Bind ANY ANY Query Denial of Service

Vinny Abello vinny at tellurian.com
Wed Aug 10 03:39:50 UTC 2005


At 06:50 PM 8/9/2005, srv1054 at gmail.com wrote:
>We are a large national ISP and we have a number of BIND DNS Caching
>servers around the country for our customers.
>
>We've been victims of multiple Denial of Service attacks against our
>BIND DNS servers.  Now normally this isn't an issue because we do not
>allow Recursion for IP's we don't own, as well as we can make use of
>BIND's wonderful ability to blackhole IP #'s.
>
>The problem comes from this.   We have out to our customer base a huge
>number of CPE routers deployed that contain a bug which allows any IP
>to query the CPE router for DNS and it will simply just forward the
>request off to its primary DNS server.  The CPE is not smart, and the
>way it's configured we can not disable the DNS settings, as well as it
>is a massive undertaking to upgrade all the CPE in the field (tens of
>thousands of them) to the latest patch in any reasonable amount of
>time.
>
>The DoS attacks are targeted at our entire IP blocks, and because of
>the above mentioned bug, any of these CPE that happen to get hit will
>forward the DNS request to our caching servers.  So it appears we are
>being attacked by our own customer base.   When this happens we get
>thousands of queries from thousands of our own IP's that are all
>querying for  ANY ANY.
>
>To my knowledge ANY ANY is not a valid query and BIND simply returns a
>list of ROOT servers.
>
>The problem now is that if we blackhole the IP's that this comes from,
>we are blocking our customers from using DNS and it's not even their
>fault.
>
>We've been around a million ways to solve this problem but we need a
>fast way to make BIND not respond to this type of query, until we can
>fix the greater problem which is patching all of the CPE to a version
>that does not allow DNS forwarding from external interfaces.  (ya
>pretty dumb)
>
>The simple solution from our stand point is to have BIND not respond to
>this type of query.  And rather, just ignore the ANY ANY query or
>blackhole it.   I've included a sample from the QUERY logs to show what
>we see when this happens.
>
>Should it even be responding to ANY ANY queries?  That seems invalid,
>maybe this is a bug?
>
>Thousands and thousands of these from thousands of IP's:
>
>Aug  9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client
>209.125.200.66#53: query: . ANY ANY +
>Aug  9 15:58:14 ns1.ord named[27662]: [ID 866145 local5.info] client
>72.20.18.17#6442: query: . ANY ANY +
>Aug  9 15:58:14 ns1.pdx named[27662]: [ID 866145 local5.info] client
>72.20.18.17#6442: query: . ANY ANY +
>Aug  9 15:58:14 ns1.sjc named[27662]: [ID 866145 local5.info] client
>72.20.18.17#6442: query: . ANY ANY +
>
>
>Any help or direction you could provide is much appreciated.

Assuming these attacks are originating outside of your network, can 
you simply block UDP/TCP 53 to your customers' CPEs? This will only 
break their resolution if the query is being sourced from 53, which it 
likely isn't. Just a suggestion...

Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of 
fear" -- Mark Twain
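The two things this thread turns on are (1) picking the ". ANY ANY" queries out of BIND's query log per client and (2) the border rule Vinny suggests, with its caveat about resolvers that source queries from port 53. The following is an added example written for this page; it is not code from either poster. The log lines are constructed in the same format as the ones quoted above (BIND 9 logs `query: <name> <class> <type> <flags>`), the 72.20.0.0/16 customer prefix is a hypothetical stand-in for the ISP's CPE address block, and the outside addresses are RFC 5737 documentation ranges.

```python
"""Added example: count ". ANY ANY" queries per client from BIND query-log
lines, and model the suggested border filter (drop dst port 53 toward the
CPE block) to show what it blocks and what it breaks."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the format BIND 9 writes: "query: <name> <class> <type> <flags>".
# Hostnames, PIDs and client addresses are made up for this example.
SAMPLE_LOG = """\
Aug  9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
Aug  9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
Aug  9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client 72.20.19.3#53: query: . ANY ANY +
Aug  9 16:58:16 ns1.iad named[3718]: [ID 866145 local5.info] client 72.20.20.9#1029: query: www.example.com IN A +
Aug  9 16:58:16 ns1.iad named[3718]: [ID 866145 local5.info] client 72.20.20.9#1029: query: example.com IN ANY +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Hypothetical customer (CPE) address block; assumption for this example.
CPE_PREFIX = ip_network("72.20.0.0/16")


def parse_query(line):
    """Return the client/name/class/type fields of a query-log line, or None."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def is_root_any_any(q):
    """The pattern from the post: QNAME '.', QCLASS ANY, QTYPE ANY."""
    return q["name"] == "." and q["qclass"] == "ANY" and q["qtype"] == "ANY"


def count_root_any_any(log_text):
    """Count '. ANY ANY' queries per client address; other queries are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        q = parse_query(line)
        if q and is_root_any_any(q):
            counts[q["ip"]] += 1
    return counts


def border_filter_drops(src, dst, sport, dport):
    """Model of the suggested border rule: packets entering from outside the
    CPE block and destined to port 53 on a CPE address are dropped.
    Source port is deliberately not consulted, which is what produces the
    caveat below: a reply to a query that was *sourced* from port 53 also
    arrives with dport 53 and is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    return src not in CPE_PREFIX and dst in CPE_PREFIX and dport == 53


if __name__ == "__main__":
    for ip, n in count_root_any_any(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} '. ANY ANY' queries")
    # Attacker's query toward a CPE: dropped (what the rule is for).
    print("attack query dropped:", border_filter_drops("203.0.113.5", "72.20.18.17", 40000, 53))
    # Reply to a customer query sent from an ephemeral port: passes.
    print("normal reply dropped:", border_filter_drops("198.51.100.2", "72.20.20.9", 53, 1029))
    # Reply to a customer resolver that sourced its query from port 53: dropped (the caveat).
    print("port-53-sourced reply dropped:", border_filter_drops("198.51.100.2", "72.20.20.9", 53, 53))
```

The per-client counts are what you would feed a threshold or a temporary ACL, while `border_filter_drops` shows the trade-off in the suggestion: ordinary stub resolvers and CPE forwarders use ephemeral source ports, so their replies are unaffected, but any customer running a resolver that still sources queries from port 53 loses its answers.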
