[nycbug-talk] dns abuse
Andy Kosela
akosela at andykosela.com
Wed Jan 21 12:12:22 EST 2009
Yarema <yds at coolrat.org> wrote:
> I was seeing the same sort of high load from
>
> 66.230.128.15
> 66.230.160.1
> 69.50.142.11
> 69.50.142.110
> 76.9.16.171
> 76.9.31.42
>
> as Max originally reported. So since I'm not returning anything to the
> "." query yet I am getting hit with repeated queries from the IPs above,
> doesn't it stand to reason that my servers are the ones getting DDoSed
> and not the other way around?
Those source ip's are spoofed. Dan's link can be helpful:
http://isc.sans.org/diary.html?storyid=5713
As I understand it, there is no "proper" way to fix it in BIND9. You
can block on your firewall any DNS query of 45 bytes length or globally
deny recursion and queries, allowing them only at the zones level.
Answering for
dig . ns @ns_server
is a normal behavior even if the server is not allowing recursion. I
wonder that exactly the same kind of DoS attack can be successful if
using com or net servers instead of root. The payload would be similar.
--Andy
More information about the talk
mailing list