Posts

Featured

DNS amplification attack is still active: TXT records of domains for fake shopping websites using .ru ccTLD

0x00 Introduction

DNS amplification attacks are not a new topic, but they are still active today. Currently, an active source is launching DNS amplification DDoS attacks by leveraging multiple domains of fake shopping websites that share the exact same template, querying the TXT records of these domains to obtain a high amplification factor.

0x01 Features of Domain

These domains are all registered under the [.]ru ccTLD. Of the 2243 collected domains, which resolve to 10 neighbouring IP addresses, 2241 follow the format [string]+"-"+[string]+".ru". According to the DGA guess results provided by DGArchive, 1659 of them match the Regex Guesses results of bigviktor_dga and nymaim2_dga, and 541 of them match the Regex Guesses results of bigviktor_dga only. The domains were collected from the Passive DNS Replication results of VirusTotal.

0x02 Features of Website

All the websites of these domains use the same template. The logo is the first characters of the t...

Latest Posts