possible dos on dns attack ??? (tinydns)

Piotrek bombel1 at tenbit.pl
Thu May 12 10:56:20 UTC 2005


Hi everyone,
Lately I have been experiencing huge traffic on my server's NIC. I use Debian,
tinydns and dnscache. There are only 3 domains in my DNS; address 10.0.0.2 is
the address of my firewall. Here is the output from iptraf (just a small part):
Thu May  5 12:21:19 2005; UDP; eth0; 56 bytes; from 10.0.0.2:11803 to
200.130.31.5:domain
Thu May  5 12:21:19 2005; UDP; eth0; 65 bytes; from 10.0.0.2:27725 to
192.36.148.17:domain
Thu May  5 12:21:19 2005; UDP; eth0; 253 bytes; from 192.5.6.30:domain to
10.0.0.2:5178
Thu May  5 12:21:19 2005; ICMP; eth0; 281 bytes; from 10.0.0.2 to
192.5.6.30; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 393 bytes; from 192.42.93.32:domain to
10.0.0.2:56754
Thu May  5 12:21:19 2005; ICMP; eth0; 421 bytes; from 10.0.0.2 to
192.42.93.32; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 68 bytes; from 10.0.0.2:38077 to
128.8.10.90:domain
Thu May  5 12:21:19 2005; UDP; eth0; 79 bytes; from 10.0.0.2:24607 to
217.23.130.99:domain
Thu May  5 12:21:19 2005; UDP; eth0; 66 bytes; from 10.0.0.2:27192 to
198.32.64.12:domain
Thu May  5 12:21:19 2005; UDP; eth0; 368 bytes; from 202.12.27.33:domain to
10.0.0.2:36755
Thu May  5 12:21:19 2005; ICMP; eth0; 396 bytes; from 10.0.0.2 to
202.12.27.33; dest unrch (port)
Thu May  5 12:21:19 2005; TCP; eth0; 48 bytes; from 82.225.15.43:4816 to
10.0.0.2:smtp; first packet (SYN)
Thu May  5 12:21:19 2005; TCP; eth0; 48 bytes; from 10.0.0.2:smtp to
82.225.15.43:4816; first packet (SYN)
Thu May  5 12:21:19 2005; UDP; eth0; 260 bytes; from 200.160.0.10:domain to
10.0.0.2:24490
Thu May  5 12:21:19 2005; ICMP; eth0; 288 bytes; from 10.0.0.2 to
200.160.0.10; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 413 bytes; from 209.204.159.28:domain
to 10.0.0.2:48099
Thu May  5 12:21:19 2005; ICMP; eth0; 441 bytes; from 10.0.0.2 to
209.204.159.28; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 56 bytes; from 10.0.0.2:45747 to
204.152.184.64:domain
Thu May  5 12:21:19 2005; UDP; eth0; 72 bytes; from 10.0.0.2:39949 to
192.228.79.201:domain
Thu May  5 12:21:19 2005; UDP; eth0; 81 bytes; from 10.0.0.2:16640 to
212.227.123.45:domain
Thu May  5 12:21:19 2005; UDP; eth0; 72 bytes; from 10.0.0.2:46050 to
192.228.79.201:domain
Thu May  5 12:21:19 2005; UDP; eth0; 81 bytes; from 10.0.0.2:58434 to
212.227.123.45:domain
Thu May  5 12:21:19 2005; UDP; eth0; 145 bytes; from 128.9.0.107:domain to
10.0.0.2:34557
Thu May  5 12:21:19 2005; ICMP; eth0; 173 bytes; from 10.0.0.2 to
128.9.0.107; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 71 bytes; from 10.0.0.2:34043 to
202.12.29.59:domain
Thu May  5 12:21:19 2005; UDP; eth0; 417 bytes; from 194.158.102.15:domain
to 10.0.0.2:31656
Thu May  5 12:21:19 2005; ICMP; eth0; 445 bytes; from 10.0.0.2 to
194.158.102.15; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 145 bytes; from 193.0.14.129:domain to
10.0.0.2:6787
Thu May  5 12:21:19 2005; ICMP; eth0; 173 bytes; from 10.0.0.2 to
193.0.14.129; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 61 bytes; from 10.0.0.2:64406 to
192.5.6.32:domain
Thu May  5 12:21:19 2005; UDP; eth0; 60 bytes; from 10.0.0.2:8813 to
192.5.6.32:domain
Thu May  5 12:21:19 2005; UDP; eth0; 80 bytes; from 10.0.0.2:34112 to
203.81.36.6:domain
Thu May  5 12:21:19 2005; UDP; eth0; 56 bytes; from 10.0.0.2:49414 to
198.41.0.4:domain
Thu May  5 12:21:19 2005; UDP; eth0; 71 bytes; from 10.0.0.2:14511 to
69.25.34.195:domain
Thu May  5 12:21:19 2005; UDP; eth0; 540 bytes; from 192.36.148.17:domain to
10.0.0.2:34330
Thu May  5 12:21:19 2005; ICMP; eth0; 568 bytes; from 10.0.0.2 to
192.36.148.17; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 181 bytes; from 192.134.0.49:domain to
10.0.0.2:14195
Thu May  5 12:21:19 2005; ICMP; eth0; 209 bytes; from 10.0.0.2 to
192.134.0.49; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 415 bytes; from 213.178.208.246:domain
to 10.0.0.2:32310
Thu May  5 12:21:19 2005; ICMP; eth0; 443 bytes; from 10.0.0.2 to
213.178.208.246; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 393 bytes; from 192.5.6.32:domain to
10.0.0.2:21773
Thu May  5 12:21:19 2005; ICMP; eth0; 421 bytes; from 10.0.0.2 to
192.5.6.32; dest unrch (port)

Thanks in advance for any help.
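
To put numbers on an excerpt like the one above, this added example (not part of the original post) tallies, per remote server, DNS queries sent from 10.0.0.2, replies received, and replies answered with ICMP port-unreachable. The function names and the sample lines are constructed for illustration; entries wrapped by a mail client are rejoined before parsing.

```python
import re
from collections import Counter

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ [\d:]{8} \d{4};")
ENTRY = re.compile(
    r"^.+?; (?P<proto>UDP|ICMP|TCP); \S+; \d+ bytes; "
    r"from (?P<src>\S+) to (?P<dst>[^;\s]+)(?:; (?P<note>.*))?$")

# Constructed sample in the post's iptraf format; remote addresses are
# documentation ranges, and the second entry is wrapped as a mail client would.
SAMPLE = """\
Thu May  5 12:21:19 2005; UDP; eth0; 56 bytes; from 10.0.0.2:11803 to 192.0.2.5:domain
Thu May  5 12:21:19 2005; UDP; eth0; 253 bytes; from 198.51.100.30:domain to
10.0.0.2:5178
Thu May  5 12:21:19 2005; ICMP; eth0; 281 bytes; from 10.0.0.2 to 198.51.100.30; dest unrch (port)
Thu May  5 12:21:19 2005; UDP; eth0; 120 bytes; from 192.0.2.5:domain to 10.0.0.2:11803
Thu May  5 12:21:19 2005; TCP; eth0; 48 bytes; from 203.0.113.43:4816 to 10.0.0.2:smtp; first packet (SYN)
"""

def unwrap(text):
    """Rejoin entries split across lines: a line that does not begin with a
    timestamp continues the previous entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarise(text, local="10.0.0.2"):
    """Count DNS queries sent, DNS replies received, and replies the local
    host refused with ICMP port-unreachable, keyed by remote server."""
    queries, replies, refused = Counter(), Counter(), Counter()
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        src, dst = m["src"].rsplit(":", 1), m["dst"].rsplit(":", 1)
        if m["proto"] == "UDP" and src[0] == local and dst[-1] == "domain":
            queries[dst[0]] += 1
        elif m["proto"] == "UDP" and dst[0] == local and src[-1] == "domain":
            replies[src[0]] += 1
        elif m["proto"] == "ICMP" and src[0] == local and "unrch (port)" in (m["note"] or ""):
            refused[dst[0]] += 1
    never_queried = sorted(s for s in refused if s not in queries)
    return {"queries": queries, "replies": replies, "refused": refused,
            "refused_never_queried": never_queried}
```

Run over a longer capture, the `refused_never_queried` list shows which servers had replies refused without any logged query to them in the same window.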
