Secshow.net

Hi @ade.reza , @amjadkhan ,

Can you shared a screenshot of the detailed log view? 

Hello all,

I have the same problem, any updates ?

Same problem here also. The other strange part is, that they typically occur from one of my external IP's going to another of my external IP's. 

   Domain Name: SECSHOW.NET
   Registry Domain ID: 2793806009_DOMAIN_NET-VRSN
   Registrar WHOIS Server: grs-whois.hichina.com
   Registrar URL: http://wanwang.aliyun.com
   Updated Date: 2023-06-27T02:10:51Z
   Creation Date: 2023-06-27T02:07:57Z
   Registry Expiry Date: 2024-06-27T02:07:57Z
   Registrar: Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn)
   Registrar IANA ID: 1599
   Registrar Abuse Contact Email: DomainAbuse@service.aliyun.com
   Registrar Abuse Contact Phone: +86.95187
   Domain Status: ok https://icann.org/epp#ok
   Name Server: DNS23.HICHINA.COM
   Name Server: DNS24.HICHINA.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2023-11-28T14:47:52Z <<<

secshow.net and secshow.online DNS traffic happening for us too, public IP to Public IP. The URLs not matching with typical syntax for DNS tunnelling so I don't think that's what's happening. One domain owned by alibaba.

Ever since the upgrade in October to 10.1.11 this has been happening - did not see any patch notes about this or DNS. Many changes though in this release.

Upgrading to 10.2.7 soon and wondering if this will fix it. 

@JayGolf  - if palo has any updates or communications for their customers about this it would be great. Seems like a widespread issue that hasn't been communicated. Given that this is setting off security alerts some sort of note would be great that Palo is at least aware if this is a bug and is working on a fix.

Hi, @jasonwald and @JayGolf we are having similar looking issue. Is there any progress finding out where such traffic is coming from?

I'm not a Palo Alto user, but I've been receiving this traffic for several months. It appears to be someone spoofing an adjacent source address while making DNS queries to every IPv4 address, and checking which IPs end up forwarding the query to a recursive resolver. Presumably the goal is to find open resolvers for DNS amplification attacks or similar. The hex string in the secshow.net DNS name corresponds with the IP address being spoofed, and I've been messing with their results by making DNS queries for random IPs whenever the spoofer is active. It appears to be working, as they've ramped up the frequency of scans, and made some modifications to the hostname format. Hopefully they'll give up soon.

I haven't received any traffic for secshow.online, interestingly.

This seems to be going strong again within the last few days. Super annoying. Would love to get some more info on this.

threatid: Tunneling:secshow.net(109001001)

I can confirm that it seems to be back.  In addition to secshow.net, there's also now a "savme.xyz" producing the same type of traffic.  Someone did a write-up on it here: https://dataplane.substack.com/p/destination-adjacent-source-address