DNS Abuse?

Jim Dennis jimd at starshine.org
Fri Jan 13 19:17:00 PST 2006



 All,

 I've been seeing a couple of oddities on my little IDSL home network
 in the last few days and I'm wondering if they represent some creative
 new form of DNS abuse.

 The short form is that I'll see increasing network lag and find that
 two hosts out on the net are sending a number of DNS requests per
 second asking about e.tn.co.za.

 This continues across both my nameserver IP addresses (which are
 actually currently both IP aliases to one Debian/UltraSPARC system 
 [slaps own wrist for being a bad admin and mutters about how 
 cobbler's children are shod]). This goes on for hours at a time --- 
 and seems to slowly increase in bandwidth load over time.

 The first of these that I noticed involved two hosts:

    mail.samurai.fm (apparently the mail server for some Japanese
        Internet radio station)
    server2.unitedservers.de (apparently a German virtual hosting
        or colo service)

 At first I wasn't running any tools at all (haven't been needing them
 at home since my last workstation re-image).   So first I installed
 a copy of etherape; that's a GUI that shows a star graphic of where
 traffic is coming and going in one window (hosts are points on a ring
 around the edges, and traffic appears as lines crossing the middle,
 colors differentiate top protocols, and thickness for relative
 bandwidth utilization; another window shows a table of traffic types
 and counts, updated in real-time, like a little tachometer, and lets
 me sort them by various criteria).

 It was obvious that I was getting hammered with DNS requests and
 UDP fragments.  (sustained loads of ~270Kbps UDP fragments, and 
 ~170Kbps in DNS traffic on an IDSL line that's nominally only
 144Kbps --- perhaps the tool's metrics are off, but my pipe was
 definitely full).

 So I shutdown my DNS server.  All the UDP fragments disappeared,
 and the DNS dropped to around 15Kbps --- and there now appeared
 about 10Kbps of ICMP traffic (port unreachable, of course).

 So this represented the incoming DNS; but there were some port
 scan and other traffic (normal background radiation these days)
 that were preventing me from isolating the perpetrators.  Also
 this didn't look like an effective attack (various host integrity
 tests on the UltraSPARC and a couple of other systems around the
 house were all clean, including the latest chkrootkit and rkhunter
 versions from Debian).

 Anyway, I installed snort and nstreams and started capturing
 some information for analysis.  Then I spotted the two machines
 that had been there for a long time (after the alleged nameserver
 in Russia finished scanning me).

 I restarted my named and watched while the ICMP traffic immediately
 disappeared (as one would expect) and the DNS traffic immediately
 doubled.  Then over the course of an hour or so it slowly climbed
 to ~50-60Kbps.

 So now I just did: iptables -A INPUT -s $BADHOST -j DROP for each of
 the two culprits; did traceroutes on them and sent mail to the abuse@,
 support@, kontakt@ (for the one that listed a contact at their
 website), hostmaster and postmaster@ for both domains and for their
 next hop transit providers (and copied my ISP's support@ as an FYI).

 The incoming DNS traffic persisted for a couple hours at the 15Kbps
 level.  (Though, it was no longer costing me any return traffic ---
 'cause DROP means don't even send them ICMP) :)

 I also spent time Googling and talking over IRC (freenode, in the 
 #snort channel) to see if I could identify this as any sort of known
 attack.  Basically I'd like to put a name to it and/or figure out
 what these bozos are up to.  I also reviewed my DNS configuration
 (I only allow recursive lookups for "friends" --- an ACL that's
 defined to include my netblocks and those of the various people
 for whom we provide secondary DNS service).  Zone xfers are similarly
 locked down, of course.

 (I also actually did some work during this time --- now that my
 VPN connection was usable again).

 Then off to bed.

 Today (after my dentist's appointment --- temporary crown for the one
 rear molar --- the gold crown will be ready in two weeks) I noticed
 a new pair of culprits.  I left my etherape main graphic window up
 on a virtual desktop of my laptop and I've been using it as a sort
 of screen saver. It's kinda cool and isn't costing enough
 performance to bother me, even on this old 500MHz/256MB laptop.

 Our new "guests" are:

     h-68-166-138-83.nycmny83.covad.net  68.166.138.83

 and:

    c-24-60-193-83.hsd1.ma.comcast.net 24.60.193.83 

 This was similar to the previous pair in that it was taking up
 ~15Kbps of DNS traffic.  I suspect the other event started like
 this and slowly continued until it got bad enough for me to see it.

 This time I immediately started a capture process with:

    tcpdump -n -v -v -v -w /tmp/wtf.tcpdump host $A or host $B

 (after having set $A and $B with =$(dig +short ...) commands)

 I let that run for a couple thousand packets captured in a
 few minutes ... and left it running while I added a couple more
 packet filter rules.  After about five minutes or so the two
 disappeared.  So I've stopped the capture and done a few little
 cuts at the data to see what's there.

 That's when the e.tn.co.za. name popped out at me.  It's in every
 request from both of them.


 Summary:

 I don't have any hard conclusions.  I don't know what they're doing,
 but I'm sure it's bad.  The fact that they appear two at a time makes
 me wonder if someone is somehow tricking my BIND9 named into being
 a reflector of some sort --- like two people behind firewalls using
 my DNS as some sort of relay?  However, a statistical sample of two
 events and four hosts isn't compelling.  I could see that someone
 could be somehow preloading my DNS cache with one request and then
 another could be testing whether my cache was warm to that request
 (something like what Dan Kaminsky has talked about at LISA?)

 If they were making various DIFFERENT requests, especially for MX
 records, I'd suspect they might be spam cannon zombies that were trying
 to obscure their DNS footprints in some way; but 1100 queries for
 e.tn.co.za doesn't sound like it'd be useful for e-mail spam.

 I haven't gathered more raw data from these yet and I'm near the
 edge of my technical expertise at this point.  So I'd have to invest
 a lot more time to delve into this further (time which I really don't
 have right now).

 So, I put the question to the community:

    What the heck are these?  Are there any good tools (snort rules
    etc) to detect them and automatically respond to them?  
    
    (Naturally I don't want my dynamically generated packet filter 
    rules to accumulate and block legitimate, innocent, dynamic IP 
    addresses indefinitely.  The rules I've put in here will be there 
    for a couple days then I'll flush them).

-- 
Jim Dennis
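The detection and temporary-blocking question at the end of the post, worked through as an added example (not code from the original post or from any of the tools it mentions): it parses tcpdump-style DNS query lines, flags sources that hammer one name above a per-second threshold, and pairs each generated DROP rule with an expiry so dynamic addresses are not blocked indefinitely. The capture lines, addresses and the `block_rules`/`expired` helpers are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tcpdump-style DNS query lines (sample data, not from the original post).
SAMPLE_CAPTURE = """\
19:00:01.000001 IP 192.0.2.10.40001 > 203.0.113.5.53: 1001+ A? e.tn.co.za. (28)
19:00:01.050000 IP 192.0.2.10.40002 > 203.0.113.5.53: 1002+ A? e.tn.co.za. (28)
19:00:01.100000 IP 192.0.2.10.40003 > 203.0.113.5.53: 1003+ A? e.tn.co.za. (28)
19:00:01.200000 IP 198.51.100.7.53000 > 203.0.113.5.53: 2001+ A? e.tn.co.za. (28)
19:00:01.300000 IP 192.0.2.10.40004 > 203.0.113.5.53: 1004+ A? e.tn.co.za. (28)
19:00:01.400000 IP 192.0.2.10.40005 > 203.0.113.5.53: 1005+ A? e.tn.co.za. (28)
19:00:01.500000 IP 192.0.2.10.40006 > 203.0.113.5.53: 1006+ A? e.tn.co.za. (28)
19:00:02.100000 IP 203.0.113.77.1234 > 203.0.113.5.53: 3001+ MX? example.org. (29)
"""

# One tcpdump query line: timestamp (to the second), source IP, query type and name.
LINE_RE = re.compile(
    r"^(?P<sec>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

def find_repeaters(capture, per_second=5):
    """Return {src: (qname, peak_count)} for sources that ask the same
    name at least `per_second` times within any single one-second bucket."""
    buckets = defaultdict(int)            # (src, qname, second) -> count
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            buckets[(m["src"], m["qname"], m["sec"])] += 1
    peaks = {}
    for (src, qname, _), n in buckets.items():
        if n >= per_second and n > peaks.get(src, ("", 0))[1]:
            peaks[src] = (qname, n)
    return peaks

def block_rules(repeaters, now, ttl=timedelta(days=2)):
    """Hypothetical helper: an iptables DROP command per offender, each
    paired with an expiry time so the caller can flush it later."""
    return [(f"iptables -A INPUT -s {src} -p udp --dport 53 -j DROP", now + ttl)
            for src in sorted(repeaters)]

def expired(rules, now):
    """Return the rule commands whose expiry has passed (to be flushed)."""
    return [cmd for cmd, exp in rules if exp <= now]

def demo():
    """Run the detector over the constructed capture at a fixed time."""
    now = datetime(2006, 1, 13, 19, 17)   # constructed timestamp
    reps = find_repeaters(SAMPLE_CAPTURE)
    rules = block_rules(reps, now)
    return reps, rules, expired(rules, now), expired(rules, now + timedelta(days=3))

if __name__ == "__main__":
    print(demo())
```

The threshold and two-day TTL are arbitrary starting points; a single query per second for one name from a dynamic address is normal, so tune `per_second` against what your own resolver sees.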



More information about the Baylisa mailing list