DNS Amplification Attack Against Scalable DNS

This morning I noticed a large number of the following DNS queries:

Source: 23.245.180.16
Query: sunrisecx.com
Type: A

These queries were arriving at a constant rate of 5000 per minute (83.33 per second). The source IP did not vary. I looked up the indicated source IP. The IP is assigned to Enzu Inc. The IP reverse lookup indicates that the IP resolves to rdns.scalabledns.com. Attempts to reach Scalable DNS reached a Web site that indicated “Updates coming shortly.”

This is clearly an attack directed against Scalable DNS. The attack was “primed” or tested at 6:57 PM CDT on Saturday, March 28th and began full force at 7:43 PM CDT. The attack is ongoing at the time of this post. If you run an open DNS service, you should drop or rate limit A and ANY queries for sunrisecx.com.
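One way to apply the rate-limit advice above, shown as an added example that is not part of the original post: a token bucket keyed on source IP and query name, replayed over a constructed log at the post's rate of one query every 12 ms. The budget (2 queries per second, burst of 5), the log line format and the names `QueryLimiter`, `replay` and `constructed_log` are assumptions.

```python
# Assumed policy (values are not from the post): what to limit and the budget.
LIMITED_NAMES = {"sunrisecx.com"}
LIMITED_TYPES = {"A", "ANY"}
RATE_PER_SEC = 2.0   # sustained queries per second per (source, name)
BURST = 5.0          # bucket capacity


class QueryLimiter:
    """Token bucket per (source IP, qname); A and ANY share one bucket."""
    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}   # key -> (tokens, time of last query)
        self.dropped = {}   # key -> count of dropped queries

    def allow(self, now, src, qname, qtype):
        qname = qname.rstrip(".").lower()   # DNS names are case-insensitive
        if qname not in LIMITED_NAMES or qtype.upper() not in LIMITED_TYPES:
            return True                     # policy does not apply
        key = (src, qname)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        self.dropped[key] = self.dropped.get(key, 0) + 1
        return False


def replay(log_lines, limiter):
    """Feed 'seconds src qname qtype' lines through the limiter; count answers."""
    allowed = 0
    for line in log_lines:
        ts, src, qname, qtype = line.split()
        allowed += limiter.allow(float(ts), src, qname, qtype)
    return allowed


def constructed_log():
    # Constructed sample: 84 queries 12 ms apart (5000 per minute) from the
    # post's source IP, plus one unrelated query the policy must not touch.
    lines = [f"{i * 0.012:.3f} 23.245.180.16 sunrisecx.com A" for i in range(84)]
    lines.append("0.500 192.0.2.10 example.org A")
    return lines


if __name__ == "__main__":
    limiter = QueryLimiter()
    print(replay(constructed_log(), limiter), "answered,", limiter.dropped)
```

On the constructed log, 6 of the 84 flood queries are answered and 78 are dropped, while the unrelated query passes untouched.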

DNS Attack Timeline

The image above shows the timeline of the attack.
