Possible DOS Attack, but not sure.

Martin McCormick martin at dc.cis.okstate.edu
Wed Aug 2 14:08:32 UTC 2006


	We have been running Bind9.3.1 with the usual great
results and had a very strange thing happen to both our master
and slave DNS's last night.

	We must have recursion on in our environment, but we do
not allow third-party recursion.

	Last night, we suddenly began receiving reports of
sporadic DNS performance and discovered that we were maxed out on
recursive clients as in 1000/1000.  This normally only happens
when we lose access to any root name servers but this time, all
but 2 root DNS's were accessible.

	The only unusual messages in named.log were the "no more
recursive clients" messages which poured out by the millions for
about 3 hours.

	The security log never showed anything but the usual
Microsoft hackfest of systems trying to update okstate.edu.

	We did detect packets from 2 addresses that were hitting
both the platforms at about 1,000 packets per second, but they
didn't show up in the logs as players in the mayhem.

	After killing those two addresses in the firewall, I
killed and restarted both servers and life returned to normal.

	In the past when we had this condition due to a broken
Internet connection, the problem resolved itself immediately when
connectivity returned.  This time, something was keeping it going
and we couldn't tell directly what was happening.

	I did see one strange message during that time in
named.log:

01-Aug-2006 23:18:17.924 dispatch 0x8cc7800: shutting down
due to TCP receive error: 64.12.51.132#53: connection reset

	There were only 4 of those out of several million lines
of mostly recursive client complaints.

	We also log any time an outsider tries to query for
another outsider.  There is normally a lot of that for some
reason, but the mix of addresses is all over the map so it didn't
look like one system was trying to generate lots of activity
although it might have been internal to our network and we
wouldn't have seen it.

	We can routinely serve over a million queries per hour so
query logging is normally off. Does this sound like anything that
is familiar to anybody?  Thanks for any information.

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Network Operations Group
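As an added example (not part of the original post), a small Python checker for the two named.log signatures the post mentions: it counts "no more recursive clients" messages per minute so a sustained storm stands out, and pulls the peer address out of dispatch TCP receive errors for correlation with firewall or flow records. The sample log lines are constructed, and the message layout is assumed to match what BIND 9.3 writes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample named.log excerpt in BIND 9.3's timestamp style. The two
# message kinds are the ones the post quotes; client addresses are made up.
SAMPLE_LOG = """\
01-Aug-2006 23:18:15.001 client 10.0.0.5#3321: no more recursive clients: quota reached
01-Aug-2006 23:18:15.030 client 10.0.0.6#3322: no more recursive clients: quota reached
01-Aug-2006 23:18:16.410 client 10.0.0.7#3323: no more recursive clients: quota reached
01-Aug-2006 23:18:17.924 dispatch 0x8cc7800: shutting down due to TCP receive error: 64.12.51.132#53: connection reset
01-Aug-2006 23:18:18.002 client 10.0.0.8#3324: no more recursive clients: quota reached
01-Aug-2006 23:18:59.999 client 10.0.0.9#3325: no more recursive clients: quota reached
01-Aug-2006 23:19:01.100 client 10.0.0.5#3326: no more recursive clients: quota reached
"""

LINE_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) (.*)$")
TCP_ERR_RE = re.compile(r"TCP receive error: (\d+\.\d+\.\d+\.\d+)#\d+")


def parse_line(line):
    """Split a named.log line into (timestamp, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f"), m.group(2)


def quota_storm_minutes(log_text, threshold):
    """(minute, count) pairs, in time order, for minutes in which the
    'no more recursive clients' quota message fired >= threshold times."""
    per_minute = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and "no more recursive clients" in parsed[1]:
            per_minute[parsed[0].strftime("%Y-%m-%d %H:%M")] += 1
    return [(m, n) for m, n in sorted(per_minute.items()) if n >= threshold]


def tcp_receive_errors(log_text):
    """Peer addresses from dispatch TCP receive errors, in order of appearance;
    these are the ones to correlate with firewall or flow records."""
    peers = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        m = TCP_ERR_RE.search(parsed[1]) if parsed else None
        if m:
            peers.append(m.group(1))
    return peers
```

On a real log, feed the file contents to `quota_storm_minutes` with a threshold well above the server's normal background rate of quota messages; a run of consecutive flagged minutes is the exhaustion pattern, and the empty or non-empty result of `tcp_receive_errors` tells you whether any upstream peer was resetting TCP sessions during it.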