Suspicious DNS Probing Operation Amplified
June 6, 2024, 8:07 a.m.
Description
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify open DNS resolvers and measure their responses. The probe domains use selective wildcard responses, returning random IP addresses that inadvertently trigger amplification by Palo Alto's Cortex Xpanse product and pollute passive DNS data sources. This amplification hinders analysis of malicious activity and imposes resource burdens on networks worldwide.
Date
Published: June 6, 2024, 7:41 a.m.
Created: June 6, 2024, 7:41 a.m.
Modified: June 6, 2024, 8:07 a.m.
Indicators
https://research.openresolve.rs/
test.l.secshow.net
research.openresolve.rs
query-maxttl.l-httl.secshow.net
main.research.openresolve.rs
202404111-40-query-timeout.l-time.secshow.net
f.sechow.online
bailiwick.secshow.net
202404111-40-ans-timeout.l-time.secshow.net
victim.fit
secdns.site
savme.xyz
nameserver.fit
prey.fit
bai1du.com
attacker.fit
afusdnfysbsf.com
Attack Patterns
Secshow
T1584.002
T1584.003
T1583.002
T1584.004
T1584.001
T1583.001
T1583.004
T1583.003