30 Days of DNS Attack Activity
When we analyzed single-packet DNS version queries (the kind used to build lists of vulnerable or immune servers) targeting ATLAS sensor IPs (millions of unique IPv4 addresses distributed globally), we saw a 49.8% increase over the past 30 days compared with the prior 30 days. UDP/53 traffic does not make up a considerable share of the total activity our darknet sensors observe, but the version queries themselves account for ~87% of all UDP/53 traffic we receive on our ATLAS sensors. These queries target IPs that host no valid resolvers or authoritative DNS servers, or any legitimate hosts for that matter, so the traffic is either misconfigured or malicious, and most likely the latter. Much of this “malicious” traffic is probably vulnerable-DNS-server “census” scanning from research types, but a good bit of it is likely attributable to miscreant reconnaissance as well. While I don’t intend to share details of the source ASNs or IPs here, with such data you can pretty easily distinguish legitimate research efforts from potentially malicious activity.
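As an added example (not code from the original post or from ATLAS), the following Python detector parses raw UDP/53 payloads, flags the classic server-fingerprinting query, and reports what share of a sensor's DNS traffic such probes make up. It assumes the probes are the standard version.bind / CHAOS / TXT query (the post does not show packet contents), and the sample payloads are constructed here so the code runs offline.

```python
import struct

QTYPE_TXT, QCLASS_CH = 16, 3

def build_query(qname: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal one-question DNS query in wire format (used only to build test input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, qclass)

def parse_question(payload: bytes):
    """Return (qname, qtype, qclass) of the first question, or None if malformed or a response."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack(">HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set (a response) or no question section
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None                # name runs off the end of the packet
        n = payload[pos]
        pos += 1
        if n == 0:
            break                      # root label terminates the name
        if n & 0xC0:
            return None                # compression pointer in a question name: treat as junk
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None                    # QTYPE/QCLASS missing
    qtype, qclass = struct.unpack(">HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass

def is_version_probe(payload: bytes) -> bool:
    """True for a version.bind TXT query in the CHAOS class (name match is case-insensitive)."""
    q = parse_question(payload)
    return q is not None and q == ("version.bind", QTYPE_TXT, QCLASS_CH)

def version_probe_share(payloads) -> float:
    """Fraction of UDP/53 payloads that are version probes (0.0 for an empty sample)."""
    payloads = list(payloads)
    return sum(is_version_probe(p) for p in payloads) / len(payloads) if payloads else 0.0

# Constructed sample (not real sensor data): 7 probes mixed with ordinary and broken packets.
SAMPLE = [build_query("version.bind", QTYPE_TXT, QCLASS_CH)] * 7 + [
    build_query("example.com", 1, 1),        # ordinary A lookup
    build_query("VERSION.BIND", QTYPE_TXT, 1),  # right name, IN class: not the probe
    b"\x12\x34\x01\x00\x00\x01",              # truncated header: parser must not crash
]

if __name__ == "__main__":
    print(f"version probes: {version_probe_share(SAMPLE):.0%} of sampled UDP/53 payloads")
```

Feeding the function real payloads captured on a darknet sensor gives the same ratio the post reports as ~87%; the constructed sample yields 70%.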