[nycbug-talk] dns abuse

Yarema yds at CoolRat.org
Wed Jan 21 13:53:36 EST 2009


Andy Kosela wrote:
> Yarema <yds at coolrat.org> wrote:
> 
>> I was seeing the same sort of high load from
>>
>> 66.230.128.15
>> 66.230.160.1
>> 69.50.142.11
>> 69.50.142.110
>> 76.9.16.171
>> 76.9.31.42
>>
>> as Max originally reported.  So since I'm not returning anything to the
>> "." query yet I am getting hit with repeated queries from the IPs above,
>> doesn't it stand to reason that my servers are the ones getting DDoSed
>> and not the other way around?
> 
> Those source ip's are spoofed. Dan's link can be helpful:
> 
>   http://isc.sans.org/diary.html?storyid=5713
> 
> As I understand it, there is no "proper" way to fix it in BIND9.  You
> can block on your firewall any DNS query of 45 bytes length or globally
> deny recursion and queries, allowing them only at the zones level.
> Answering for
> 
>   dig . ns @ns_server
> 
> is a normal behavior even if the server is not allowing recursion.  I
> wonder that exactly the same kind of DoS attack can be successful if
> using com or net servers instead of root.  The payload would be similar.

Andy,

In my case I'm using djbdns' tinydns, which by default does not allow
recursion.  And "dig . ns @ns_server" returns

;; connection timed out; no servers could be reached

even though the unsuccessful query is logged by tinydns.

I can't say enough good things about djbdns.  Much simpler to administer
than BIND and in the 10 years I've been using it I've yet to upgrade or
tweak anything in djbdns itself because of a security issue.  This
latest incident included.

I blocked the above IPs to relieve the load on port 53, but so far as I
can tell my servers were not contributing to any DDoSing since they
return nothing to the . NS query.

-- 
Yarema
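As an added illustration that is not part of any message in this thread: the Python below builds the minimal `. NS` query Andy's firewall rule keys on, shows why it comes to 45 bytes on the wire over IPv4 (20-byte IP header + 8-byte UDP header + 17-byte DNS message), and counts such queries per claimed source address over a constructed packet list. The 192.0.2.x / 198.51.100.x addresses and the `build_query` / `count_root_ns_sources` helpers are assumptions made for the example.

```python
import struct
from collections import Counter

QTYPE_A, QTYPE_NS, QCLASS_IN = 1, 2, 1
IP_HEADER_LEN, UDP_HEADER_LEN = 20, 8   # IPv4 without options, UDP

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query message: 12-byte header with QDCOUNT=1, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, standard query
    labels = [l for l in qname.strip(".").split(".") if l]   # "." -> no labels
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, QCLASS_IN)

def parse_question(msg: bytes):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        if length & 0xC0:          # compression pointer: not valid in a question name
            return None
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return (".".join(labels) or ".", qtype, qclass)

def is_root_ns_query(msg: bytes) -> bool:
    return parse_question(msg) == (".", QTYPE_NS, QCLASS_IN)

def wire_length_on_ipv4(msg: bytes) -> int:
    """Total packet size a length-based firewall rule would see for this DNS payload."""
    return IP_HEADER_LEN + UDP_HEADER_LEN + len(msg)

def count_root_ns_sources(packets):
    """packets: iterable of (src_ip, dns_payload). Tally root-NS queries per (possibly spoofed) source."""
    return Counter(src for src, payload in packets if is_root_ns_query(payload))

# Constructed sample traffic; the addresses are documentation ranges, not the ones in the thread.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_query(".", QTYPE_NS)),
    ("192.0.2.10", build_query(".", QTYPE_NS)),
    ("192.0.2.20", build_query(".", QTYPE_NS)),
    ("198.51.100.5", build_query("example.com", QTYPE_A)),
]
```

Running `count_root_ns_sources(SAMPLE_PACKETS)` tallies only the root NS queries, and `wire_length_on_ipv4(build_query(".", QTYPE_NS))` gives the 45 bytes Andy mentions.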


