Lately, DNS amplification DDoS attacks have drawn a lot of attention, especially since CloudFlare dedicated several blog posts to them (here and here) and the StopHaus movement almost broke the internet with it.
DNS Amplification Attacks
DNS amplification attacks work by sending a spoofed UDP packet to a recursive DNS resolver. The DNS server answers the request by replying to the sender of the packet. Because the sender address is spoofed, the reply goes to that address, which makes it the target of the attack. What makes this attack unique is that the UDP packet sent is small, while the packet returned by the DNS server is large. This amplifies the network traffic eventually sent to the target, in the hope that it cannot handle such an amount and stops responding.
One of the benefits of this attack, from the attacker's side, is that its origin is very hard to trace. DDoS attacks often use botnets, but in this attack even the bots the traffic is coming from can be masked.
Statistics
To get some more insight into this kind of DDoS attack, I decided to collect as much data as possible to get a good collection of statistics. In one month I collected 1,244,584 attacks and extracted their details.
Below are the different records I've witnessed:
isc.org in any +ed                                   1158923
. in any +e                                          39651
version.bind ch txt +                                405
ripe.net in any +e                                   125
directedat.asia in any +e                            55
. in type256 +e                                      50
169a41e5.openresolverproject.org in a +              11
www.google.com in a +                                10
dnsscan.shadowserver.org in a +                      6
nukes.directedat.asia in a +e                        6
isc.org in any +                                     5
amazon.com in a +                                    5
directedat.asia in a +e                              4
isc.org in any +e                                    4
google.com in a +ed                                  3
mydnsscan.us in any +e                               3
ripe.net in any +                                    3
. in any +                                           2
nukes.directedat.asia in any +e                      2
ddostheinter.net in a +e                             2
ya.ru in a +                                         2
ddostheinter.net in any +e                           2
directedat.asia in a +                               2
nasa.gov in any +                                    2
77bytelee.co.uk in txt +e                            1
a1607665836p49394i23167.d2013052812000114314.t6014   1
google.com in a +e                                   1
ripe.net in any +ed                                  1
google.com in a +                                    1
www.ru in a +                                        1
Obviously "isc.org in any +ed" is by far the most used record; not much creativity there. By sending a very small "dig ANY isc.org @dns-host" query, you get a big response of 3433 bytes going directly to the target:
root@ubuntu:~# dig ANY isc.org @8.8.8.8
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.1-P1 <<>> ANY isc.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; QUESTION SECTION:
;isc.org. IN ANY
;; ANSWER SECTION:
isc.org. 7200 IN RRSIG SPF 5 2 7200 20130719232951 20130619232951 50012 isc.org. Q8n5F9ZucnRaYw762EghVeq9NLLFN4tuAvJZTue/spQJUnRKcM5WuwR4 F8FuEh55EbIs5YxnrG2LbDmEJDOBh0aER+lE6Ts8TdCyZoTVylSf0kmr tmzf0r80Q5xBOdPMfsSARNxWrFDQr03r69IU0Lsp4EbneiM6wIiI7oyJ bz0=
isc.org. 7200 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 3600 IN RRSIG NSEC 5 2 3600 20130719232951 20130619232951 50012 isc.org.
...
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 23 23:56:27 2013
;; MSG SIZE rcvd: 3433
pastebin: http://pastebin.com/mWQXYNQB
A list of targeted hosts can be found here.
Who's behind this?
But as we look closer, several domains are of more interest; the names of these five especially draw attention:
directedat.asia: http://pastebin.com/wxF2EQq9
nukes.directedat.asia: http://pastebin.com/m6x6RMAU 8235 bytes
ddostheinter.net: -
mydnsscan.us: http://pastebin.com/mSTL4tZG 20714 bytes
dd0s.asia: http://pastebin.com/Jcxrq8wQ 2538 bytes
As can be spotted pretty quickly, the size and content of mydnsscan.us in particular clearly point to malicious purposes.
If we look at the name servers used we'll see the following:
mydnsscan.us
ns1.mydnsscan.us -
ns2.mydnsscan.us 188.122.91.99
ns3.mydnsscan.us 188.122.91.99
ns4.mydnsscan.us -
ns1.directedat.asia 74.91.18.226
ns2.directedat.asia 74.91.18.226
directedat.asia
ns1.directedat.asia 74.91.18.226
ns2.directedat.asia 74.91.18.226
dd0s.asia
ns1.dd0s.asia 74.91.18.226
ns2.dd0s.asia 74.91.18.226
These 3 domains have one corresponding IP address which links them together.
IP address 188.122.91.99 is of particular interest as it runs an fbi.gov IRC server, w00t w00t!
Turns out the guy behind this operation is 16-year-old ------ ----. Here's his facebook[removed], skype: [removed], another skype: [removed], hackforums[removed], leakforums[removed] and last but not least, his YouTube account[removed].
******, as his preferred nickname is, is a greatly talented guy who's very curious and interested in technology. Sadly, at this stage of his life he's focused on making money the wrong way. That's probably why he runs many booter and stress services with, according to his own records, 10Gbps capacity. Some examples are: Galaxy booter, Private booter, Versatile booter, apidown.com, var-dev.com, Dos Boss' DDoS service, Ethernal Booter and many more. According to some of his posts on hackforums he also owns a 4k botnet[removed].
Well ------, as I've done previously with a guy that owned a bitcoin mining botnet, you can contact me and I will remove all of your contact details. You sure know how to reach me.
ps. I'm setting up a website which shows ongoing attacks in real time. Anyone willing to voluntarily contribute can contact me. Shoutout to @DnsSmurf who's doing similar things.
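A resolver operator can produce the same kind of per-record tally as the statistics above from their own query log, and the log also shows who is being hit, because the spoofed source address of each query is the victim. The following is an added example, not code from this post: it assumes BIND 9 style query-log lines, uses constructed sample lines with documentation addresses, and the function names and threshold are hypothetical.

```python
import re
from collections import Counter, defaultdict

# BIND 9 style query-log line (assumed format; the post only shows the
# "name class type flags" part of each record, e.g. "isc.org in any +ed").
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+[^:]*: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

def parse(line):
    """Return the fields of one query-log line, or None if it is not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["record"] = "{name} {cls} {qtype} {flags}".format(**rec).lower()
    return rec

def tally_records(lines):
    """Count records in the same form as the table in the post."""
    return Counter(r["record"] for r in map(parse, lines) if r)

def reflection_targets(lines, min_hits=3, qtypes=("ANY",)):
    """Map each likely victim address to the names queried in its name.

    A query counts when it asks for an amplifying type over UDP with EDNS
    (flag E) set; flag T marks TCP, where the source cannot be spoofed as
    easily, so those are skipped. The logged "client" is the spoofed source.
    """
    hits = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        flags = rec["flags"]
        if rec["qtype"].upper() in qtypes and "E" in flags and "T" not in flags:
            hits[rec["src"]][rec["name"].lower()] += 1
    return {s: n for s, n in hits.items() if sum(n.values()) >= min_hits}

# Constructed sample lines (RFC 5737 addresses), not captured data.
SAMPLE = """\
23-Jun-2013 23:56:01.101 client 198.51.100.7#4321: query: isc.org IN ANY +ED (192.0.2.53)
23-Jun-2013 23:56:01.102 client 198.51.100.7#4322: query: isc.org IN ANY +ED (192.0.2.53)
23-Jun-2013 23:56:01.103 client 198.51.100.7#4323: query: isc.org IN ANY +ED (192.0.2.53)
23-Jun-2013 23:56:01.200 client 198.51.100.7#4324: query: . IN ANY +E (192.0.2.53)
23-Jun-2013 23:56:02.000 client 192.0.2.10#53000: query: www.google.com IN A + (192.0.2.53)
23-Jun-2013 23:56:02.500 client 203.0.113.9#40000: query: isc.org IN ANY +ET (192.0.2.53)
""".splitlines()

if __name__ == "__main__":
    for record, count in tally_records(SAMPLE).most_common():
        print(f"{record:28} {count}")
    for victim, names in reflection_targets(SAMPLE).items():
        print("likely target:", victim, dict(names))
```

Addresses returned by `reflection_targets` are candidates for notification or for response rate limiting on the resolver, not senders to block as attackers.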
Could you please add me on skype or contact me with my email:
d12dnt901@Safe-mail.net
skype: jenny.dematteo
This is just sad, hiding behind 7 proxies is just child's play, and hackforums is filled with a bunch of skids. Leakforums is the only site you actually got right.
^^^ agreed
You don't get a big response using UDP, which is what a DNS resolver or stub resolver does first. You get a tiny response, which is actually smaller than the question itself, and that says "please try again using TCP"
Your dig command clearly shows that dig retried using TCP.
This makes a big difference. TCP is much harder to spoof than UDP. Because of this, TCP is not used for DDoS attacks using DNS amplification. And this is how rate-limitation has been implemented in modern DNS servers. This mitigates amplification while not breaking legitimate clients.
Most DNS resolvers will not send a reply using UDP that is larger than 4096 bytes. Google intentionally reduced this limit down to 512 bytes. While scanning a large number of open resolvers, I could only find one service (that fixed this vulnerability since) accepting to send responses up to 16384 bytes (!) over UDP. Maybe these large records were specially crafted to abuse this service, as they were pretty much useless everywhere else.
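The limits in the comment above can be put next to the answer sizes quoted in the post. The following is an added example, not from the post or the commenter: it estimates the UDP amplification factor for each record under a 512, 4096 and 16384 byte resolver limit. It assumes the client advertises a 65535-byte EDNS buffer so that the resolver's own cap decides, and it models a truncated reply as being the size of the query; the function names are hypothetical.

```python
HEADER = 12   # fixed DNS header, RFC 1035
OPT_RR = 11   # empty EDNS0 OPT record, RFC 6891

def query_size(name, edns=True):
    """Size in bytes of a one-question DNS query for `name`."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = sum(1 + len(l) for l in labels) + 1   # length-prefixed labels + root
    return HEADER + qname + 4 + (OPT_RR if edns else 0)   # +4: QTYPE, QCLASS

def udp_reply_size(name, full_answer, client_bufsize, server_max_udp):
    """Bytes the resolver sends back over UDP.

    client_bufsize=None means no EDNS, so the classic 512-byte limit applies.
    An answer that does not fit is replaced by a truncated (TC) reply, which
    is modelled here as the size of the query (assumption of this example).
    """
    edns = client_bufsize is not None
    limit = min(client_bufsize if edns else 512, server_max_udp)
    if full_answer <= limit:
        return full_answer
    return query_size(name, edns)

def amplification(name, full_answer, client_bufsize=65535, server_max_udp=4096):
    """Reply bytes divided by query bytes, rounded to one decimal."""
    reply = udp_reply_size(name, full_answer, client_bufsize, server_max_udp)
    return round(reply / query_size(name, client_bufsize is not None), 1)

# Full answer sizes in bytes as quoted in the post.
ANSWER_SIZES = {
    "isc.org": 3433,
    "nukes.directedat.asia": 8235,
    "mydnsscan.us": 20714,
    "dd0s.asia": 2538,
}
# UDP response limits named in the comment.
RESOLVER_LIMITS = (512, 4096, 16384)

def exposure_table():
    """Amplification factor per record and per resolver UDP limit."""
    return {
        name: {lim: amplification(name, size, 65535, lim) for lim in RESOLVER_LIMITS}
        for name, size in ANSWER_SIZES.items()
    }

if __name__ == "__main__":
    for name, row in exposure_table().items():
        print(f"{name:24}", "  ".join(f"{lim}: x{f}" for lim, f in row.items()))
```

Under these assumptions only answers that fit inside the resolver's UDP limit amplify at all, which is why lowering that limit or enabling response rate limiting removes most of the gain.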