[nycbug-talk] dns abuse

Steven Kreuzer skreuzer at exit2shell.com
Tue Jan 20 15:39:45 EST 2009


On Jan 19, 2009, at 2:23 PM, Max Gribov wrote:

> Hi all,
> Saw a huge spike in root zone NS queries on my servers starting this
> Friday the 16th.
> Here's a sample log:
> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
>
> Some machines query as often as 20-30 times a minute. No idea why this
> would be happening, doesn't look like legitimate traffic to me.
> Is anyone else experiencing this?
>
> If you're having the same issue, you can do this in pf to throttle it a bit:
> pass in quick on $ext inet proto udp from any to <server> port 53 keep state (max-src-states 1)


Your DNS servers are/were being used for a DoS attack against  
76.9.31.42 and 69.50.142.110

http://isc.sans.org/diary.html?storyid=5713

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer
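
An added example, not part of either post: a small detector for the pattern discussed in this thread, counting `. IN NS` queries per source address per minute in BIND query-log lines of the layout quoted above. The threshold of 20 per minute and the sample log lines (documentation addresses) are assumptions constructed for the example; per the reply above, addresses that show up this way are the targets of the DoS rather than real clients.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of the BIND query-log lines quoted in the thread:
#   19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ "
    r"client (?P<addr>[^#\s]+)#\d+: query: (?P<q>\S+ \S+ \S+)"
)
THRESHOLD = 20  # per minute; assumption based on the "20-30 times a minute" in the post


def root_ns_rates(lines):
    """Count '. IN NS' queries per (source address, minute)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["q"] == ". IN NS":
            minute = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M")
            counts[(m["addr"], minute)] += 1
    return counts


def flag_sources(lines, threshold=THRESHOLD):
    """Return {source: peak per-minute count} for sources at or above threshold."""
    peaks = {}
    for (addr, _minute), n in root_ns_rates(lines).items():
        if n >= threshold:
            peaks[addr] = max(peaks.get(addr, 0), n)
    return peaks


def make_sample():
    """Constructed log lines using documentation addresses, not data from the thread."""
    fmt = "19-Jan-2009 14:{:02d}:{:02d}.565 client {}#{}: query: {} +"
    lines = [fmt.format(19, s, "192.0.2.10", 40000 + s, ". IN NS") for s in range(25)]
    # Same source, next minute: only 5 queries, so the peak stays at 25.
    lines += [fmt.format(20, s, "192.0.2.10", 41000 + s, ". IN NS") for s in range(5)]
    # Low-rate root NS source and an ordinary A query: neither is flagged.
    lines += [fmt.format(19, s * 10, "198.51.100.7", 53000 + s, ". IN NS") for s in range(3)]
    lines.append(fmt.format(19, 30, "203.0.113.5", 1234, "example.com IN A"))
    return lines


if __name__ == "__main__":
    for addr, peak in flag_sources(make_sample()).items():
        print(f"{addr}: peak {peak} root NS queries/minute")
```
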



