@jedisct1 @pingpingya @GetUmbrella can you see anything under good.gd.?
Replying to @ioc32
@ioc32 @pingpingya Related lookups: https://gist.github.com/jedisct1/7487742/raw … - Nothing very suspicious here.
Replying to @jedisct1
@jedisct1 @pingpingya thanks for the info. I couldn't find any at SANS/ISC, ShadowServer and the like. The FQDNs certainly looked like DGAs
Replying to @ioc32
Replying to @jedisct1
@jedisct1 @pingpingya exactly like these. Strange, IIRC they were mostly A type queries returning NOERRORs. Will check later.
Replying to @ioc32
@ioc32 @pingpingya I couldn't find any A record for these DGAs, only CNAMEs to good[.]gd and e[.]zc0[.]net
Replying to @jedisct1
@jedisct1 @pingpingya judging from *DSC* stats, the flood was A/NOERROR. Can botnets "reboot"? Could that explain a 16-fold increase in qps?
Replying to @ioc32
@ioc32 @pingpingya Which IP did these queries resolve to? Where are the clients located?
Replying to @jedisct1
@jedisct1 @pingpingya it was an OPs day, it's just now we can do some analysis. Only DSC stats atm, I should use packetq to answer properly
Replying to @ioc32
@jedisct1 @pingpingya no PCAPs available to use packetq on... #hélas
Replying to @jedisct1
@jedisct1 @pingpingya at least, we're able to profile qr/an at a rather high level. Unfortunately detailed information is unavailable.