[nycbug-talk] dns abuse

Andy Kosela akosela at andykosela.com
Wed Jan 21 12:12:22 EST 2009


Yarema <yds at coolrat.org> wrote:

> I was seeing the same sort of high load from
>
> 66.230.128.15
> 66.230.160.1
> 69.50.142.11
> 69.50.142.110
> 76.9.16.171
> 76.9.31.42
>
> as Max originally reported.  So since I'm not returning anything to the
> "." query yet I am getting hit with repeated queries from the IPs above,
> doesn't it stand to reason that my servers are the ones getting DDoSed
> and not the other way around?

Those source IPs are spoofed. Dan's link can be helpful:

  http://isc.sans.org/diary.html?storyid=5713

As I understand it, there is no "proper" way to fix it in BIND9.  You
can block on your firewall any DNS query of 45 bytes length or globally
deny recursion and queries, allowing them only at the zones level.
Answering for

  dig . ns @ns_server

is normal behavior even if the server is not allowing recursion.  I
wonder whether exactly the same kind of DoS attack could succeed using
com or net servers instead of root.  The payload would be similar.

--Andy
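Added example (not from this thread or from BIND): it builds the bare "." NS query Andy refers to, shows where the 45-byte figure comes from (17 bytes of DNS payload plus 8 bytes UDP and 20 bytes IPv4 without options, an assumption of this example), and tallies such queries per claimed source so a defender can spot the pattern in captured traffic. The sample packets and 192.0.2.0/24 addresses are constructed.

```python
import struct

# Constructed example of the bare "." NS query in the thread: DNS header (12)
# + root QNAME (1) + QTYPE (2) + QCLASS (2) = 17 bytes; add UDP (8) + IPv4 (20).
QTYPE_NS, QCLASS_IN = 2, 1
UDP_HEADER, IPV4_HEADER = 8, 20

def build_query(name, qtype, txid=0x1234):
    # Minimal query: one question, RD set, no answer/authority/additional RRs.
    qname = b""
    for label in name.strip(".").split("."):
        if label:
            qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"  # terminating root label; "." encodes as just this byte
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)

def parse_question(payload):
    """(qname, qtype, qclass) of the first question, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length, pos = payload[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):
            return None  # compression pointers are not valid in a query name
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None  # no terminating label, or QTYPE/QCLASS truncated
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return (".".join(labels) + ".", qtype, qclass)

def is_root_ns_query(payload):
    q = parse_question(payload)
    return q is not None and q[0] == "." and q[1] == QTYPE_NS

def count_root_ns_by_source(packets):
    # Tally root-NS queries per claimed source over (src_ip, payload) pairs.
    counts = {}
    for src, payload in packets:
        if is_root_ns_query(payload):
            counts[src] = counts.get(src, 0) + 1
    return counts

SAMPLE_PACKETS = [("192.0.2.10", build_query(".", QTYPE_NS)),  # constructed
                  ("192.0.2.10", build_query(".", QTYPE_NS)),
                  ("192.0.2.20", build_query("example.com", 1))]
```

Since the sources are spoofed, the per-source tally identifies the reflection targets, not the sender; the 45-byte match is what a packet filter would key on.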


