[nycbug-talk] dns abuse

Yarema yds at CoolRat.org
Wed Jan 21 10:50:31 EST 2009


Steven Kreuzer wrote:
> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote:
> 
>> Hi all,
>> saw a huge spike in root zone ns queries on my servers starting this
>> friday 16th
>> Here's a sample log:
>> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
>> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
>> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
>>
>> some machines query as often as 20-30 times a minute. No idea why this
>> would be happening, doesn't look like legitimate traffic to me..
>> Is anyone else experiencing this?
>>
>> If you're having the same issue, you can do this in pf to throttle it a bit:
>> pass in quick on $ext inet proto udp from any to <server> port 53 keep state (max-src-states 1)
> 
> 
> Your DNS servers are/were being used for a DoS attack against 76.9.31.42 and 69.50.142.110
> 
> http://isc.sans.org/diary.html?storyid=5713

Steve, what makes you say that Max's DNS servers were used for a DDoS
attack against 76.9.31.42 and 69.50.142.110?  It seems to me like it's
the other way around..  But I haven't got my brain wrapped around this
one yet so I'm just looking to get enlightened on the matter.

I use djbdns with tinydns on the outward facing interface serving only
authoritative responses.  And dnscache on the localhost and/or LAN
interfaces.  That said I've been hit by this same sort of DDoS attack
also starting around Jan 16th.  I first noticed it on the morning of the
17th.

The test of my DNS servers from http://isc1.sans.org/dnstest.html returns:

"I am not able to connect to your server, and as a result can't tell if
your server is configured right. However, if your server is not
reachable, it is secure as far as this test is concerned"

I guess that's good.

My remedy has been to add each IP that I notice repeatedly querying for
the root "." domain to the blacklist table in my pf rules.  So far I've
collected the following IPs:

66.230.128.15
66.230.160.1

69.50.142.11
69.50.142.110
76.9.16.171

With the above blocked I get no "." queries in the tinydns log file.
Otherwise pftop would show up to a 100 pf states on UDP 53 when my normal
average tops out at around 30 states, but usually hovers around 10 or 15.

Note that I added 66.230.128.15 and 66.230.160.1 just this morning.
They have not previously hit my servers.  Nor has 76.9.31.42 hit my
servers, though 76.9.16.171 did.

-- 
Yarema
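
The remedy Yarema describes above (spot sources that repeatedly ask for ". IN NS", add them to a pf table) can be automated over the kind of query log Max posted. The following is an added example, not code from anyone in this thread. It assumes the BIND 9 querylog line format shown in Max's sample (tinydns logs in a different format and would need another parser), takes its 20-per-minute threshold from Max's "20-30 times a minute" observation, and assumes the pf table is named blacklist, as Yarema's post suggests. The sample log lines are constructed here using RFC 5737 documentation addresses, not the addresses from the thread. One caveat a practitioner should keep in mind: in a reflection attack of the kind the linked ISC diary describes, the source address on these queries is forged to the victim's address, so the "clients" this script flags are the hosts receiving your server's replies, not the attacker. Blocking them does stop your server from reflecting traffic at them, but it also drops any legitimate queries those hosts send you.

```python
"""Flag sources that repeatedly query a DNS server for the root NS set.

Added example for the nycbug "dns abuse" thread; not from the thread itself.
Parses BIND 9 querylog lines (the format Max posted), counts ". IN NS"
queries per source inside a sliding window, and emits pfctl commands that
add offenders to a pf table.  Sample data below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BIND 9 querylog line, e.g.
# "19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Return (timestamp, src, qname, qtype) or None if the line is not a query entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("src"), m.group("qname"), m.group("qtype").upper()


def is_root_ns(qname, qtype):
    """The pattern from the thread: the bare root label '.' asked for its NS records."""
    return qname == "." and qtype == "NS"


def find_abusers(lines, threshold=20, window=timedelta(seconds=60)):
    """Map source address -> peak number of root-NS queries seen in any `window`.

    Only sources whose peak reaches `threshold` are returned.  The default of
    20 per minute mirrors Max's observation; tune it to your own baseline.
    """
    records = [r for r in map(parse_line, lines) if r and is_root_ns(r[2], r[3])]
    records.sort(key=lambda r: r[0])          # logs may interleave; order by time
    recent = defaultdict(deque)               # src -> timestamps inside the window
    peak = defaultdict(int)
    for ts, src, _, _ in records:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:             # slide the window forward
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def pfctl_commands(abusers, table="blacklist"):
    """pfctl invocations adding each flagged source to a pf table (name assumed)."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(abusers)]


def _constructed_log():
    """Constructed sample log: RFC 5737 addresses, not the IPs from the thread."""
    base = datetime(2009, 1, 19, 14, 19, 14, 565000)

    def line(offset_s, src, port, q):
        t = base + timedelta(seconds=offset_s)
        # strftime gives microseconds; trim to the 3 digits BIND logs
        return f"{t.strftime(TS_FMT)[:-3]} client {src}#{port}: query: {q} +"

    lines = []
    # 25 root-NS queries in 48 seconds: the abusive pattern
    lines += [line(2 * i, "192.0.2.10", 40000 + i, ". IN NS") for i in range(25)]
    # 3 root-NS queries a minute: noisy but below threshold
    lines += [line(20 * i, "198.51.100.5", 50000 + i, ". IN NS") for i in range(3)]
    # ordinary resolver traffic plus one stray root-NS query
    lines += [line(5 * i, "203.0.113.7", 60000 + i, "www.example.com IN A") for i in range(10)]
    lines.append(line(7, "203.0.113.7", 60099, ". IN NS"))
    lines.append("19-Jan-2009 14:19:30.000 general: info: zone example.com loaded")  # non-query line
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for cmd in pfctl_commands(find_abusers(SAMPLE_LOG)):
        print(cmd)
```

Run against a real querylog, the script would be fed the log lines instead of SAMPLE_LOG; the sliding window means a host that spreads 20 queries over an hour is not flagged, while one that bursts them inside a minute is.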
