[nycbug-talk] dns abuse
dan at langille.org
Tue Jan 20 16:35:10 EST 2009
On Jan 20, 2009, at 3:39 PM, Steven Kreuzer wrote:
> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote:
>> Hi all,
>> saw a huge spike in root zone ns queries on my servers starting this
>> Friday 16th
>> Here's a sample log:
>> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
>> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
>> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
>> some machines query as often as 20-30 times a minute. No idea why this
>> would be happening, doesn't look like legitimate traffic to me.
>> Is anyone else experiencing this?
>> If you're having same issue, you can do this in pf to throttle it a
>> pass in quick on $ext inet proto udp from any to <server> port 53 keep state (max-src-states 1)
> Your DNS servers are/were being used for a DoS attack against
> 18.104.22.168 and 22.214.171.124
Thank you for posting that.
At that article is a link to http://isc1.sans.org/dnstest.html which "
a DNS server to make sure that it does not respond to the standard NS
requests for the root zone."
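
Added example, not part of the original thread: a Python sketch that scans BIND query-log lines in the format quoted above and reports clients whose root-zone NS queries (`. IN NS`) reach a per-minute threshold. The sample lines, the documentation-range client addresses and the default threshold of 20 (from the "20-30 times a minute" figure in the thread) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the query-log format quoted in the thread, e.g.
#   19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
# Optional category/severity prefixes and the "(qname)" field that some
# BIND versions print are tolerated. The minute is captured as the bucket key.
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ "
    r"(?:\S+: )*client (?:@\S+ )?(?P<ip>[^#\s]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def root_ns_offenders(lines, threshold=20):
    """Return {client_ip: peak root-NS queries in any one minute} for
    clients that reach `threshold` in at least one minute."""
    per_minute = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Only count queries for the root zone's NS records.
        if not m or m["qname"] != "." or m["qtype"] != "NS":
            continue
        per_minute[(m["ip"], m["minute"])] += 1
    peaks = {}
    for (ip, _minute), count in per_minute.items():
        if count >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def build_sample():
    """Constructed log lines (not real traffic) for three clients."""
    fmt = "19-Jan-2009 14:{m:02d}:{s:02d}.565 client {ip}#{port}: query: {q} +"
    lines = []
    for s in range(25):   # 25 root NS queries in minute 14:19
        lines.append(fmt.format(m=19, s=s, ip="192.0.2.10", port=40000 + s, q=". IN NS"))
    for s in range(30):   # 30 more from the same client in minute 14:20
        lines.append(fmt.format(m=20, s=s, ip="192.0.2.10", port=41000 + s, q=". IN NS"))
    for s in (5, 25, 45):  # occasional root NS queries, below the threshold
        lines.append(fmt.format(m=19, s=s, ip="198.51.100.7", port=53000, q=". IN NS"))
    for s in range(40):   # busy client, but ordinary A queries
        lines.append(fmt.format(m=20, s=s, ip="203.0.113.5", port=1234, q="www.example.com IN A"))
    return lines

if __name__ == "__main__":
    for ip, peak in sorted(root_ns_offenders(build_sample()).items()):
        print(f"{ip}: up to {peak} root NS queries per minute")
```

Because the reflected responses go to the spoofed source address, a flagged client address is more likely the target of the traffic than its origin.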