[nycbug-talk] dns abuse

Dan Langille dan at langille.org
Tue Jan 20 16:35:10 EST 2009


On Jan 20, 2009, at 3:39 PM, Steven Kreuzer wrote:

>
> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote:
>
>> Hi all,
>> saw a huge spike in root zone NS queries on my servers starting this
>> Friday 16th
>> Here's a sample log:
>> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
>> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
>> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
>>
>> some machines query as often as 20-30 times a minute. No idea why this
>> would be happening, doesn't look like legitimate traffic to me..
>> Is anyone else experiencing this?
>>
>> If you're having the same issue, you can do this in pf to throttle it a
>> bit:
>> pass in quick on $ext inet proto udp from any to <server> port 53 keep state (max-src-states 1)
>
>
> Your DNS servers are/were being used for a DoS attack against
> 76.9.31.42 and 69.50.142.110
>
> http://isc.sans.org/diary.html?storyid=5713


Thank you for posting that.

At that article is a link to http://isc1.sans.org/dnstest.html which
"will test a DNS server to make sure that it does not respond to the
standard NS requests for the root zone."

Nice.

-- 
Dan Langille
http://langille.org/
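
Added example, not part of the original thread: a small Python check that reads BIND query-log lines in the format quoted above and reports which client addresses send root-zone NS queries (". IN NS") at or above a per-minute rate. The function names, the threshold of 20 per minute and the sample log lines are assumptions constructed for illustration; as the reply in the thread points out, the logged "client" addresses in this kind of traffic are the targets of the DoS, so the output lists who is being hit through your server.

```python
import re
from collections import Counter
from datetime import datetime

# BIND query-log line as quoted in the thread, restricted to root-zone NS queries.
ROOT_NS = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[^#\s]+)#\d+: query: \. IN NS\b"
)

def root_ns_offenders(lines, per_minute_threshold=20):
    """Return {client: peak root-NS queries in any single minute} for clients
    at or above the threshold (the default is an assumption; tune per site)."""
    buckets = Counter()
    for line in lines:
        m = ROOT_NS.match(line.strip())
        if not m:
            continue  # other query types and unparseable lines are ignored
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        buckets[(m.group("ip"), ts.replace(second=0))] += 1
    peaks = {}
    for (ip, _minute), count in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return {ip: n for ip, n in peaks.items() if n >= per_minute_threshold}

def constructed_sample():
    """Constructed log lines using documentation addresses, not data from the thread."""
    lines = [
        f"19-Jan-2009 14:19:{s:02d}.565 client 192.0.2.10#{40000 + s}: query: . IN NS +"
        for s in range(0, 50, 2)  # 25 root NS queries inside one minute
    ]
    lines += [
        f"19-Jan-2009 14:{m}:05.100 client 198.51.100.7#5353: query: . IN NS +"
        for m in (19, 20, 21)  # one per minute, below any sensible threshold
    ]
    # An ordinary A query from the busy client must not be counted.
    lines.append("19-Jan-2009 14:19:30.000 client 192.0.2.10#40100: query: example.com IN A +")
    return lines

if __name__ == "__main__":
    for ip, peak in sorted(root_ns_offenders(constructed_sample()).items()):
        print(f"{ip}: {peak} root NS queries in one minute")
```
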





