been posting some very interesting work recently. The most recent post
presents a cursory overview of the last 30 days of DNS attack activity.
Thank you to the people over at Arbor Networks for sharing this kind of data with the community! Hard data is hard enough to come by, and as long as we keep in mind that this sample originates from a product vendor's sensor network, it is better than having no information at all. Very informative and worth the read.
When analyzing single packet DNS version queries (i.e., in order to generate lists of vulnerable or immune servers) targeting ATLAS sensor IPs (millions of unique IPv4 addresses distributed globally) we saw a 49.8% increase in the past 30 days over the prior 30 days. While UDP/53 traffic doesn't represent a considerable amount of the total activity observed by our darknet sensors, the version queries themselves represent ~87% of all UDP/53 traffic we receive on our ATLAS sensors. These queries are targeting IPs that have no valid resolvers or authoritative DNS servers, or legitimate hosts, for that matter, so it's either misconfigured or malicious traffic, and most likely the latter. While much of this "malicious" traffic is likely vulnerable DNS server "census" queries from research types, a good bit of it is likely attributed to miscreant reconnaissance as well.
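The "version queries" in the quoted excerpt are conventionally CHAOS-class TXT queries for version.bind (or version.server), the names BIND and other resolvers answer with their software version string. Below is an added detection example, not code from Arbor's post or from this blog: it parses the question section of a raw UDP/53 payload such as a darknet sensor would capture, flags packets that match that version-probe pattern, and tallies them against everything else. The sample packets are constructed inline for the example; the set of probed names is an assumption and can be extended.

```python
import struct
from dataclasses import dataclass

QTYPE_TXT = 16
QCLASS_CHAOS = 3
# Names conventionally queried in class CHAOS to elicit a server's version
# string. This set is an assumption of the example; add others as needed.
VERSION_QNAMES = {"version.bind", "version.server"}


@dataclass
class DnsQuestion:
    txid: int
    qname: str
    qtype: int
    qclass: int


def parse_name(data: bytes, offset: int):
    """Decode an uncompressed DNS name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never appear in the question of a query.
            raise ValueError("compression pointer in question name")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels).lower(), offset


def parse_question(packet: bytes) -> DnsQuestion:
    """Parse the header and single question of a DNS query; raise on malformed input."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    qname, offset = parse_name(packet, 12)
    if len(packet) < offset + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return DnsQuestion(txid, qname, qtype, qclass)


def is_version_probe(packet: bytes) -> bool:
    """True when the packet is a CHAOS TXT query for a known version name."""
    try:
        q = parse_question(packet)
    except ValueError:
        # Malformed or non-query payloads are simply "not a version probe".
        return False
    return q.qclass == QCLASS_CHAOS and q.qtype == QTYPE_TXT and q.qname in VERSION_QNAMES


def classify_udp53(packets):
    """Return (version_probes, other) counts for a batch of UDP/53 payloads."""
    probes = sum(1 for p in packets if is_version_probe(p))
    return probes, len(packets) - probes


# Constructed sample payloads: a 12-byte header (ID, flags=RD, QDCOUNT=1)
# followed by one question.
_HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
VERSION_BIND_QUERY = _HDR + b"\x07version\x04bind\x00" + b"\x00\x10\x00\x03"
VERSION_SERVER_QUERY = _HDR + b"\x07version\x06server\x00" + b"\x00\x10\x00\x03"
A_QUERY = _HDR + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
TRUNCATED_QUERY = VERSION_BIND_QUERY[:20]
SAMPLE_PACKETS = [VERSION_BIND_QUERY, A_QUERY, VERSION_SERVER_QUERY, TRUNCATED_QUERY]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(is_version_probe(pkt), pkt.hex())
    probes, other = classify_udp53(SAMPLE_PACKETS)
    print(f"version probes: {probes}, other UDP/53: {other}")
```

On a sensor address that hosts no resolver, every packet this flags is unsolicited, so the ratio it produces is the same kind of figure the excerpt reports. On production name servers the defensive counterpart is to stop answering these queries with a real version string (BIND, for example, lets the `version` option in `options {}` override it), which removes the information a census of "vulnerable" servers depends on.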