Massive DNS Amplification Attack Directed at Delta-Bank Ukraine

I don’t normally report on every DNS anomaly that I see, but today I noticed that we are seeing massive amounts of DNS traffic directed at 193.47.85.126. More information regarding this IP address can be found here. I noticed this attack initially earlier today while doing some routine Wireshark analysis. I noted a large number of DNS queries seemingly originating from 193.47.85.126, each requesting ANY records for outmail.zyngamail.com. These queries initially were coming in at about 20-30 per minute. After several hours, they ramped up to more than 1000 per minute against a single DNS server. In this case the source IP address is forged: the queries are not really coming from 193.47.85.126; that is the address of the target victim, and every answer our server sends goes there. ANY is the query type of choice for this because the response (every record at the name) is many times larger than the query, so each server that answers multiplies the attacker’s bandwidth on its way to the victim.

We have rules in place that limit inbound DNS traffic and therefore were not really impacted by the traffic increase. Here is a snapshot of an hour’s worth of traffic indicating the number of DNS requests per minute over that time frame.
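To show what the ramp described above looks like when pulled out of a resolver’s own query log, here is an added Python example; it is not code from the original post. It parses lines modelled on BIND’s query-log line format (the sample log is constructed, and the per-minute ramp values, source ports and the 10.0.0.0/8 “ordinary” clients are assumptions), tabulates total queries per minute, and flags every (source, name) pair whose ANY rate crosses a threshold. Note that the flagged “source” is the spoofed victim, not the attacker.

```python
import re
from collections import Counter

# Constructed sample log modelled on the BIND query-log line format. The ramp per
# minute, the source ports and the 10.0.0.0/8 "ordinary" clients are assumptions.
VICTIM = "193.47.85.126"
REFLECTED_NAME = "outmail.zyngamail.com"
RAMP = {"22:41": 25, "22:42": 80, "22:43": 400, "22:44": 1200}  # ANY queries per minute


def make_sample_log():
    """Return constructed query-log lines: a trickle of normal lookups plus an
    ANY flood whose source address is the spoofed victim, growing each minute."""
    lines = []
    for minute, n_any in RAMP.items():
        for i in range(n_any):
            lines.append(
                f"09-Dec-2014 {minute}:{i % 60:02d}.{i % 1000:03d} queries: info: "
                f"client {VICTIM}#{1024 + i} ({REFLECTED_NAME}): "
                f"query: {REFLECTED_NAME} IN ANY +E (10.0.0.2)"
            )
        for i in range(5):  # background traffic from real clients
            lines.append(
                f"09-Dec-2014 {minute}:{i * 10:02d}.000 queries: info: "
                f"client 10.0.0.{10 + i}#4{i}321 (www.example.com): "
                f"query: www.example.com IN A +E (10.0.0.2)"
            )
    return lines


# "ts" captures the timestamp down to the minute, which is the bucket we count in.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ queries: info: "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def parse(lines):
    """Yield (minute, source, qname, qtype) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["qname"].lower().rstrip("."), m["qtype"].upper()


def queries_per_minute(lines):
    """Total queries per minute, i.e. the table behind a 'requests per minute' graph."""
    return Counter(minute for minute, _, _, _ in parse(lines))


def find_reflection_targets(lines, threshold_per_minute=100):
    """Peak per-minute ANY rate for each (source, qname) that ever exceeds the threshold.
    In a reflection attack the 'source' is the spoofed victim, so the right reaction is
    to stop answering (or rate-limit answers to) that address, not to chase it as an attacker."""
    per_minute = Counter(
        (src, qname, minute)
        for minute, src, qname, qtype in parse(lines)
        if qtype == "ANY"
    )
    peak = {}
    for (src, qname, minute), n in per_minute.items():
        peak[(src, qname)] = max(peak.get((src, qname), 0), n)
    return {k: v for k, v in peak.items() if v >= threshold_per_minute}


if __name__ == "__main__":
    log = make_sample_log()
    for minute, n in sorted(queries_per_minute(log).items()):
        print(f"{minute}  {n:5d} queries")
    for (src, qname), peak in find_reflection_targets(log).items():
        print(f"reflection target {src}: peak {peak} ANY/min for {qname}")
```

Run against a real `querylog` file, the same two functions give the per-minute table and the list of addresses your server is currently being used to hit; a threshold of 100 ANY queries per minute for one name from one address is far above anything a legitimate client does.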

[Figure: DNS Amplification Attack data 12-09-2014, DNS requests per minute over one hour]

If you noticed any Internet issues today, it was likely slower DNS resolution caused by the massive number of DNS requests generated for this attack. If you run any sort of DNS cache server, you should drop all ANY queries for outmail.zyngamail.com; legitimate clients almost never need ANY, and dropping them stops your server from acting as a reflector against this victim. Rate-limiting responses per client address (response rate limiting, which BIND and other servers support) is the more general protection, since the next attack will simply use a different name. As of 11:25 PM GMT, this attack is still in full swing.
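One way to implement the “drop ANY queries for this name” advice, as an added Python example that is not part of the original post: a minimal parser for the question section of a raw DNS query that decides whether a datagram is `outmail.zyngamail.com IN ANY`, plus a helper that emits the equivalent iptables `-m string` rule built from the name’s wire-format encoding. The test packets are constructed here; the iptables rule assumes the kernel has the `xt_string` match available.

```python
import struct

QTYPE_ANY = 255
QCLASS_IN = 1


def encode_qname(name):
    """Wire-format domain name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(packet, offset):
    """Decode an uncompressed name starting at offset; return (lower-cased name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in a query QNAME")  # never legal here
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset


def is_any_query_for(packet, blocked_name):
    """True if the UDP payload is a DNS query (QR=0) whose first question is <blocked_name> IN ANY.
    Malformed or truncated packets are simply not matched (they are left to the resolver)."""
    if len(packet) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount == 0:  # a response, or nothing to inspect
        return False
    try:
        qname, off = decode_qname(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    except (ValueError, IndexError, struct.error):
        return False
    return qname == blocked_name.lower().rstrip(".") and qtype == QTYPE_ANY and qclass == QCLASS_IN


def build_query(name, qtype, txid=0x1234):
    """Constructed DNS query for testing: standard query, RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def iptables_drop_rule(name):
    """iptables rule dropping inbound UDP/53 datagrams that carry <name> immediately followed by
    QTYPE=ANY, QCLASS=IN. Assumes the xt_string match is available on the host."""
    pattern = encode_qname(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    hexs = " ".join(f"{b:02x}" for b in pattern)
    return f'iptables -A INPUT -p udp --dport 53 -m string --algo bm --hex-string "|{hexs}|" -j DROP'


if __name__ == "__main__":
    pkt = build_query("outmail.zyngamail.com", QTYPE_ANY)
    print("drop:", is_any_query_for(pkt, "outmail.zyngamail.com"))
    print(iptables_drop_rule("outmail.zyngamail.com"))
```

Two caveats. The iptables string match is byte-exact, so a query whose labels use mixed case (DNS names are case-insensitive, and some resolvers randomise case deliberately) would slip past it, whereas `is_any_query_for` lower-cases the decoded name; and the rule only stops your server from amplifying this one name, so it belongs alongside response rate limiting rather than in place of it.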
