What is the meaning of unusual subdomains like ip45-126062?

My security events log has 200+ daily entries that appear to target a host name that literally begins with IP45-126062, or IP46-126062, or network-126062. For example, `network-126026.example.com`.

What is the source of those subdomain names? We do not have, and have never had, any subdomains with such names. The subdomain always contains 126062 on these attacks and we have no idea where the hackers got that number either.

We are not terribly concerned, since we have no such subdomains; but should we be concerned? Am I misunderstanding the Security Events data?

Do you have a wildcard * subdomain DNS record?


Yes, we do have a * wildcard subdomain.

That’s why then. People or bots are trying, or have tried, “random” subdomains for your domain, and due to the wildcard they will resolve.


Thanks sjr, that makes sense. I’m surprised that the number over the last few weeks has always been 126062, but I assume that implies the same hacker pretending to come, or actually coming, from different countries around the world. Is it a security risk to have a wildcard domain? The hacker could just use www if they don’t want to use the ones they made up (at least in our case).

It might not be a hacker, just some kind of internet surveying bot. (I check for wildcards here by using a randomly generated subdomain).

It’s not a security risk directly, but I would say unless you have a specific reason for a wildcard (like a huge number of subdomains or some service you offer a large number of customers with unique subdomains) then better to specify subdomains directly so you can see what services you actually have active, or think you have active, on your domain. Helps cut down noise in logs as well, as you have found.

Some scanners try lots of common or random domains so if those all resolve and point to your origin it can also increase origin load.

Some people just use a wildcard as they are too lazy to specify the subdomains individually or as CNAMEs if they all point to the same server.

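The wildcard check mentioned in the reply above (resolving a randomly generated subdomain), as an added example that is not part of the original thread: it probes for a wildcard record and then sorts logged hostnames into known, wildcard-only and other. The `sample_resolver` stand-in, `RECORDS`, the sample hostnames and the documentation addresses are constructed assumptions.

```python
import secrets
import socket
from collections import Counter

def resolve(name):
    """Addresses for name, or an empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def wildcard_addresses(domain, resolver=resolve, probes=3):
    """Resolve random labels that cannot be real records. If every probe
    resolves, return the addresses the wildcard hands out, else an empty set."""
    answers = [resolver(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)]
    return set().union(*answers) if all(answers) else set()

def triage_hosts(hosts, domain, inventory, resolver=resolve):
    """Count logged hostnames: 'known' (in the inventory), 'wildcard-only'
    (unlisted, resolves only to the wildcard addresses) or 'other'."""
    wild = wildcard_addresses(domain, resolver)
    counts = Counter()
    for host in hosts:
        host = host.lower().rstrip(".")
        addrs = resolver(host)
        if host in inventory:
            counts["known"] += 1
        elif addrs and addrs <= wild:
            counts["wildcard-only"] += 1
        else:
            counts["other"] += 1
    return counts

# Constructed stand-in for a zone with one explicit record and a "*" record,
# using documentation addresses so the example runs offline.
RECORDS = {"www.example.com": {"192.0.2.10"}}

def sample_resolver(name):
    if name in RECORDS:
        return RECORDS[name]
    return {"192.0.2.99"} if name.endswith(".example.com") else set()

# Constructed log hostnames in the style of the ones in the question.
SAMPLE_HOSTS = ["ip45-126062.example.com", "network-126062.example.com",
                "WWW.example.com", "ip46-126062.example.com"]

if __name__ == "__main__":
    print(triage_hosts(SAMPLE_HOSTS, "example.com", set(RECORDS), sample_resolver))
```

Against a real zone, drop the `resolver` argument so the system resolver is used, and pass the set of subdomains you actually intend to serve as `inventory`.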

Thanks sjr, for the helpful information!
