[SANS ISC] Unsolicited DNS Queries, (Sat, Jul 31st)

This week I started seeing more DNS related activity being identified by Threatintel and that got me curious. While reviewing my logs, I noticed that Wednesday and Thursday had an unusual spike for many inbound unsolicited DNS queries for the domain census.gov.

Wednesday and Thursday, in a period of 24 hours, a total of 1606 queries was received for domain census.gov. The two IPs 37.49.230.173 (1335 requests) was the first set of inbound DNS queries followed by IP 162.253.128.82 (271 requests). IP 162.253.128.82 also sent 272 requests for domain pizzaseo.com yesterday. DNS amplification attack?

There used to be a time when seeing unsolicited queries to identify vulnerable DNS Bind version was very common. A review of my logs for the month of July contained many other domains including various combination of VERSION.BIND (upper/lower case). This is the top 15 DNS questions asked for this month with the top Threatintel associated with the IPs asking the query:

Indicators – Top 10 IPs

37.49.230.173 -> census.gov, sl
162.253.128.82 -> census.gov, pizzaseo.com, sl
185.53.90.85 -> VERSION.BIND, sl
122.5.207.27
45.61.185.201
37.49.229.228
88.80.186.137
207.244.251.235
209.141.59.224
89.248.165.164

Have you noticed an increase in unsolicited DNS queries?

[1] https://www.abuseipdb.com/check/37.49.230.173
[2] https://www.abuseipdb.com/check/162.253.128.82
[3] https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
[4] https://us-cert.cisa.gov/ncas/alerts/TA13-088A

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[ZDNet] Atom Silo ransomware operators target vulnerable Confluence servers

All posts, ZDNet

A weaponized exploit used by the cybercriminals was only disclosed in August. Source: Read More (Latest topics for ZDNet in Security)

Read More

Daily NCSC-FI news followup 2021-05-08

Largest U.S. pipeline shuts down operations after ransomware attack www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/ Colonial Pipeline, the largest fuel pipeline in the United States, has shut down operations after suffering what is reported to be a ransomware attack. Colonial Pipeline transports refined petroleum products between refineries located in the Gulf Coast and markets throughout the southern and eastern United […]

Read More

Daily NCSC-FI news followup 2020-07-14

Microsoft July 2020 Patch Tuesday: 123 vulnerabilities, 18 Critical! www.bleepingcomputer.com/news/microsoft/microsoft-july-2020-patch-tuesday-123-vulnerabilities-18-critical/ This Patch Tuesday is the second-largest update ever, with the largest one being issued in June 2020 with 129 fixes. 17-Year-Old Critical ‘Wormable’ RCE Vulnerability Impacts Windows DNS Servers thehackernews.com/2020/07/windows-dns-server-hacking.html Microsoft patched today a new highly critical “wormable” vulnerability – – carrying a severity score […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.