New type of DDoS? Anyone saw it?

Marek Królikowski admin at wset.edu.pl
Mon May 16 19:20:17 UTC 2016


Hello
I just called one of the clients who is doing this DDoS and he confirmed he uses UBI
devices....
Does anyone know how to block all AAAA queries like this: "query 331.206.372.214 IN
AAAA" with a random AAA.XXX.YYY.ZZZ address?

Best Regards
Marek


-----Original Message-----
From: bert hubert [mailto:bert.hubert at netherlabs.nl] 
Sent: Monday, May 16, 2016 5:45 PM
To: Marek Królikowski <admin at wset.edu.pl>
Cc: bind-users at lists.isc.org
Subject: Re: New type of DDoS? Anyone saw it?

On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my BIND eat almost 90% of RAM; when I checked the logs I found an 
> interesting DDoS on my DNS cluster today:
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 
> 323.016.231.212 IN AAAA + (8X.1X0.Y.Y)

This may be related to
http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
where there is talk of a Ubiquiti exploit which is reported (elsewhere) to
generate such queries.

	Bert


> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to
> 8X.1X0.33.0/24 for . IN AAAA  (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: query: 
> 235.326.031.064 IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: drop response to
> 8X.1X0.33.0/24 for . IN AAAA  (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 
> 331.206.372.214 IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to
> 8X.1X0.33.0/24 for . IN AAAA  (00000000)
> 
> Looks like an IN AAAA query for a wrong IPv4 address... I got almost 
> 5000/sec. Has anyone seen this too?
> 
> Best Regards
> Marek
> 
> 


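As an added example (not code from the thread or from ISC), here is a small Python detector that parses BIND query-log lines of the shape Marek posted, flags AAAA queries whose name is a dotted quad with an octet above 255, and lists clients sending more than a threshold of them per second; the sample log lines and client addresses are constructed from documentation ranges, not the list's real ones.

```python
import re
from collections import Counter

# Matches the BIND 9 query-log shape shown in the thread; also tolerates the
# "@0x..." client handle and "(name)" field that newer BIND versions print.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
DOTTED_QUAD_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.?$")

# Constructed sample log (RFC 5737 documentation addresses), same line shape as the
# thread. The "slip response" line is an RRL message, not a query, and is ignored.
SAMPLE_LOG = """\
16-May-2016 16:47:47.467 client 192.0.2.10#44968: query: 323.016.231.212 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.467 client 192.0.2.10#44968: slip response to 192.0.2.0/24 for . IN AAAA  (00000000)
16-May-2016 16:47:47.467 client 192.0.2.10#38600: query: 235.326.031.064 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.468 client 192.0.2.10#51399: query: 331.206.372.214 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.470 client 192.0.2.10#51400: query: 10.0.0.5 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.471 client 192.0.2.20#51401: query: www.example.com IN AAAA + (198.51.100.1)
16-May-2016 16:47:48.001 client 192.0.2.10#51402: query: 999.1.1.1 IN A + (198.51.100.1)
""".splitlines()


def is_bogus_ipv4_name(qname):
    """True when the QNAME looks like a dotted quad but is not a valid IPv4
    address (some octet above 255), e.g. '323.016.231.212' from the thread."""
    m = DOTTED_QUAD_RE.match(qname)
    return bool(m) and any(int(o) > 255 for o in m.groups())


def parse_query(line):
    """Return the fields of a query-log line, or None for non-query lines."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def find_bogus_aaaa(lines):
    """Parsed AAAA queries whose name is a malformed IPv4 literal."""
    return [q for q in map(parse_query, lines)
            if q and q["qtype"] == "AAAA" and is_bogus_ipv4_name(q["qname"])]


def noisy_clients(lines, per_second_threshold):
    """Clients sending more than the threshold of bogus AAAA queries in any
    one-second window (timestamp truncated to whole seconds)."""
    counts = Counter()
    for q in find_bogus_aaaa(lines):
        counts[(q["client"], q["ts"].split(".")[0])] += 1
    return sorted({c for (c, _), n in counts.items() if n > per_second_threshold})


if __name__ == "__main__":
    for q in find_bogus_aaaa(SAMPLE_LOG):
        print(q["ts"], q["client"], q["qname"])
    print("noisy:", noisy_clients(SAMPLE_LOG, 2))
```

The client list it returns is what you would feed into an ACL or a rate-limit decision; on a real server the threshold would be set far above normal per-client AAAA volume rather than the toy value used here.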
