Deflecting Bogus Queries -- Machine Under Attack, PLEASE HELP.

BOG junk at 1command.com
Sat Aug 7 05:46:53 UTC 2004


Greetings Dan,
 What I would do is to turn up the verbosity of your log level - I know,
sounds crazy, as you're being flooded already. But this will help you to
find the source(s) more accurately. Then you can simply add the offending
IP(s) to your "bogon" clause - you are using bogon, aren't you? I had a
similar problem on one of our domains. The attacks were dictionary attacks
aimed at retrieving valid email addresses. We were getting them at no less
than 1/second - no less than. Anyhow, I was forced to *live* at the console
and retrieve the offending IPs. I would also grab the host/domain combinations
that initiated the attack (these were *not* the IPs they used to connect - see
"bounce/relay"). Anyway, I sent the host/domain(s) to: dig host/domain >
copy IP(s) > add to the "bogon", dig mx host/domain > copy/add IP(s) to the
bogon, send a SIGHUP to named, and ended up with that many fewer attacks. Not
a terribly efficient approach (very time consuming) but effective. At any rate,
since then I have purchased another domain that I/we will use specifically
for a public blocklist. After I finish the scripts needed to automate the
whole process, we'll announce its availability. You may want to check your
other services (most notably your mailserver) to see what these attacks are
intended for. You might also want to check for a possible system compromise,
e.g. backdoor/trojan. You might be the victim of something of this nature -
just thought I'd mention it.

Best wishes,
 Chris


"Dan Mahoney, System Admin" <danm at prime.gushi.org> wrote in message news:<cetu3m$1bik$1 at sf1.isc.org>...
> On Thu, 5 Aug 2004, Sten Carlsen wrote:
> 
> > Hi
> >
> > > How about making a local zone for which you are authoritative and return "no A 
> > > record present". At least it will stop any recursive lookups.
> 
> I (or the customer, actually) *am* authoritative for elephaunt.org. 
> These are not recursive lookups.  But I'm sure this is setting off 
> firewall logs at all the spoofed hosts, no matter what I return.
> 
> That's why I wanted the "silent ignore" option.  You can do it per IP, but 
> not per zone.
> 
> -Dan
> 
> >
> >
> > Dan Mahoney wrote:
> >
> >> I'm presently dealing with a DNS server that's under attack, and is
> >> being made to spew out DNS responses all over the internet, hundreds,
> >> maybe thousands a second.
> >> 
> >> I cannot trace the source IP to log it or ban it because it's
> >> obviously forged, and there's enough DNS traffic on the wire that it's
> >> suitably masked.
> >> 
> >> I'd like to know if I can just somehow set bind to DROP all queries
> >> for the domain in question.  No response, no nothing, just silently
> >> ignore them.  It won't make the attack stop, but at least it'll stop
> >> me from being used as a reflector.
> >> 
> >> These domains don't even exist.  I thought about redirecting an NS
> >> record for these subdomains elsewhere, but it wouldn't really matter
> >> since I think the attack is ignoring true DNS.
> >> 
> >> Here's a quick log:
> >> 
> >> Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >> spasm.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query:
> >> spaz.elephaunt.org IN A
> >> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >> spasm.elephaunt.org IN A
> >> 
> >> Replies to this address are appreciated, although I will of course
> >> check the group.  danm at ezzi dot net is also useful.
> >> 
> >> 
> >
> >
> 
> --
> 
> "We need another cat.  This one's retarded."
> 
> -Cali, March 8, 2003 (3:43 AM)
> 
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
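An added example, not code from either poster: a small Python parser for the named query-log format quoted in this thread that flags names being hit from many distinct (likely spoofed) sources in the same second, the reflection signature Dan describes, and renders the kind of "bogon" ACL Chris feeds to named. The sample log lines are constructed from the thread's format; the ACL is only useful against sources that are not spoofed, which is exactly Dan's objection.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the named query log quoted in the thread
# (the thread's lines were wrapped by the mail client; these are single-line).
SAMPLE_LOG = """\
Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:19 cp named[6408]: client 10.0.0.7#1234: query: www.example.org IN MX
"""

# Matches: "<Mon dd HH:MM:SS> <host> named[<pid>]: client <ip>#<port>: query: <name> IN <type>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)

def parse_query_log(text):
    """One dict per well-formed 'query:' line; anything else is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def reflection_candidates(records, min_sources=3):
    """Names queried from >= min_sources distinct client IPs within one second.
    Fan-out across many sources for the same (nonexistent) name is the
    reflection pattern; returns {qname: peak distinct sources per second}."""
    per_sec = defaultdict(set)
    for r in records:
        per_sec[(r["ts"], r["qname"])].add(r["ip"])
    flagged = {}
    for (_, qname), ips in per_sec.items():
        if len(ips) >= min_sources:
            flagged[qname] = max(flagged.get(qname, 0), len(ips))
    return flagged

def top_clients(records):
    """(ip, port) pairs by query count; a repeated ip#port is a real socket
    worth checking, since spoofed floods rarely reuse one exact pair."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["ip"], r["port"])] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

def bogon_acl(ips, name="bogon"):
    """Render a named.conf acl block; pair it with 'blackhole { bogon; };' in
    options so named never answers those sources."""
    body = "".join(f"    {ip};\n" for ip in sorted(set(ips)))
    return f"acl {name} {{\n{body}}};\n"
```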

