Bind dns amplification attack

Marcus Kool marcus.kool at urlfilterdb.com
Tue Mar 28 11:07:42 UTC 2023


Indeed looks like malware:

https://webcache.googleusercontent.com/search?q=cache:rNjG8Ch0VgYJ:https://the-expanse.net/%40briankrebs%40infosec.exchange/&cd=1&hl=en&ct=clnk&gl=ie

The article mentions:
stanislasarnoud[.]ru
krebson[.]ru
onthestage[.]ru

Marcus


On 28/03/2023 10:12, Ondřej Surý wrote:
> More likely, it’s malware used to do a targeted attack rather than insecure routers.
>
> Also why not both? ;)
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 28. 3. 2023, at 10:44, Borja Marcos <borjam at sarenet.es> wrote:
>>
>> 
>>
>>> On 28 Mar 2023, at 09:33, Nyamkhand Buluukhuu <nyamkhand at mobinet.mn> wrote:
>>>
>>> Hello,
>>>
>>> We are having slowly increasing DNS requests from our customer zones, all asking for mXX.krebson.ru. I think this is a DNS amplification attack.
>>> The source zones/IP addresses are different but are sending the same requests, like below.
>> I wonder, maybe some of your customers have open recursive DNS servers themselves? Some brands of routers
>> are unfortunately easy to misconfigure.
>>
>> I must play whack-a-mole now and then.
>>
>>
>>
>>
>> Borja.
>>
>>
>> -- 
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users