outgoing-traffic

Ejaz mejaz at cyberia.net.sa
Wed Jul 27 13:44:52 UTC 2016


I really appreciate your sparing such a long time to trace out the problem and sending such a detailed email.

Is there any other security measure at the DNS level to control such attacks, instead of blocking the IP either from my Linux machine or from my network side?

For example, if someone is sending an ANY request, by default it should be denied when users request it.


Ejaz 

-----Original Message-----
From: S Carr [mailto:sjcarr at gmail.com] 
Sent: Wednesday, July 27, 2016 4:19 PM
To: Ejaz <mejaz at cyberia.net.sa>
Cc: bind-users <bind-users at lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 13:33, Ejaz <mejaz at cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, Find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for cpsc.gov.

No responses I can see are going from port 0; they are coming in on 53 and BIND is responding on a random high port.

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for reverse lookups and .99 shows that it is supposedly the system mail.electro.com.sa (though the forward lookup does not map to the same as the reverse).

It also looks like you are providing a recursive DNS service for these IP addresses, in frame 118047 you respond to the client with an NXDOMAIN response as the query they asked has a random "\r" on it. Are you meant to be providing recursive DNS for these clients? The random "\r" looks to me like something has been scripted (albeit poorly) to run against your systems.

As this is probably one of your customers, have you tried contacting them to find out why their systems are sending all of these requests? It could be a simple misconfiguration, or they could have been affected by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another layer of filtering and block the requests locally, or ask your network team to block those IPs, then wait for the customer to shout.


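Worked example (added to this thread, not code from either poster or from BIND): a small Python model of the three filtering policies that answer Ejaz's question, run over hand-constructed query packets rather than the real capture. It refuses QTYPE=ANY outright, honours recursion-desired queries only from an allow-list (the same job as `allow-recursion { ... };` in named.conf), and flags qnames carrying control characters like the trailing "\r" S Carr noticed. The 212.118.122.0/24 range is the one named in the thread; the outside address 198.51.100.7 is an invented contrast case.

```python
"""Classify raw DNS query payloads the way a packet filter in front of BIND would.

Constructed example for the bind-users thread above; not BIND code and not
something the original posters ran. Sample packets are built by hand below.
"""
import ipaddress
import struct

QTYPE_ANY = 255
QCLASS_IN = 1

# Networks allowed to use the recursive service (assumption: the customer
# /24 from the thread is the only one).
RECURSION_ALLOWED = [ipaddress.ip_network("212.118.122.0/24")]


def build_query(qname: str, qtype: int, rd: bool = True, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.
    Labels split on "." so a stray "\r" stays inside the last label, the same
    shape as the malformed queries described in the thread."""
    flags = 0x0100 if rd else 0x0000          # RD bit only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("latin-1")
                      for lab in qname.rstrip(".").split("."))
    # Question ends with: 0x00 terminator, QTYPE, QCLASS. For IN ANY that is
    # the byte run 00 00ff 0001 that iptables string-match rules key on.
    return header + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(pkt: bytes):
    """Return (qname, qtype, qclass, rd) for a one-question query, else None."""
    if len(pkt) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1 or flags & 0x8000:        # QR set means it is a response
        return None
    rd = bool(flags & 0x0100)
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            return None                       # truncated name
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                          # compression pointer in a question: bogus
            return None
        labels.append(pkt[pos:pos + n].decode("latin-1"))
        pos += n
    if pos + 4 > len(pkt):
        return None
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype, qclass, rd


def classify(src_ip: str, pkt: bytes) -> str:
    """Policy decision for one query: 'drop', 'refuse', 'flag' or 'allow'."""
    q = parse_question(pkt)
    if q is None:
        return "drop"                         # malformed: not worth a REFUSED
    qname, qtype, _qclass, rd = q
    if qtype == QTYPE_ANY:
        return "refuse"                       # ANY denied by default, as asked
    src = ipaddress.ip_address(src_ip)
    if rd and not any(src in net for net in RECURSION_ALLOWED):
        return "refuse"                       # no recursion for strangers
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in qname):
        return "flag"                         # answer, but log the scripted junk
    return "allow"


if __name__ == "__main__":
    for src, pkt in [("212.118.122.99", build_query("cpsc.gov", QTYPE_ANY)),
                     ("212.118.122.99", build_query("cpsc.gov\r", 1)),
                     ("198.51.100.7", build_query("cpsc.gov", 1))]:
        print(src, parse_question(pkt), "->", classify(src, pkt))
```

Where this maps onto real knobs: BIND itself has no per-QTYPE deny, so for ANY the in-daemon options are `minimal-any yes;` (BIND 9.11 and later, which answers UDP ANY with one RRset instead of everything) and `rate-limit { responses-per-second N; };`, while the hard "refuse" above is what an iptables `-m string --hex-string "|0000ff0001|"` match on UDP/53 does before named ever sees the packet. That string match is a heuristic: the same five bytes can occur elsewhere in a packet, so log before dropping and watch for false positives.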
