[nycbug-talk] dns abuse

Yarema yds at CoolRat.org
Wed Jan 21 11:48:04 EST 2009 

Steven Kreuzer wrote:
> On Jan 21, 2009, at 10:50 AM, Yarema wrote:
> 
>> Steven Kreuzer wrote:
>>> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote:
>>>
>>>> Hi all,
>>>> saw a huge spike in root zone ns queries on my servers starting this
>>>> friday 16th
>>>> Heres a sample log:
>>>> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
>>>> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
>>>> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
>>>>
>>>> some machines query as often as 20-30 times a minute. No idea why  
>>>> this
>>>> would be happening, doesnt look like legitimate traffic to me..
>>>> Is anyone else experiencing this?
>>>>
>>>> If you're having same issue, you can do this in pf to throttle it a
>>>> bit:
>>>> pass in quick on $ext inet proto udp from any to <server> port 53  
>>>> keep
>>>> state (max-src-states 1)
>>>
>>> Your DNS servers are/were being used for a DoS attack against
>>> 76.9.31.42 and 69.50.142.110
>>>
>>> http://isc.sans.org/diary.html?storyid=5713
>> Steve, what makes you say that Max's DNS servers were used for a DDoS
>> attack against 76.9.31.42 and 69.50.142.110?  It seems to me like it's
>> the other way around..  But I haven't got my brain wrapped around this
>> one yet so I'm just looking to get enlightened on the matter.
> 
> Remember the good ol days (1998) when you would send a single ICMP  
> echo requestto the broadcast address of a network and hundreds of
> machines on the network would send back an echo reply.
> 
> If you changed the source address to address of some other host, you  
> could send a single packet that would result in a huge amount of
> traffic being sent to your victim.
> 
> If you found a large enough network, you could successfully take your  
> victim offline from your home machine connected to AOL at 9600 Bps.
> 
> This is pretty much the same concept, just applied in a new and  
> creative way. Someone makes a request for a root name server which
> is a small query that generates a large response. You change
> the source address to the IPs you want to DDoS and eventually their  
> pipes are so clogged with DNS traffic they eventually become
> unreachable.

Thanks, I understand that part now.  What I don't get as far as my setup
is concerned is that when I try to run the "dig . NS @yournameserver"
test against my name servers I get:
;; connection timed out; no servers could be reached
which means my servers are secure, no?  However I was seeing the same
sort of high load from

66.230.128.15
66.230.160.1
69.50.142.11
69.50.142.110
76.9.16.171
76.9.31.42

as Max originally reported.  So since I'm not returning anything to the
"." query yet I am getting hit with repeated queries from the IPs above,
doesn't it stand to reason that my servers are the ones getting DDoSed
and not the other way around?

-- 
Yarema

More information about the talk mailing list