Deflecting Bogus Queries -- Machine Under Attack, PLEASE HELP.

Sten Carlsen ccc2716 at vip.cybercity.dk
Thu Aug 5 18:09:41 UTC 2004



Dan Mahoney, System Admin wrote:

> On Thu, 5 Aug 2004, Sten Carlsen wrote:
>
>> Hi
>>
>> How about making a local zone for which you are authoritative and
>> return "no A record present". At least it will stop any recursive
>> lookups.
>
>
> I (or the customer, actually) *am* authoritative for elephaunt.org. 
> These are not recursive lookups.  But I'm sure this is setting off 
> firewall logs at all the spoofed hosts, no matter what I return.
>
> That's why I wanted the "silent ignore" option.  You can do it per IP, 
> but not per zone.
>
> -Dan
>
Ok, then I guess you just have to serve out answers; I doubt you could
determine which question is "real" and which is "noise".

>>
>>
>> Dan Mahoney wrote:
>>
>>> I'm presently dealing with a DNS server that's under attack, and is
>>> being made to spew out DNS responses all over the internet, hundreds,
>>> maybe thousands a second.
>>>
>>> I cannot trace the source IP to log it or ban it because it's
>>> obviously forged, and there's enough DNS traffic on the wire that it's
>>> suitably masked.
>>>
>>> I'd like to know if I can just somehow set bind to DROP all queries
>>> for the domain in question.  No response, no nothing, just silently
>>> ignore them.  It won't make the attack stop, but at least it'll stop
>>> me from being used as a reflector.
>>>
>>> These domains don't even exist.  I thought about redirecting an NS
>>> record for these subdomains elsewhere, but it wouldn't really matter
>>> since I think the attack is ignoring true DNS.
>>>
>>> Here's a quick log:
>>>
>>> Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>> spasm.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query:
>>> spaz.elephaunt.org IN A
>>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>> spasm.elephaunt.org IN A
>>>
>>> Replies to this address are appreciated, although I will of course
>>> check the group.  danm at ezzi dot net is also useful.
>>>
>>>
>>
>>
>
> -- 
>
> "We need another cat.  This one's retarded."
>
> -Cali, March 8, 2003 (3:43 AM)
>
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
>

-- 
Best regards

Sten Carlsen

Let HIM who has an empty INBOX send the first mail.
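Added example, not part of the original bind-users thread: a small parser for the BIND query-log format Dan pasted, which aggregates queries per name and per second and flags the reflection pattern visible in his log (one or two names under the zone being asked for by many different source addresses within the same second, one of which repeats), so an operator can spot the abused names and the sources to watch without reading the raw log. The sample lines are the ones from Dan's message, re-joined onto single lines; the zone name, the `min_queries`/`min_sources` thresholds and all function names are assumptions made for this example.

```python
"""Summarise BIND 'query:' log lines to spot a reflection flood (added example)."""
import re
from collections import Counter

# Format of the lines quoted in the thread (BIND 9 querylog, 2004 vintage):
#   Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+named\[\d+\]:\s+"
    r"client\s+(?P<ip>[\d.]+)#(?P<port>\d+):\s+query:\s+"
    r"(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)"
)

# Sample input: the 20 lines from the original message, one query per line.
SAMPLE_LOG = """\
Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
"""


def parse(lines):
    """Return a list of dicts (ts, ip, port, qname, qclass, qtype), skipping non-query lines."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarise(records, zone):
    """Bucket queries for names at or under `zone` by (second, qname).

    Each bucket records the total query count and the set of distinct source IPs.
    """
    zone = zone.rstrip(".")
    buckets = {}
    for r in records:
        name = r["qname"].rstrip(".")
        if name != zone and not name.endswith("." + zone):
            continue
        b = buckets.setdefault((r["ts"], name), {"queries": 0, "sources": set()})
        b["queries"] += 1
        b["sources"].add(r["ip"])
    return buckets


def flag_floods(buckets, min_queries=5, min_sources=5):
    """Return (second, qname) keys that look like a reflection flood.

    Heuristic (assumed thresholds): one name asked for at least `min_queries`
    times within one second by at least `min_sources` different source addresses.
    """
    return sorted(
        key for key, b in buckets.items()
        if b["queries"] >= min_queries and len(b["sources"]) >= min_sources
    )


def top_sources(records, n=3):
    """Most frequent source IPs, useful for seeing which addresses repeat."""
    return Counter(r["ip"] for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    buckets = summarise(recs, "elephaunt.org")
    for key in flag_floods(buckets):
        b = buckets[key]
        print(f"{key[0]} {key[1]}: {b['queries']} queries from {len(b['sources'])} sources")
    print("top sources:", top_sources(recs))
```

Run against a live query log with `parse(open("/var/log/named/query.log"))` and a real zone name; the flagged names are the ones a reflector is being used for, and `top_sources` shows which addresses repeat (68.46.144.5 in the sample), which is as much as the log alone can say, since the source addresses are assumed spoofed.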


