denial of service attack 9.2.1

beaker abuse at loopback.localhost
Fri Oct 28 17:00:01 UTC 2005


Hi,

We've been hit by a denial of service attack that was targeting our DNS 
server running BIND 9.2.1.  Once I stopped the named service, we got our 
bandwidth back.  I've since upgraded it to 9.2.5.  The log files have been 
filling up quickly with these error messages since upgrading to 9.2.5, but we 
are no longer having bandwidth issues.  I've contacted the abuse departments 
of the ISPs that have been flooding us with DNS requests and they are aware 
of an issue at their end.  Since then, the attacks have stopped.

Here's a SMALL snapshot from our log files:


Error messages from 9.2.1:
Oct 23 20:28:19 ottfw named[497]: client 66.252.3.6#139: error sending response: host unreachable
Oct 23 20:28:19 ottfw named[497]: client 66.252.3.6#139: error sending response: host unreachable
Oct 23 20:28:19 ottfw named[497]: client 66.252.3.6#139: error sending response: host unreachable
Oct 23 20:28:19 ottfw named[497]: client 66.252.3.6#139: error sending response: host unreachable
Oct 23 20:28:24 ottfw named[497]: client 66.252.3.6#138: error sending response: host unreachable
Oct 23 20:28:24 ottfw named[497]: client 66.252.3.6#138: error sending response: host unreachable
Oct 23 20:28:24 ottfw named[497]: client 66.252.3.6#138: error sending response: host unreachable
Oct 23 20:28:24 ottfw named[497]: client 66.252.3.6#138: error sending response: host unreachable
Oct 23 20:28:43 ottfw named[497]: client 66.252.3.6#139: error sending response: host unreachable
Oct 23 20:28:43 ottfw named[497]: client 66.252.3.6#139: error sending response: host unreachable
Oct 23 20:32:18 ottfw named[497]: client 66.252.3.6#445: error sending response: host unreachable
Oct 23 20:32:18 ottfw named[497]: client 66.252.3.6#445: error sending response: host unreachable
Oct 23 20:32:18 ottfw named[497]: client 66.252.3.6#445: error sending response: host unreachable
Oct 23 20:32:18 ottfw named[497]: client 66.252.3.6#445: error sending response: host unreachable
Oct 23 20:32:21 ottfw named[497]: client 66.252.3.6#135: error sending response: host unreachable
Oct 23 20:32:21 ottfw named[497]: client 66.252.3.6#135: error sending response: host unreachable
Oct 23 20:32:21 ottfw named[497]: client 66.252.3.6#135: error sending response: host unreachable
Oct 23 20:32:21 ottfw named[497]: client 66.252.3.6#135: error sending response: host unreachable
Oct 23 20:35:23 ottfw named[497]: client 64.125.30.206#139: error sending response: host unreachable
Oct 23 20:35:23 ottfw named[497]: client 64.125.30.206#139: error sending response: host unreachable
Oct 23 20:35:23 ottfw named[497]: client 64.125.30.206#139: error sending response: host unreachable
Oct 23 20:35:23 ottfw named[497]: client 64.125.30.206#139: error sending response: host unreachable
Oct 23 20:35:52 ottfw named[497]: client 64.125.30.206#139: error sending response: host unreachable
Oct 23 20:35:52 ottfw named[497]: client 64.125.30.206#139: error sending response: host unreachable

Our firewall is configured to deny outbound traffic to the public internet on 
the destination ports listed above (Windows 135, 139, 445, etc.).


Error messages from 9.2.5 (tens of thousands of similar log entries here):
Oct 24 20:08:30 ottfw named[22221]: client 193.87.64.155#32559: query (cache) denied
Oct 24 20:08:30 ottfw named[22221]: client 193.87.64.155#23884: query (cache) denied
Oct 24 20:08:30 ottfw named[22221]: client 193.87.64.155#19265: query (cache) denied
Oct 24 20:08:31 ottfw named[22221]: client 193.87.64.155#27131: query (cache) denied
Oct 24 20:08:31 ottfw named[22221]: client 193.87.64.155#25037: query (cache) denied
Oct 24 20:08:31 ottfw named[22221]: client 193.87.64.155#2927: query (cache) denied
Oct 24 20:08:32 ottfw named[22221]: client 193.87.64.155#15753: query (cache) denied
Oct 24 20:08:32 ottfw named[22221]: client 193.87.64.155#27989: query (cache) denied
Oct 24 20:08:32 ottfw named[22221]: client 193.87.64.155#27763: query (cache) denied
Oct 24 20:08:33 ottfw named[22221]: client 193.87.64.155#6994: query (cache) denied
Oct 24 20:08:33 ottfw named[22221]: client 193.87.64.155#13240: query (cache) denied
Oct 24 20:08:33 ottfw named[22221]: client 193.87.64.155#4633: query (cache) denied

Looks like the hackers are trying to use the DNS server to spoof various 
ports.

Some TCPDUMP packet captures:

17:17:19.841260 69.31.198.253.60001 > 216.218.45.11.domain: 10367 [1au] PTR? 205.212.160.69.in-addr.arpa. (56)
4500 0054 ca60 0000 2a11 b436 451f c6fd
d8da 2d0b ea61 0035 0040 a1b4 287f 0000
0001 0000 0000 0001 0332 3035 0332 3132
0331 3630 0236 3907 696e 2d61 6464 7204
6172 7061 0000 0c00 0100 0029 1000 0000
0000
17:17:20.006312 69.31.198.253.60001 > 216.218.45.11.domain: 1892 [1au] A? henna.ARIN.net. OPT UDPsize=4096 (43)
4500 0047 ca62 0000 2a11 b441 451f c6fd
d8da 2d0b ea61 0035 0033 724b 0764 0000
0001 0000 0000 0001 0568 656e 6e61 0441
5249 4e03 6e65 7400 0001 0001 0000 2910
0000 0000 0000 00
17:17:24.997960 69.31.198.253.60001 > 216.218.45.11.domain: 14683 [1au] A? 69-160-212-205.clvdoh.adelphia.net. (63)
4500 005b ca65 0000 2a11 b42a 451f c6fd
d8da 2d0b ea61 0035 0047 5db9 395b 0000
0001 0000 0000 0001 0e36 392d 3136 302d
3231 322d 3230 3506 636c 7664 6f68 0861
6465 6c70 6869 6103 6e65 7400 0001 0001
0000
17:17:30.776928 69.31.198.253.60001 > 216.218.45.11.domain: 59873 [1au] AAAA? 247london.co.uk. OPT UDPsize=4096 (44)
4500 0048 ca6d 0000 2a11 b435 451f c6fd
d8da 2d0b ea61 0035 0034 7d63 e9e1 0000
0001 0000 0000 0001 0932 3437 6c6f 6e64
6f6e 0263 6f02 756b 0000 1c00 0100 0029
1000 0000 0000 0000

216.218.45.11 is the IP address that is being hit by these requests.

Has anyone else experienced this?  The attacks are targeting one of three 
firewalls.

Alex 
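A note on the two log samples above, with an added example that is not part of the original post. In the 9.2.1 lines, the "client" port is the source port of the incoming query, so named is trying to send answers to ports 135, 138, 139 and 445. Resolvers send queries from ephemeral ports (or, historically, from 53); nothing listening on the Windows RPC, NetBIOS or SMB ports originates DNS queries, so the source address and port were almost certainly forged and the server was being used to reflect answers at those hosts. The 9.2.5 "query (cache) denied" lines show the same kind of client being refused recursion. The script below is my own triage logic run over the lines quoted in the post (rejoined onto single lines), plus one constructed benign entry from the RFC 5737 documentation range. The function names, the `SERVICE_PORTS` set and the default burst threshold are my choices, not anything from BIND.

```python
"""Triage named log lines for two signs of being used as a DNS reflector.

Indicator 1: a response addressed to a client "port" that no DNS client
would send a query from (Windows service ports, or anything privileged
other than 53). The source address was spoofed; the real target is the
host behind that address.

Indicator 2: bursts of "query (cache) denied" from a single address, i.e.
a client hammering the server with recursive queries it may not make.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): (?P<msg>.*)$"
)

# Ports a legitimate DNS client never queries from (my own list, not from BIND).
SERVICE_PORTS = {135, 137, 138, 139, 445}


def parse(lines):
    """Yield one dict per line that matches the named client-message format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            yield entry


def reflection_targets(lines):
    """Map client IP -> sorted suspicious ports seen on 'error sending response' lines."""
    hits = defaultdict(set)
    for e in parse(lines):
        if not e["msg"].startswith("error sending response"):
            continue
        p = e["port"]
        if p in SERVICE_PORTS or (p < 1024 and p != 53):
            hits[e["ip"]].add(p)
    return {ip: sorted(ports) for ip, ports in hits.items()}


def denied_query_bursts(lines, per_second=3):
    """Map client IP -> peak 'query (cache) denied' count in any one second,
    keeping only clients that reach the per_second threshold."""
    per_sec = Counter()
    for e in parse(lines):
        if e["msg"] == "query (cache) denied":
            per_sec[(e["ip"], e["ts"])] += 1
    peak = defaultdict(int)
    for (ip, _ts), n in per_sec.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= per_second}


# Lines quoted from the post (wrapped lines rejoined), plus one constructed
# benign entry (192.0.2.10, RFC 5737 documentation address) to show what is
# not flagged.
SAMPLE_LOG = """\
Oct 23 20:28:19 ottfw named[497]: client 66.252.3.6#139: error sending response: host unreachable
Oct 23 20:28:24 ottfw named[497]: client 66.252.3.6#138: error sending response: host unreachable
Oct 23 20:32:18 ottfw named[497]: client 66.252.3.6#445: error sending response: host unreachable
Oct 23 20:32:21 ottfw named[497]: client 66.252.3.6#135: error sending response: host unreachable
Oct 23 20:35:23 ottfw named[497]: client 64.125.30.206#139: error sending response: host unreachable
Oct 24 20:08:30 ottfw named[22221]: client 193.87.64.155#32559: query (cache) denied
Oct 24 20:08:30 ottfw named[22221]: client 193.87.64.155#23884: query (cache) denied
Oct 24 20:08:30 ottfw named[22221]: client 193.87.64.155#19265: query (cache) denied
Oct 24 20:08:31 ottfw named[22221]: client 193.87.64.155#27131: query (cache) denied
Oct 24 20:08:31 ottfw named[22221]: client 193.87.64.155#25037: query (cache) denied
Oct 24 20:08:31 ottfw named[22221]: client 193.87.64.155#2927: query (cache) denied
Oct 24 20:08:32 ottfw named[22221]: client 193.87.64.155#15753: query (cache) denied
Oct 24 20:08:32 ottfw named[22221]: client 193.87.64.155#27989: query (cache) denied
Oct 24 20:08:32 ottfw named[22221]: client 193.87.64.155#27763: query (cache) denied
Oct 24 20:08:33 ottfw named[22221]: client 193.87.64.155#6994: query (cache) denied
Oct 24 20:08:33 ottfw named[22221]: client 193.87.64.155#13240: query (cache) denied
Oct 24 20:08:33 ottfw named[22221]: client 193.87.64.155#4633: query (cache) denied
Oct 24 20:08:40 ottfw named[22221]: client 192.0.2.10#40123: error sending response: host unreachable
""".splitlines()

if __name__ == "__main__":
    print("reflection targets:", reflection_targets(SAMPLE_LOG))
    print("denied-query bursts:", denied_query_bursts(SAMPLE_LOG))
```

On the sample, 66.252.3.6 is flagged with ports 135, 138, 139 and 445, 64.125.30.206 with 139, and 193.87.64.155 peaks at three denied queries per second; the constructed 192.0.2.10 entry from an ephemeral port is ignored. The threshold of three is only sensible for this tiny sample; against a real log you would raise it and feed the output to whatever blocks or rate-limits the spoofed addresses upstream of named.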


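The tcpdump hex dumps in the post carry the whole IPv4/UDP/DNS packet, so they can be decoded offline to confirm what tcpdump's one-line summaries say. The decoder below is an added example of mine, not code from the post or from BIND or tcpdump; the constant names (`DUMP_PTR` and so on) are my labels for the four dumps quoted above. It recovers the addresses and ports, the transaction ID, the RD bit (clear in all four, which is why tcpdump prints no `+`), the question, and the EDNS0 UDP payload size advertised in the OPT record, and it verifies the IPv4 header checksum as a check that the hex survived mail transit intact. One caveat it handles: the first and third dumps stop at 82 bytes although their IP headers say 84 and 91. My inference is that 82 bytes plus a 14-byte Ethernet header is 96, the default tcpdump snaplen of that era, so the tail of the OPT record was never captured; the decoder reports this as truncation instead of failing.

```python
"""Decode tcpdump -x hex dumps of IPv4/UDP DNS queries."""
import socket
import struct

QTYPES = {1: "A", 12: "PTR", 28: "AAAA", 41: "OPT"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the whitespace-separated hex groups of a tcpdump -x dump."""
    return bytes.fromhex("".join(dump.split()))


def ip_checksum_ok(header: bytes) -> bool:
    """Ones'-complement sum over the IPv4 header (checksum included) must be 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def read_name(data: bytes, off: int):
    """Read an uncompressed domain name at off; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("name runs past end of captured data")
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", off


def decode_query(dump: str) -> dict:
    """Return the fields a responder acts on, plus capture-integrity checks."""
    pkt = hexdump_to_bytes(dump)
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    sport, dport, _udp_len, _udp_cksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    dns = pkt[ihl + 8:]
    txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    off += 4
    edns_udp_size = None
    if arcount and off < len(dns):
        # An EDNS0 query's additional section is one OPT pseudo-RR (type 41)
        # whose CLASS field carries the requester's UDP payload size.
        _root, rr_off = read_name(dns, off)
        if rr_off + 4 <= len(dns):
            rrtype, rrclass = struct.unpack("!HH", dns[rr_off:rr_off + 4])
            if rrtype == 41:
                edns_udp_size = rrclass
    return {
        "src": socket.inet_ntoa(src), "sport": sport,
        "dst": socket.inet_ntoa(dst), "dport": dport,
        "ttl": ttl, "txid": txid,
        "rd": bool(flags & 0x0100),
        "qname": qname, "qtype": QTYPES.get(qtype, "TYPE%d" % qtype),
        "edns_udp_size": edns_udp_size,
        "ip_total_len": total_len, "captured": len(pkt),
        "truncated": len(pkt) < total_len,
        "ip_checksum_ok": ip_checksum_ok(pkt[:ihl]),
    }


# The four dumps quoted in the post, verbatim.
DUMP_PTR = """4500 0054 ca60 0000 2a11 b436 451f c6fd d8da 2d0b ea61 0035 0040 a1b4 287f 0000
0001 0000 0000 0001 0332 3035 0332 3132 0331 3630 0236 3907 696e 2d61 6464 7204
6172 7061 0000 0c00 0100 0029 1000 0000 0000"""
DUMP_A_ARIN = """4500 0047 ca62 0000 2a11 b441 451f c6fd d8da 2d0b ea61 0035 0033 724b 0764 0000
0001 0000 0000 0001 0568 656e 6e61 0441 5249 4e03 6e65 7400 0001 0001 0000 2910
0000 0000 0000 00"""
DUMP_A_ADELPHIA = """4500 005b ca65 0000 2a11 b42a 451f c6fd d8da 2d0b ea61 0035 0047 5db9 395b 0000
0001 0000 0000 0001 0e36 392d 3136 302d 3231 322d 3230 3506 636c 7664 6f68 0861
6465 6c70 6869 6103 6e65 7400 0001 0001 0000"""
DUMP_AAAA = """4500 0048 ca6d 0000 2a11 b435 451f c6fd d8da 2d0b ea61 0035 0034 7d63 e9e1 0000
0001 0000 0000 0001 0932 3437 6c6f 6e64 6f6e 0263 6f02 756b 0000 1c00 0100 0029
1000 0000 0000 0000"""

if __name__ == "__main__":
    for d in (DUMP_PTR, DUMP_A_ARIN, DUMP_A_ADELPHIA, DUMP_AAAA):
        print(decode_query(d))
```

All four decode to 69.31.198.253 port 60001 querying 216.218.45.11 port 53 with the transaction IDs, names and types tcpdump printed, the IPv4 header checksums verify, and the two complete dumps show an EDNS0 buffer of 4096 bytes. That advertised buffer is what tells the responder how large a UDP answer it may return, which is the figure that matters when a server is being used to reflect traffic at a forged source address; the two truncated dumps lose that field, so a capture meant for this kind of analysis should be taken with a larger snaplen.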

