IN ANY" and some
more that I won't list here =D
That should make it pretty easy to track down the domains built for the
purpose of DNS DDoS. Just saying...
It's DNS reflection attack noise:
http://dnsamplificationattacks.blogspot.com/2013/09/domain-d6991com.html
This is a good blog for observing the domains and frequent correlation of items in whois and other traits that indicate much of this is done by the same actors.
Thanks for the pointer.
- ferg