Botnet Malware issue on bind BIND 9.7.1-P2

jagan padhi jagan.padhi at gmail.com
Mon Dec 5 17:16:19 UTC 2011


Yes Michael,

First of all, I would like to know what all these .ws domains are. Due to these
junk domain queries, the load on the CDNS servers is getting very high.

Yes, there is a limit set on my CDNS server; however, out of every 100 queries,
60 are for these junk domains.

I am running BIND 9.7.1-P2, and all of my servers have been affected by the
same problem for the last week.

What could be the reason, and what is the workaround/permanent solution for the same?

Thanks for your response.

Regards,
Jagan

On Mon, Dec 5, 2011 at 10:24 PM, Michael Graff <mgraff at isc.org> wrote:

> I see many valid IP addresses in your list.  But that said, are the
> responses going back "large" individually, or is it the number of them that
> is "large"?
>
> If you think this is attempting to crash the server with a single large
> answer, that's different than if your server is getting a lot of queries
> from others, where the number of them is large.
>
> Is your server crashing due to these queries?
>
> Are these clients ones you intend to provide service to?  If not, can you
> limit access to your server to only those clients you intend to provide
> service for?
>
> --Michael
>
>
> On Dec 5, 2011, at 10:42 AM, jagan padhi wrote:
>
>> Hi,
>>
>> There are huge numbers of requests coming from valid IPs for .ws domains
>> which do not exist, and this causes the server performance to degrade.
>>
>> Thanks,
>> Jagan
>>
>> On Fri, May 27, 2011 at 6:56 PM, Larissa Shapiro <larissas at isc.org> wrote:
>>
>>> Change: BIND 9.4-ESV-R4-P1  is now available.
>>>
>>> Title: Large RRSIG RRsets and Negative Caching can crash named.
>>>
>>> Summary: A BIND 9 DNS server set up to be a caching resolver is
>>> vulnerable to a user querying a domain with very large resource record
>>> sets (RRSets) when trying to negatively cache a response. This can cause
>>> the BIND 9 DNS server (named process) to crash.
>>>
>>> Document ID: CVE-2011-1910
>>>
>>> Posting date: 26 May 2011
>>>
>>> Program Impacted: BIND
>>>
>>> Versions affected: 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3,
>>> 9.7.1 and later, 9.8.0 and later
>>>
>>> Severity: High
>>>
>>> Exploitable: Remotely
>>>
>>> CVSS Score: Base 7.8
>>>
>>> (AV:N/AC:L/Au:N/C:N/I:N/A:C)
>>>
>>> For more information on the Common Vulnerability Scoring System and to
>>> obtain your specific environmental score please visit:
>>> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
>>>
>>> Description:
>>>
>>> DNS systems use negative caching to improve DNS response time. This will
>>> keep a DNS resolver from repeatedly looking up domains that do not
>>> exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the
>>> negative cache.
>>>
>>> The authority data will be cached along with the negative cache
>>> information. These authoritative “Start of Authority” (SOA) and
>>> NSEC/NSEC3 records prove the nonexistence of the requested name/type. In
>>> DNSSEC, all of these records are signed; this adds one additional RRSIG
>>> record, per DNSSEC key, for each record returned in the authority
>>> section of the response.
>>>
>>> In this vulnerability, very large RRSIG RRsets included in a negative
>>> cache can trigger an assertion failure that will crash named (BIND 9
>>> DNS) due to an off-by-one error in a buffer size check.
>>>
>>> The nature of this vulnerability would allow remote exploit. An attacker
>>> can set up a DNSSEC-signed authoritative DNS server with large RRSIG
>>> RRsets to act as the trigger. The attacker would then find ways to query
>>> an organization’s caching resolvers, using the negative caches to
>>> “trigger” the vulnerability. The attacker would require access to an
>>> organization’s caching resolvers. Access to the resolvers can be direct
>>> (open resolvers), through malware (using a BOTNET to query negative
>>> caches), or through driving DNS resolution (a SPAM run that has a domain
>>> in the E-mail that will cause the client to look up a negative cache).
>>>
>>> Workarounds: Restricting access to the DNS caching resolver
>>> infrastructure will provide partial mitigation. Active exploitation can
>>> be accomplished through malware or SPAM/Malvertizing actions that will
>>> force authorized clients to look up domains that would trigger this
>>> vulnerability.
>>>
>>> Solution:
>>>
>>> Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2
>>>
>>> ftp://ftp.isc.org/isc/bind9/9.8.0-P2
>>> ftp://ftp.isc.org/isc/bind9/9.7.3-P1
>>> ftp://ftp.isc.org/isc/bind9/9.6-ESV-R4-P1
>>> ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4-P1
>>>
>>> Exploit Status: High. This issue has caused unintentional outages.
>>>
>>> US CERT is tracking this issue with INC000000152411.
>>>
>>> Credits:
>>>
>>> Thanks to Frank Kloeker and Michael Sinatra for getting the details of
>>> this issue to the DNS Operations community, and to Michael Sinatra, Team
>>> Cymru, and other community members for testing.
>>>
>>> Revision History: Added the 9.4-ESV-R4-P1 download. 2011-May-27
>>>
>>> Questions regarding this advisory should go to security-officer at isc.org.
>>> Questions on ISC's Support services or other offerings should be sent to
>>> sales at isc.org. More information on ISC's support and other offerings is
>>> available at: http://www.isc.org/community/blog/201102/BIND-support
>>>
>>> --
>>> Larissa Shapiro
>>> Internet Systems Consortium Product Manager
>>> Technology Leadership for the Common Good
>>> +1 650 423 1335
>>> www.isc.org
>>>
>>>
>>> _______________________________________________
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
>>
>
>
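As an added illustration (not code from the thread or from ISC), the script below parses tcpdump lines in the shape Jagan quoted, flags vowel-poor labels directly under .ws as likely machine-generated, and counts them per client, which is the input an operator needs to decide which clients to exclude from recursion as Michael suggests. The sample lines and the 192.0.2.0/24 client addresses are constructed, and the vowel-ratio heuristic is an assumption of this example, not a BIND feature.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump shape quoted in the thread (RFC 5737 client addresses).
SAMPLE = """\
14:24:41.223958 IP 192.0.2.10.17125 > 198.51.100.40.domain:  64+ A? mlvabdz.ws. (28)
14:24:41.300652 IP 192.0.2.11.44111 > 198.51.100.40.domain:  47143 [1au] A? xoguzsdl.ws. (40)
14:24:41.338215 IP 192.0.2.10.fpitp > 198.51.100.40.domain:  20686+ A? ppckbydtbr.ws. (31)
14:24:42.673250 IP 192.0.2.12.55838 > 198.51.100.40.domain:  49878+ AAAA? www.cbox.ws. (29)
14:24:42.884638 IP 192.0.2.12.28259 > 198.51.100.40.domain:  63377+ A? www.funny-games.ws. (36)
14:24:43.000000 IP 192.0.2.12.28260 > 198.51.100.40.domain:  63378+ A? www.isc.org. (29)
"""

# "<time> IP <src>.<port> > <dst>.domain: <id>[+] [1au] <type>? <qname>. (<len>)"
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\S+ > "
    r"\d+\.\d+\.\d+\.\d+\.domain:\s+\d+\+?\s*(?:\[1au\]\s*)?"
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)

def parse(line):
    """Return (client, qtype, qname) for one query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return None if not m else (m.group("src"), m.group("qtype"), m.group("qname").lower())

def looks_random(label):
    """Heuristic (an assumption, not a BIND feature): 5+ chars and at most 25% vowels."""
    if len(label) < 5:
        return False
    return sum(ch in "aeiou" for ch in label) / len(label) <= 0.25

def summarize(lines, suffix=".ws"):
    """Return (queries parsed, Counter of junk queries per client, set of junk names)."""
    per_client, junk_names, total = Counter(), set(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # response line, truncated line, or other noise
        client, _qtype, qname = rec
        total += 1
        if qname.endswith(suffix):
            sld = qname[: -len(suffix)].split(".")[-1]  # label directly under the TLD
            if looks_random(sld):
                per_client[client] += 1
                junk_names.add(qname)
    return total, per_client, junk_names

if __name__ == "__main__":
    total, per_client, _ = summarize(SAMPLE.splitlines())
    print(f"{sum(per_client.values())} of {total} queries look like junk .ws lookups:", dict(per_client))
```

On a real capture, feed `tcpdump -n -l port 53` output through `summarize`; clients that dominate the junk count are the ones to review against the resolver's allow-recursion ACL.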