Reply to comment:

Anonymous
Some additional analysis, which I put on the ncc-services@ripe.net and dns-wg@ripe.net mailing lists:

This issue appears not to be related to a misconfigured zone; the zone looked (and still looks) like this:

<domain>.com. 7200 IN SOA ns1.<nsdomain>. root.ns1.<domain>.com. 20091027 28800 600 604800 86400
<domain>.com. 300 IN A <ipv4_1>
<domain>.com. 300 IN A <ipv4_2>
<domain>.com. 7200 IN NS ns1.<nsdomain>.
<domain>.com. 7200 IN NS ns2.<nsdomain>.
<domain>.com. 7200 IN NS ns3.<nsdomain>.
<domain>.com. 7200 IN NS ns4.<nsdomain>.
www.<domain>.com. 300 IN A <ipv4_1>
www.<domain>.com. 300 IN A <ipv4_2>
<domain>.com. 7200 IN SOA ns1.<nsdomain>. root.ns1.<domain>.com. 20091027 28800 600 604800 86400

The <nsdomain> was a different domain, not in COM.
We asked folks that operate COM and they didn't see the same query storm for this domain though. If these were all 'normal' resolvers dealing with a misconfigured zone, I'd expect them to follow the delegation chain. Also, when spot-checking some 20 source IPs for these queries, we didn't find that these did any other queries to K-root than for things in <domain>.com.

As mentioned in the article, we have several indications that this was caused by a botnet.

It is unlikely this was a reflector attack with spoofed source addresses, as there are some 60,000 unique source IPs per hour in the queries for this specific domain. For targeted spoofing I'd expect this number to be very low; for random spoofing I'd expect this number to be far higher.

When looking at the query load for www.<domain>.com on 20110628, before 16:28 UTC (0:28 Chinese Standard Time) we have 2 queries for this domain, then it all starts:

#queries timestamp
1 1309252434
1 1309274472
8603 1309278521
9630 1309278522
11277 1309278523
14123 1309278524
12271 1309278525
12457 1309278526
12118 1309278527
12369 1309278528
12234 1309278529
12402 1309278530
12202 1309278531
12469 1309278532
12138 1309278533
12149 1309278534
... (continues to be in the 10-12kps range for a while)

So either the misconfiguration started at around 16:28 UTC, or this wasn't a misconfiguration. The third possibility, already misconfigured + slashdotted-equivalent, I think is not impossible but unlikely, both because of it being past midnight at the ASes that were a major source of queries, and because of the very sudden increase in load.
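The two checks the comment relies on, bucketing queries per second to locate the sudden onset and counting distinct source IPs in a window to weigh the spoofing hypothesis, as an added Python example (not the commenter's code, and not K-root's real log format). The one-line-per-query log format, the sample lines and the onset thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed sample log, "<epoch> <source_ip> <qname>" per query (assumed format).
# Two stray queries hours apart, then a burst from many sources in one second.
SAMPLE_LOG = """\
1309252434 198.51.100.7 www.example.com.
1309274472 203.0.113.9 www.example.com.
1309278521 192.0.2.1 www.example.com.
1309278521 192.0.2.2 www.example.com.
1309278521 192.0.2.3 www.example.com.
1309278521 192.0.2.1 www.example.com.
1309278522 192.0.2.4 www.example.com.
1309278522 192.0.2.5 www.example.com.
1309278522 192.0.2.6 www.example.com.
1309278522 203.0.113.9 other.example.net.
"""

def _records(log, qname):
    """Yield (epoch, source_ip) for every query of exactly qname."""
    for line in log.splitlines():
        ts, src, name = line.split()
        if name == qname:
            yield int(ts), src

def queries_per_second(log, qname):
    """Per-second query counts, the same shape as the '#queries timestamp' table."""
    counts = Counter(ts for ts, _ in _records(log, qname))
    return dict(sorted(counts.items()))

def unique_sources(log, qname, start, end):
    """Distinct source IPs querying qname in [start, end] (inclusive epochs).
    Very few sources suggests targeted spoofing, nearly one per query suggests
    random spoofing; a large but repeating set is what the comment attributes
    to a botnet."""
    return len({src for ts, src in _records(log, qname) if start <= ts <= end})

def find_onset(per_second, factor=3, min_rate=3):
    """First second whose rate is at least min_rate and at least factor times the
    highest rate seen in any earlier second (assumed thresholds). None if no jump."""
    peak_before = 0
    for ts in sorted(per_second):
        rate = per_second[ts]
        if rate >= min_rate and rate >= factor * max(peak_before, 1):
            return ts
        peak_before = max(peak_before, rate)
    return None

if __name__ == "__main__":
    qps = queries_per_second(SAMPLE_LOG, "www.example.com.")
    print(qps, find_onset(qps), unique_sources(SAMPLE_LOG, "www.example.com.", 1309278521, 1309278522))
```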