Deflecting Bogus Queries -- Machine Under Attack, PLEASE HELP.

Dan Mahoney google at gushi.org
Fri Jul 30 18:50:42 UTC 2004


I'm presently dealing with a DNS server that's under attack, and is
being made to spew out DNS responses all over the internet, hundreds,
maybe thousands a second.

I cannot trace the source IP to log it or ban it because it's
obviously forged, and there's enough DNS traffic on the wire that it's
suitably masked.

I'd like to know if I can just somehow set bind to DROP all queries
for the domain in question.  No response, no nothing, just silently
ignore them.  It won't make the attack stop, but at least it'll stop
me from being used as a reflector.

These domains don't even exist.  I thought about redirecting an NS
record for these subdomains elsewhere, but it wouldn't really matter
since I think the attack is ignoring true DNS.

Here's a quick log:

Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A

Replies to this address are appreciated, although I will of course
check the group.  danm at ezzi dot net is also useful.
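An added example, not part of the post and not BIND's own code, of the defender-side check the quoted log invites: parse named query-log lines in the format shown above, summarise each name under the attacked zone by query count, distinct source addresses and peak queries within one logged second, and flag the names that many distinct (here spoofed) sources ask for, which is the reflector pattern the post describes. The sample lines are constructed in the post's format, and the `min_sources` threshold is an assumption to be tuned to a server's normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample in the query-log format quoted in the post (not the real log).
SAMPLE_LOG = """\
Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:19 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 10.0.0.7#5353: query: www.example.com IN A
Jul 30 19:36:18 cp named[6408]: lame server resolving 'example.net' (in 'example.net'?): 192.0.2.1#53
"""

# One query-log line: timestamp, host, named[pid], client ip#port, qname, class IN, type.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)$"
)

def parse_query_log(text):
    """Return one dict per query line; non-query lines (lame server etc.) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize_by_qname(records, zone):
    """For each name at or under `zone`: total queries, distinct source IPs,
    and the highest number of queries seen within a single log second."""
    apex = zone.strip(".").lower()
    total = defaultdict(int)
    sources = defaultdict(set)
    per_second = defaultdict(lambda: defaultdict(int))
    for r in records:
        q = r["qname"].rstrip(".").lower()
        if q != apex and not q.endswith("." + apex):
            continue
        total[q] += 1
        sources[q].add(r["ip"])
        per_second[q][r["ts"]] += 1
    return {q: {"queries": total[q], "sources": len(sources[q]),
                "peak_qps": max(per_second[q].values())} for q in total}

def reflection_suspects(records, zone, min_sources=3):
    """Names under `zone` asked for by at least `min_sources` distinct addresses:
    the same nonexistent name arriving from many unrelated (spoofed) sources is the
    reflector pattern in the post. `min_sources` is an assumed threshold."""
    s = summarize_by_qname(records, zone)
    return sorted(q for q, v in s.items() if v["sources"] >= min_sources)
```

Names this flags are the candidates for whatever per-name filtering is put in place, and the per-second peak is what to watch once it is.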

