I don’t normally report on every DNS anomaly that I see, but today I noticed that we are seeing massive amounts of DNS traffic directed at 220.127.116.11. More information regarding this IP address can be found here. I noticed this attack initially earlier today while doing some routine Wireshark analysis. I noted a large number of DNS queries seemingly originating from 18.104.22.168 requesting ANY information for outmail.zyngamail.com. These queries initially were coming in at about 20-30 per minute. After several hours, these queries ramped up to more than 1000 per minute against a single DNS server. In this case, the source IP address is forged and is actually the IP address of the target victim.
We have rules in place that limit inbound DNS traffic and therefore were not really impacted by the traffic increase. Here is a snapshot of an hour’s worth of traffic indicating the number of DNS requests per minute over that time frame.
If you noticed any Internet issues today, it was likely due to slower DNS resolution caused by the massive number of DNS requests generated by this attack. If you run any sort of DNS cache server, you should drop all ANY queries for outmail.zyngamail.com. As of 11:25 PM GMT, this attack is still in full swing.
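As an added example (not code from the original post), here is a small Python check that does what the analysis above describes: it buckets ANY queries per name and per minute from BIND-style query-log lines and reports the dominant source address, which in a reflection attack like this one is the spoofed victim rather than the real sender. The log line format, timestamps and IP addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style querylog line used by this example:
# "14-Apr-2012 22:10:01.123 client 192.0.2.10#53211: query: outmail.zyngamail.com IN ANY + (198.51.100.5)"
QUERY_RE = re.compile(
    r"^(?P<minute>\S+ \d{2}:\d{2}):\d{2}\.\d+ client (?P<src>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def any_query_rate(lines):
    """Count ANY queries per (qname, minute) and remember who sent them.

    Returns {(qname, minute): Counter(source_ip -> count)}.
    """
    buckets = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or m.group("qtype") != "ANY":
            continue  # only ANY queries matter for this check
        buckets[(m.group("qname"), m.group("minute"))][m.group("src")] += 1
    return buckets

def flag_floods(lines, per_minute=100):
    """Return [(qname, minute, count, dominant_source)] for every bucket
    at or above the per-minute threshold. In a reflection attack the
    dominant source is the forged address, i.e. the victim."""
    alerts = []
    for (qname, minute), sources in sorted(any_query_rate(lines).items()):
        total = sum(sources.values())
        if total >= per_minute:
            src, _ = sources.most_common(1)[0]
            alerts.append((qname, minute, total, src))
    return alerts

# Constructed sample: a few benign A lookups, then a burst of 120 ANY
# queries within one minute, all carrying the same (spoofed) source.
SAMPLE_LOG = [
    f"14-Apr-2012 22:10:{s:02d}.000 client 192.0.2.{s}#5300{s}: query: example.net IN A + (198.51.100.5)"
    for s in range(5)
] + [
    f"14-Apr-2012 22:11:{i % 60:02d}.{i:03d} client 203.0.113.7#{40000 + i}: query: outmail.zyngamail.com IN ANY + (198.51.100.5)"
    for i in range(120)
]

if __name__ == "__main__":
    for qname, minute, count, src in flag_floods(SAMPLE_LOG):
        print(f"{minute} {qname}: {count} ANY queries/min, mostly from {src} (likely the spoofed victim)")
```

Lower the threshold toward the 20-30 per minute seen at the start of this incident to catch the ramp-up early; the 1000 per minute peak would be flagged at any sensible setting.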