The beginning of this article can be read in Part I and Part II.
Results
In the first week alone my server received 416k requests for 63 domains from 1169 IPs. Over 5 months (3 of which it was open) it received about 46 million requests. Below you can see the graph for the first week.
How fast will my DNS server receive its first recursive query
My DNS server received its first recursive query, from China, only 1 hour 20 minutes after going live (domain: www.google.it). Checking the log files, I found that my server had periodically received such recursive queries before that as well. So attackers periodically scan networks looking for new vulnerable devices.
How fast will it receive inappropriate requests
The first DNS amplification attack was recorded after 1 day (domain: webpanel.sk, 300 requests).
Measure average and maximum QPS under attack
Maximum QPS is limited only by server capacity. The maximum QPS observed during the study was 3080, and all of those queries were amplification queries. At that moment my server was pushing out about 96 Mb/s (3080 queries/s × ~4 KB per response ≈ 96 Mb/s).
The graph below, produced in my analytical system, shows the maximum QPS.
Find victims and infected networks
I’m sure that 99% of the requests were spoofed and used for DrDoS attacks. Some domains (doleta.gov, energystar.gov, ebay.de) were used for attacks and were under attack at the same time. Below you can see details about the attacked countries and cities; the country and city information was extracted from the MaxMind IP GEO database.
In the table below you can find details about the attacked companies. This information was extracted from the Whois service and the RIPE database.
The most interesting rows in the table are “Time Warner Cable Internet LLC”, “Akamai Technologies, Inc.” and “AT&T Internet Services”. The number of requests is relatively small, but the number of distinct IP addresses is very high. This can mean that the networks of these organizations were infected with malware and/or a botnet; because the source addresses are spoofed, it can also simply mean that many addresses in these ranges were the targets.
Country | Company | Requests | Distinct IPs |
United States | SoftLayer Technologies Inc. | 3965202 | 36 |
United States | SingleHop, Inc. | 2617987 | 27 |
United States | PSINet, Inc. | 1994461 | 22 |
France | OVH SAS | 1051080 | 304 |
United Kingdom | Hosting Services Inc | 938367 | 4 |
Germany | 1&1 Internet AG | 761020 | 12 |
United States | PrivateSystems Networks | 748641 | 4 |
Russian Federation | OJSC Rostelecom Ticket 09-39331, RISS 15440, UrF | 687028 | 1 |
United States | Time Warner Cable Internet LLC | 671211 | 1568 |
Canada | OVH Hosting, Inc. | 592920 | 213 |
United States | Akamai Technologies, Inc. | 176327 | 4410 |
China | China Telecom | 51565 | 207 |
United States | AT&T Internet Services | 27502 | 854 |
Find out which domains and queries are used for attacks
Attackers used about 15 different domains, so it is relatively simple to identify and block them. The domains and queries are listed in the table below. Flags use the BIND query-log notation: + or - for recursion desired set or clear, E for EDNS, D for the DNSSEC OK bit, C for checking disabled.
Domain | Query type | Flags | Requests |
webpanel.sk | ANY | +E | 14962032 |
oggr.ru | ANY | +E | 8300693 |
energystar.gov | ANY | +E | 6676350 |
doleta.gov | ANY | +E | 6326853 |
067.cz | ANY | +E | 2463053 |
sema.cz | ANY | +E | 1251206 |
GUESSINFOSYS.COM | ANY | +E | 690320 |
jerusalem.netfirms.com | ANY | +E | 587534 |
paypal.de | ANY | +E | 454756 |
nlhosting.nl | ANY | +E | 414113 |
freeinfosys.com | ANY | +E | 352233 |
krasti.us | ANY | +E | 333806 |
doc.gov | ANY | +E | 259248 |
svist21.cz | ANY | +E | 231946 |
wradish.com | ANY | +E | 117294 |
Try to identify the types of attacks
During the study I identified DrDoS, random subdomain (phantom domain) attacks, NXDOMAIN attacks and protocol anomalies. The graph below clearly shows an amplification attack: the blue line is incoming traffic and the yellow line is outgoing traffic.
For DrDoS attacks an “ANY” query with EDNS was used: the large EDNS UDP buffer lets the whole ANY response travel in a single UDP packet, which is what makes the amplification work. Below you can see details about the query types and flags used.
Query type | Flags | Requests |
ANY | +E | 43500439 |
A | -ED | 17339 |
ANY | + | 11932 |
A | – | 9853 |
A | -EDC | 8956 |
AAAA | -EDC | 4749 |
AAAA | -ED | 4467 |
ANY | – | 2289 |
A | +E | 1899 |
RRSIG | +E | 1124 |
The following queries are related to the random subdomain attack (against the caching server) and the NXDOMAIN attack against the authoritative servers of energystar.gov and doleta.gov:
- energystar.gov;
- doleta.gov;
- webpanel.sk;
- cnklipaaaaesh0000claaabbaaabfgoa;
- 2d852aba-7d5f-11e4-b763-d89d67232680.ipvm.biz.
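The query type/flags profile, the ANY +E domain list and the random-subdomain zones above can all be produced from a plain BIND query log. The script below is an added example written for this post, not the author’s analytical system: it parses BIND 9 query-log lines (the sample lines are constructed, with documentation addresses and a handful of the domains from the tables), builds the query type/flags profile, lists the domains hit with ANY over EDNS, turns a peak QPS into the outbound-bandwidth estimate used earlier, flags zones receiving bursts of distinct high-entropy subdomain labels, and writes the abused domains out as an RPZ zone of the kind a DNS firewall consumes. The thresholds (min_unique, min_entropy) and the zone origin rpz.local. are assumptions.

```python
"""Offline analysis of BIND-style DNS query-log lines.

Added example for this post; it is not the author's analytical system.
The log lines are constructed; all names and addresses are documentation
values, not recorded attack traffic.
"""
import math
import re
from collections import Counter, defaultdict

# BIND 9 "queries" category line.  Flags: +/- recursion desired set/clear,
# E = EDNS present, D = DNSSEC OK (DO) bit, C = checking disabled, T = TCP.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\dA-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: 10 spoofed-source ANY +E queries (the DrDoS pattern),
# a 4-label random-subdomain burst against doleta.gov, and 3 ordinary queries.
_SAMPLE_QUERIES = (
    [("203.0.113.5", "webpanel.sk", "ANY", "+E")] * 6
    + [("203.0.113.6", "oggr.ru", "ANY", "+E")] * 4
    + [("192.0.2.10", f"{label}.doleta.gov", "A", "-ED")
       for label in ("k3x9q1mz7b0w", "p2h8v5n4c6ya", "t7r1e0s3d9fu", "w6g4j2l8m5oi")]
    + [("192.0.2.11", "www.google.it", "A", "+"),
       ("192.0.2.11", "mail.google.it", "AAAA", "+E"),
       ("192.0.2.12", "www.google.it", "A", "+")]
)
SAMPLE_LOG = "\n".join(
    f"10-Dec-2014 12:00:{i % 60:02d}.000 client {src}#{40000 + i} ({qname}): "
    f"query: {qname} IN {qtype} {flags} (198.51.100.1)"
    for i, (src, qname, qtype, flags) in enumerate(_SAMPLE_QUERIES)
)


def parse_log(text):
    """Return one dict (src, qname, qtype, flags) per parseable line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def query_profile(records):
    """Counter keyed by (qtype, flags): the 'Query type | Flags | Requests' table."""
    return Counter((r["qtype"], r["flags"]) for r in records)


def amplification_domains(records, min_requests=1):
    """Domains queried with ANY over EDNS, most abused first."""
    hits = Counter(r["qname"] for r in records
                   if r["qtype"] == "ANY" and "E" in r["flags"])
    return [(d, n) for d, n in hits.most_common() if n >= min_requests]


def estimated_egress_mbps(qps, response_bytes):
    """Outbound bandwidth the reflector emits at a given QPS (decimal Mb/s)."""
    return qps * response_bytes * 8 / 1_000_000


def label_entropy(label):
    """Shannon entropy (bits/char) of one DNS label; random labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def random_subdomain_suspects(records, min_unique=3, min_entropy=3.0):
    """Zones (last two labels) receiving many distinct, high-entropy leftmost labels."""
    labels = defaultdict(set)
    for r in records:
        parts = r["qname"].split(".")
        if len(parts) > 2:          # a bare 2-label zone has no subdomain to randomise
            labels[".".join(parts[-2:])].add(parts[0])
    suspects = []
    for zone, seen in labels.items():
        if len(seen) >= min_unique:
            mean_h = sum(label_entropy(lab) for lab in seen) / len(seen)
            if mean_h >= min_entropy:
                suspects.append((zone, len(seen), round(mean_h, 2)))
    return sorted(suspects)


def rpz_zone(domains, origin="rpz.local."):
    """Minimal RPZ zone that returns NXDOMAIN (CNAME .) for each abused domain."""
    lines = [f"$ORIGIN {origin}",
             "@ 3600 IN SOA localhost. root.localhost. 1 3600 900 604800 3600",
             "@ 3600 IN NS localhost."]
    lines += [f"{d} CNAME ." for d in domains]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (qtype, flags), n in query_profile(recs).most_common():
        print(f"{qtype:5} {flags:5} {n}")
    abused = amplification_domains(recs, min_requests=4)
    print("ANY +E domains:", abused)
    print(f"3080 q/s of 4 KB answers ~ {estimated_egress_mbps(3080, 4096):.1f} Mb/s")
    print("random-subdomain zones:", random_subdomain_suspects(recs))
    print(rpz_zone([d for d, _ in abused]))
```

The entropy threshold is deliberately simple: labels like www or mail score well under 3 bits per character, while machine-generated labels of a dozen distinct characters score above 3.5, so a zone that suddenly collects many such labels stands out even before NXDOMAIN rates are looked at. The bandwidth figure comes out slightly above the 96 Mb/s quoted earlier because it uses decimal megabits rather than binary units.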
How long will my server be used after I turn off the open resolver
After I turned off the open resolver, it kept receiving inappropriate requests for the next 1.5 months.
Conclusions:
- Any DNS server is a useful tool for analyzing user and malware behavior.
- Permanent or periodic analysis of DNS logs can improve the quality of the DNS service.
- A large number of «ANY +E» requests shows that your server is under attack or is participating in an attack.
- Only a small number of domains is used for attacks. You can block them with blacklists or a DNS firewall (RPZ) and reduce the load on the DNS servers and on the network.
At the end of this post I want to share my short video about DNS attacks. Have fun!