Botnet Queries to MXes against cache
Peter Dambier
peter at peter-dambier.de
Mon Sep 8 19:33:22 UTC 2008
Hi Dan,
Why should they query you?
Do you run a resolver?
If they are querying a wordbook out of your stomach
they might send the answers just as well - trying
to poison your cache.
They are after google and googlemail.
I guess they want to capture your clients' emails or passwords for
their email accounts. Harvesting email accounts for spamming.
Maybe they want to capture their browsers as well - tricking
people to install ratware.
The bot querying need not be the same as the bots sending faked
answers.
Kind regards
Peter
Gushi wrote:
> This isn't a request for help so much as a story for anyone else who's
> seeing similar things:
>
> Okay,
>
> I have logwatch set up on my cobalt raq3.
>
> Logwatch is cool. It emails you everything in the logfiles, you define
> great regular expressions as to what's harmless noise, and keep going
> till it's only the critical stuff that you get.
>
> I just got a mail FULL of the following:
>
> client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN'
> denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN'
> denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN'
> denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1
> Time(s)
> client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN'
> denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX3.GOOGLEMAIL.com/A/IN'
> denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX4.GOOGLEMAIL.com/A/IN'
> denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX5.GOOGLEMAIL.com/A/IN'
> denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1
> Time(s)
> client 123.19.213.68 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied:
> 1 Time(s)
> client 123.19.99.134 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1
> Time(s)
> client 123.19.99.134 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN'
> denied: 1 Time(s)
>
> So after I dig around for a bit (no pun intended), I realize.
>
> What I'm looking at is a whole bunch of terribly broken DNS
> implementations. DNS implementations that bypass a host's DNS entry,
> and directly query ME instead of looking something up directly.
>
> All the domains above are A records (address records) that are pointed
> to by MX (mail exchanger) records. I host sites that use those MXes,
> but I don't host (obviously) googlemail.com.
>
> Okay, so I know why this is happening. It's mostly harmless.
>
> My options:
>
> 1) Tune logwatch so I don't get these.
>
> 2) Tune BIND so it doesn't log these hits.
>
> 3) Use this information to feed a real-time blacklist -- it's fairly
> easy to write the parser but from the looks of it, most of these IPs
> are already on RBLs I use (spamhaus PBL, CBL).
>
> 4) Find a way (as recursive as this sounds) to block queries to my DNS
> server, based on this blacklist. I don't think BIND supports such a
> feature.
>
> Any comments?
>
> -Dan
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
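Dan's option 3 (a parser that turns the logwatch "query (cache) ... denied" lines into a per-client blacklist) and option 4 (feeding that list back to BIND as an ACL) can be sketched in a few lines. The following is an added example written for this page, not code from Dan, Peter or the BIND project; the sample log text is constructed in the same logwatch format as the quoted mail, and the ACL rendering assumes BIND 9 named.conf syntax.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch format quoted in the thread (not the
# original mail's full list). Logwatch wraps long lines, so a record may
# span two lines; the parser re-joins them before matching.
SAMPLE_LOG = """\
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN'
denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1
Time(s)
client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied:
1 Time(s)
client 10.0.0.5 query (cache) 'www.example.net/A/IN' denied: 3 Time(s)
"""

# One denied-query record: client IP, queried name, type and class, count.
RECORD_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) query \(cache\) "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' "
    r"denied: (?P<count>\d+) Time\(s\)"
)


def parse_denied_queries(text):
    """Return (client_ip, qname, qtype, count) tuples from logwatch output.
    Wrapped records are re-joined by collapsing whitespace and splitting
    on the 'client ' prefix that starts every record."""
    joined = " ".join(text.split())
    records = []
    for chunk in re.split(r"(?=client \d)", joined):
        m = RECORD_RE.search(chunk)
        if m:
            records.append((m["ip"], m["name"].lower(),
                            m["rtype"], int(m["count"])))
    return records


def clients_by_volume(records):
    """Total denied queries per client, highest first (ties by IP)."""
    totals = defaultdict(int)
    for ip, _name, _rtype, count in records:
        totals[ip] += count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def render_bind_acl(ips, acl_name="denied_clients"):
    """Emit a named.conf 'acl' block for the given client addresses.
    Assumption: BIND 9 syntax; review the list before referencing the acl
    from 'blackhole' or 'allow-query', since RBL-listed hosts can be NATs."""
    body = "".join(f"    {ip};\n" for ip in sorted(ips))
    return f"acl {acl_name} {{\n{body}}};\n"
```

Counting per client rather than per line keeps the repeated wraps of a single record from inflating the totals.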
More information about the bind-users mailing list