
Weekly web security warning – a busy weekend

Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA's D-Zone DNS Firewall.
By Rob Williamson
Marketing Manager

This week’s big winner was a spambot using a random-character .ru domain and, unlike past weeks, the pattern was different. On weekends, the number of blocked domains typically falls because users tend to be offline, at least from their networked computers. This week, however, there was a huge spike in the number of unique domains blocked, peaking at just over 4,900 on Saturday, May 5th. We aren’t charting this here, but traffic returned to the more normal, quieter weekend pattern on the 6th.

In terms of the rest of the top blocked domains, we see a couple of non-resolving domains like buysellstops.com and underpants.online that are using WHOIS privacy. We also see the usual cadre of randomized domains.

| Domain | Threat |
| --- | --- |
| xdqzpbcgrvkj.ru | Spambot |
| 76236osm1.ru | Trojan downloaders |
| buysellstops.com | Malware Call Home |
| superyou.zapto.org | Spybot |
| e51091eec8b619d50e44c8c29b7a0ee8.com | Malware Call Home |
| ns6.wowrack.com | Mirai |
| ns5.wowrack.com | Mirai |
| 0x3h32haer.underpants.online | Malware Call Home |
| dj1.jfrmt.net | Morto |
| soplifan.ru | Trojan downloaders |

And finally, we noted a spike in DNS amplification traffic this week that peaked on May 3rd. These are queries designed to get a response that is larger than the query, and they are generally used for DDoS attacks on a third party.

On our end, we rate limit responses to these types of queries to sink them before they can cause slowdowns to our systems or the target’s systems.
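The response rate limiting described above, sketched as an added example (not CIRA's code or configuration): a token bucket per claimed-source network that is charged only when the answer is much larger than the query. The thresholds, the IPv4 /24 grouping, the class and function names, and the sample traffic are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values for illustration; not CIRA's settings.
RATE_PER_SEC = 5      # large responses refilled per second, per client prefix
BURST = 10            # bucket capacity
AMP_THRESHOLD = 4.0   # response/query size ratio treated as amplification-prone

class ResponseRateLimiter:
    """Token bucket per claimed-source /24, charged only for large responses."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST, amp=AMP_THRESHOLD):
        self.rate, self.burst, self.amp = rate, burst, amp
        self.buckets = defaultdict(lambda: [float(burst), None])  # [tokens, last_seen]

    @staticmethod
    def prefix(src_ip):
        # A spoofed source is the victim's address, so group by the victim's network.
        return str(ipaddress.ip_network(f"{src_ip}/24", strict=False))

    def allow(self, src_ip, query_bytes, response_bytes, now):
        """Return True to send the response, False to drop it."""
        if response_bytes / max(query_bytes, 1) < self.amp:
            return True  # small answers give a reflector no leverage
        bucket = self.buckets[self.prefix(src_ip)]
        tokens, last = bucket
        if last is not None:
            tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        bucket[1] = now
        allowed = tokens >= 1.0
        bucket[0] = tokens - 1.0 if allowed else tokens
        return allowed

def replay(events, limiter=None):
    """events: (time_s, claimed_src, query_bytes, response_bytes) -> (sent, dropped)."""
    limiter = limiter or ResponseRateLimiter()
    results = [limiter.allow(src, q, r, t) for t, src, q, r in events]
    return results.count(True), results.count(False)

# Constructed sample: 200 queries in one second, all claiming sources in one
# network (documentation range 192.0.2.0/24); 64-byte query, 3000-byte answer.
FLOOD = [(i / 200, f"192.0.2.{i % 50 + 1}", 64, 3000) for i in range(200)]
# Constructed sample: an ordinary client making one small lookup per second.
NORMAL = [(float(i), "198.51.100.7", 40, 56) for i in range(20)]

if __name__ == "__main__":
    print("flood  (sent, dropped):", replay(FLOOD))
    print("normal (sent, dropped):", replay(NORMAL))
```

Grouping by network rather than by single address keeps a flood that rotates spoofed addresses inside one victim range from getting a fresh bucket per address.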

About the author
Rob Williamson

Rob has more than 20 years of experience writing, presenting and blogging for the technology industry. He covers topics as varied as software development tools, silicon reverse engineering, cybersecurity and DNS. Rob is a passionate marketer who speaks to IT professionals by giving them the information and details they need to do their jobs.
