[nycbug-talk] dns abuse

Yarema yds at CoolRat.org
Wed Jan 21 11:48:04 EST 2009

Steven Kreuzer wrote:
> On Jan 21, 2009, at 10:50 AM, Yarema wrote:
>> Steven Kreuzer wrote:
>>> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote:
>>>> Hi all,
>>>> saw a huge spike in root zone ns queries on my servers starting this
>>>> friday 16th
>>>> Here's a sample log:
>>>> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
>>>> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
>>>> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
>>>> some machines query as often as 20-30 times a minute. No idea why
>>>> this would be happening, doesn't look like legitimate traffic to me..
>>>> Is anyone else experiencing this?
>>>> If you're having the same issue, you can do this in pf to throttle it a
>>>> bit:
>>>> pass in quick on $ext inet proto udp from any to <server> port 53 keep state (max-src-states 1)
>>> Your DNS servers are/were being used for a DoS attack against
>>> and
>>> http://isc.sans.org/diary.html?storyid=5713
>> Steve, what makes you say that Max's DNS servers were used for a DDoS
>> attack against and  It seems to me like it's
>> the other way around..  But I haven't got my brain wrapped around this
>> one yet so I'm just looking to get enlightened on the matter.
> Remember the good ol' days (1998) when you would send a single ICMP
> echo request to the broadcast address of a network and hundreds of
> machines on the network would send back an echo reply.
> If you changed the source address to the address of some other host, you
> could send a single packet that would result in a huge amount of
> traffic being sent to your victim.
> If you found a large enough network, you could successfully take your
> victim offline from your home machine connected to AOL at 9600 Bps.
> This is pretty much the same concept, just applied in a new and
> creative way. Someone makes a request for a root name server which
> is a small query that generates a large response. You change
> the source address to the IPs you want to DDoS and eventually their
> pipes are so clogged with DNS traffic they eventually become
> unreachable.

Thanks, I understand that part now.  What I don't get as far as my setup
is concerned is that when I try to run the "dig . NS @yournameserver"
test against my name servers I get:
;; connection timed out; no servers could be reached
which means my servers are secure, no?  However I was seeing the same
sort of high load from

as Max originally reported.  So since I'm not returning anything to the
"." query yet I am getting hit with repeated queries from the IPs above,
doesn't it stand to reason that my servers are the ones getting DDoSed
and not the other way around?
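As an added illustration of the check discussed in this thread (not code from the original posts): a small Python script that reads BIND query-log lines in the format Max posted and reports the source addresses whose rate of ". IN NS" queries reaches the 20-per-minute level he observed. The sample log lines and addresses below are constructed (RFC 5737 documentation ranges), not taken from the thread; the threshold is a parameter.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 query-log line as shown in the post:
#   19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
LOG_RE = re.compile(
    r"^(?P<date>\d{2}-\w{3}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[^#\s]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, source ip, qname, qtype) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d-%b-%Y %H:%M:%S")
    return ts, m["ip"], m["name"], m["qtype"]

def root_ns_offenders(lines, per_minute=20):
    """Map each source ip to its highest count of '. IN NS' queries in any
    single calendar minute, keeping only sources that reach per_minute."""
    buckets = defaultdict(int)  # (ip, minute) -> number of root NS queries
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not query-log entries
        ts, ip, name, qtype = parsed
        if name == "." and qtype == "NS":
            buckets[(ip, ts.replace(second=0))] += 1
    worst = defaultdict(int)
    for (ip, _minute), n in buckets.items():
        worst[ip] = max(worst[ip], n)
    return {ip: n for ip, n in worst.items() if n >= per_minute}

# Constructed sample: one source sends 25 root NS queries inside minute 14:19,
# another sends two plus an ordinary A query; one junk line is included.
SAMPLE_LOG = [
    f"19-Jan-2009 14:19:{s:02d}.000 client 192.0.2.10#{40000 + s}: query: . IN NS +"
    for s in range(25)
] + [
    "19-Jan-2009 14:19:15.689 client 198.51.100.7#35549: query: . IN NS +",
    "19-Jan-2009 14:19:21.257 client 198.51.100.7#9389: query: . IN NS +",
    "19-Jan-2009 14:19:30.001 client 198.51.100.7#9390: query: www.example.com IN A +",
    "not a query log line",
]

if __name__ == "__main__":
    for ip, n in sorted(root_ns_offenders(SAMPLE_LOG).items()):
        print(f"{ip}: {n} root NS queries in one minute")
```

Feeding the real query log through `root_ns_offenders` gives the addresses worth pointing a `max-src-states` rule or a firewall table at, without touching sources that ask for the root NS set only occasionally.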
