Fw: How to block DNS record scans ? (more info)
Gregory Hicks
ghicks at cadence.com
Mon Apr 25 23:45:01 UTC 2005
> From: "Sylvan Andrew" <sylvan_nids at norfolk.nf>
> To: <bind-users at isc.org>
> Subject: Fw: How to block DNS record scans ? (more info)
> Date: Tue, 26 Apr 2005 10:14:49 +1130
>
> Hello,
>
> Wow! Thanks so much to all the people who responded and passed on some
> great ideas.
>
> Unfortunately we can't block by source address of the DNS request because
> they are using legit open DNS servers to do the requests. For nearly every
> DNS request they seem to use a different source IP. Regardless of source IP
> the requests follow a logical alphabetical order. I estimated they are using
> a pool of more than 20 DNS servers.
Sylvan:
How were you able to identify this? What does your logging section
look like?
The reason I ask is because I am not able to see anything like this...
(Of course, it may have happened so long ago that the logs rotated
off...)
Regards,
Gregory Hicks
>
> One suggestion from Stephan was:
>
> > As a first step... agreed.
> > But that shouldn't be the final solutions as he will be always one step
> > behind a possible attacker. I would strongly suggest an intelligent IDS /
> > IPS which recognizes such attacks and blocks them dynamically
>
> Has anybody had any successful experiences with this ?
>
> I don't know much about BIND but it seems a shame that it hasn't got a
> 'don't bother replying to wanker requests' switch built in.
>
> Any other ideas or a way to achieve this are much appreciated.
>
> Thanks
>
> Sylvan
>
>
>
> > Hello,
> >
> > If there is anyone who could help us, it would be much appreciated. Two of
> > our DNS servers are continually getting scanned with some type of script
> > that tries every combination possible from A-Z.
> > Rather than limit the amount of DNS requests our servers handle on a time
> > basis, is there anyone who knows a way to modify the response to an entry
> > record not being found?
> > Basically we'd want it so that if it was a valid entry BIND would reply
> > straight away; if it was an invalid entry we'd like, rather than an immediate
> > 'not found' response, to modify it so it just times out.
> > Does anyone have any ideas where in BIND we could modify it to do this?
> > Does anyone have any other ideas to combat this problem?
>
> >Thanks for your time.
>
> >Regards
>
> >Sylvan
>
-------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400
San Jose, CA 95134 | Internet: ghicks at cadence.com
I am perfectly capable of learning from my mistakes. I will surely
learn a great deal today.
"A democracy is a sheep and two wolves deciding on what to have for
lunch. Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin
"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
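An added example, not from this thread and not ISC's code, of the kind of log check Gregory is asking about. It turns on BIND 9 query logging (the named.conf stanza in the docstring is an assumed configuration, not Sylvan's), parses the resulting query-log lines, and flags a zone whose queries arrive in alphabetical order from many distinct source addresses, which is exactly the pattern Sylvan describes and the reason blocking by source does not help. The log format, sample lines, thresholds and function names are all assumptions constructed for this example; the sample log is made up.

```python
"""Spot alphabetical name-enumeration scans in BIND 9 query logs.

Assumed logging section that produces the lines parsed below
(an assumption for this example, not the poster's configuration):

    logging {
        channel query_log {
            file "/var/log/named/query.log" versions 5 size 20m;
            severity info;
            print-time yes;
        };
        category queries { query_log; };
    };
"""
import re
from collections import defaultdict

# Assumed BIND 9 query-log line shape. The "(name)" field after the client
# address is optional because older 9.x releases do not print it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) "
    r"(?P<class>\S+) (?P<type>\S+)"
)


def parse(lines):
    """Yield (source address, lowercase query name) for each query line;
    anything that is not a query line (zone transfers, notifies) is skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("name").lower().rstrip(".")


def zone_of(name, depth=2):
    """Crude zone key: the last `depth` labels of the name."""
    labels = name.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else name


def find_scans(lines, min_queries=8, min_sources=3, min_ordered=0.9):
    """Return {zone: stats} for zones whose query stream looks like an A-Z walk.

    A zone is flagged when at least min_queries queries arrive for it,
    from at least min_sources distinct addresses (the open-resolver pool
    case), and at least min_ordered of consecutive query names are in
    non-decreasing lexicographic order. Thresholds are assumptions; tune
    them against your own normal traffic.
    """
    per_zone = defaultdict(list)
    for src, name in parse(lines):
        per_zone[zone_of(name)].append((src, name))

    flagged = {}
    for zone, qs in per_zone.items():
        if len(qs) < min_queries:
            continue
        names = [n for _, n in qs]
        ordered = sum(1 for a, b in zip(names, names[1:]) if a <= b)
        ratio = ordered / (len(names) - 1)
        sources = {s for s, _ in qs}
        if len(sources) >= min_sources and ratio >= min_ordered:
            flagged[zone] = {"queries": len(qs), "sources": len(sources),
                             "ordered_ratio": round(ratio, 2)}
    return flagged


# Constructed sample log: an alphabetical walk of example.com from eight
# different addresses, some ordinary lookups for example.org, and one
# non-query line that the parser must ignore.
SAMPLE_LOG = """\
25-Apr-2005 10:14:49.101 client 198.51.100.11#53: query: aaa.example.com IN A +
25-Apr-2005 10:14:49.233 client 198.51.100.12#53: query: aab.example.com IN A +
25-Apr-2005 10:14:49.310 client 198.51.100.13#53: query: aac.example.com IN A +
25-Apr-2005 10:14:49.402 client 198.51.100.14#53: query: aad.example.com IN A +
25-Apr-2005 10:14:49.519 client 198.51.100.11#53: query: aae.example.com IN A +
25-Apr-2005 10:14:49.604 client 198.51.100.15#53: query: aaf.example.com IN A +
25-Apr-2005 10:14:49.711 client 198.51.100.16#53: query: aag.example.com IN A +
25-Apr-2005 10:14:49.820 client 198.51.100.17#53: query: aah.example.com IN A +
25-Apr-2005 10:14:49.903 client 198.51.100.12#53: query: aai.example.com IN A +
25-Apr-2005 10:14:50.015 client 198.51.100.18#53: query: aaj.example.com IN A +
25-Apr-2005 10:14:50.120 client 192.0.2.5#34211: query: www.example.org IN A +
25-Apr-2005 10:14:50.221 client 192.0.2.5#34212: query: mail.example.org IN MX +
25-Apr-2005 10:14:50.330 client 192.0.2.5#34213: query: ftp.example.org IN A +
25-Apr-2005 10:14:50.441 client 192.0.2.5#34214: query: www.example.org IN AAAA +
25-Apr-2005 10:14:50.500 zone example.com/IN: sending notifies (serial 2005042501)
"""

if __name__ == "__main__":
    for zone, stats in find_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible enumeration of {zone}: {stats}")
```

Run against a live file with find_scans(open("/var/log/named/query.log")) over a rotated or tail'ed window; on a busy authoritative server the ordered_ratio check is what separates a walk from ordinary traffic, since legitimate lookups from many resolvers arrive in no particular order.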