This paper introduces a perplexing actor, Muddling Meerkat, who appears to be a People’s Republic of China (PRC) nation-state actor. Muddling Meerkat conducts active operations through DNS by creating large volumes of widely distributed queries that are subsequently propagated through the internet using open DNS resolvers. Their operations intertwine with two topics tightly connected with China and Chinese actors: the Chinese Great Firewall (GFW) and Slow Drip, or random prefix, distributed denial-of-service (DDoS) attacks. While Muddling Meerkat’s operations look at first glance like DNS DDoS attacks, it seems unlikely that denial of service is their goal, at least in the near term. Muddling Meerkat operations are long-running – apparently starting in October 2019 – and demonstrate a high degree of expertise in DNS.
Renée Burton
Vice President of Threat Intel at Infoblox
Dr. Burton is the Vice President of Threat Intel for Infoblox. She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence.