netsec-sig - [Security-WG] Abnormal External DNS Patterns

List: Internet2 Network Security SIG

  • From: "Garrett, Seth B" <>
  • Subject: [Security-WG] Abnormal External DNS Patterns
  • Date: Mon, 4 Jun 2018 18:10:28 +0000

Has anyone else seen abnormal DNS traffic patterns for UDP/TCP 53 to their external DNS servers?  Request traffic varies from 3 Mbps to 70 Mbps per instance.  That should stand out from what is considered normal port 53 traffic for most organizations/universities.

There appears to be a substantial effort underway to attempt to map DNS zones through legitimate DNS requests (not a DDoS DNS amplification attack).  The majority of the requests are coming from open resolvers as well.

Here are some of the dates that we've seen them.  I'd appreciate it if anyone hosting external DNS locally has time to look through their traffic data to determine if they are seeing similar patterns.  They last about 5 minutes roughly.

6/3
5/30
5/27
5/25
5/22
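For anyone who wants to check their own query logs for the pattern described in the post above (short bursts, many distinct names, many source addresses), here is an added example that is not part of the original message and not Internet2 code. It groups BIND-style query log lines into five-minute windows and flags windows whose query count is far above the log's median and whose queries are almost all for different names, which is the shape ordinary-lookup zone enumeration takes, as opposed to reflection traffic. The log format, the 10x-median and 80%-distinct-name thresholds, the `find_bursts` and `summarize_windows` names and the sample lines are all assumptions made for the example.

```python
"""Flag short, high-fan-out bursts of queries in an authoritative DNS query log.

Added example, not code from the original post or from Internet2. Thresholds,
the sample log lines and the IP ranges below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9 query log layout, e.g.
# 04-Jun-2018 13:10:28.123 client 203.0.113.7#5353 (h0001.example.edu): query: h0001.example.edu IN A -E(0) (192.0.2.53)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)
WINDOW = 300            # seconds; the post reports bursts lasting about five minutes
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def request_bytes(qname):
    """Rough wire size of one UDP query: IPv4 + UDP + DNS header + encoded name + QTYPE/QCLASS + OPT RR."""
    return 20 + 8 + 12 + (len(qname) + 2) + 4 + 11


def summarize_windows(lines):
    """Per-window query count, client and name fan-out, and an estimated request rate in Mbps."""
    acc = defaultdict(lambda: {"queries": 0, "bytes": 0, "clients": set(), "qnames": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname, _qtype = parsed
        bucket = int((ts - EPOCH).total_seconds()) // WINDOW * WINDOW
        w = acc[bucket]
        w["queries"] += 1
        w["bytes"] += request_bytes(qname)
        w["clients"].add(ip)
        w["qnames"].add(qname)
    return {
        EPOCH + timedelta(seconds=b): {
            "queries": w["queries"],
            "clients": len(w["clients"]),
            "distinct_qnames": len(w["qnames"]),
            "qname_ratio": len(w["qnames"]) / w["queries"],
            "mbps": w["bytes"] * 8 / WINDOW / 1e6,
            "client_ips": sorted(w["clients"]),   # compare against an open-resolver list
        }
        for b, w in acc.items()
    }


def find_bursts(lines, rate_multiplier=10.0, min_qname_ratio=0.8):
    """Windows with >= rate_multiplier x the median query count and a high share of distinct names."""
    stats = summarize_windows(lines)
    if not stats:
        return []
    counts = sorted(s["queries"] for s in stats.values())
    median = counts[len(counts) // 2]   # crude baseline; use a longer history in production
    return [
        (start, s) for start, s in sorted(stats.items())
        if s["queries"] >= rate_multiplier * median and s["qname_ratio"] >= min_qname_ratio
    ]


def constructed_log():
    """Constructed sample: two quiet windows of repeat lookups, then a burst of unique names from 50 sources."""
    fmt = "04-Jun-2018 13:{m:02d}:{s:02d}.000 client {ip}#5353 ({q}): query: {q} IN A -E(0) (192.0.2.53)"
    lines = []
    for minute in (0, 5):                               # quiet windows starting 13:00 and 13:05
        for i in range(20):
            lines.append(fmt.format(m=minute, s=i, ip=f"198.51.100.{i % 4 + 1}", q="www.example.edu"))
    for i in range(400):                                # burst window, 13:10 through 13:14
        lines.append(fmt.format(m=10 + i // 80, s=i % 60, ip=f"203.0.113.{i % 50 + 1}",
                                q=f"h{i:04d}.example.edu"))
    return lines


if __name__ == "__main__":
    for start, s in find_bursts(constructed_log()):
        print(f"{start:%Y-%m-%d %H:%M} {s['queries']} queries, {s['clients']} clients, "
              f"{s['distinct_qnames']} distinct names, ~{s['mbps']:.3f} Mbps")
```

The Mbps figure is only an estimate from query sizes, useful for comparing a flagged window against the 3 to 70 Mbps the post cites; flow records from the border are the better source for actual bandwidth. A single-name-heavy burst (the same record hammered from many sources) will not pass the distinct-name test, which is intentional: that pattern points at reflection rather than enumeration.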
