[dns-operations] "NS .", the attack of the month?
Geoffrey Sisson
geoff at geoff.co.uk
Thu Jan 29 22:50:52 UTC 2009
dagon at cc.gatech.edu (David Dagon) wrote:
> On Sat, Jan 24, 2009 at 11:05:40PM +0100, Stephane Bortzmeyer wrote:
> > It is still trendy, apparently. As I watch one recursive name server
> > (but I see nothing on many others), I see a 2-3 p/s "NS ." queries
> > claiming to come from 206.71.158.30 and even from 66.230.160.1
> > (pretending ISPrime).
> >
> > Still no perfect solution for it?
> >
> > At least dnscap is great to watch it:
> >
> > sudo dnscap -i eth0 -w isprime-attack -g -s i -x '^\.$'
> >
> > Any way with dnscap to restrict the QTYPE of the query?
>
> I don't see a man page suggestion. But I think pipes between dnscap
> and tcpdump can be used.
>
> The difficulty is that qtype comes after the qname, which can be a
> variable length. But dnscap can also dump binary output to stdout
> with the "-w -" argument.
>
> So one might use your expression above to filter for only "." queries,
> and then use tcpdump to & for the desired qtype, and then pipe that
> output to another dnscap process for easy visual display or further
> processing. I've not tried this, but something like this may be
> close:
>
> sudo dnscap -i eth0 -w - -s i -x '^\.$' \
> | tcpdump -r - -w - udp[${OFFSET}] & ${QTYPE} = 0 \
> | dnscap -r - -w isprime-attack -g 2>&1
>
> Now you just need to figure out OFFSET---it will be a fixed number of
> bytes since the length of qname is 1 (plus the runlength byte and
> terminating bytes); I can't recall off hand.
>
> I believe QTYPE should be '2' for NS.
This tcpdump expression seems to be effective for capturing the current
isprime attack activity, since the offsets don't change:
tcpdump -n -s 0 -w isprime.raw '
udp dst port 53 and
(udp[10] & 0x80 = 0) and
udp[12] = 0 and
udp[13] = 1 and
udp[20] = 0 and
udp[21] = 0 and
udp[22] = 2 and
udp[23] = 0 and
udp[24] = 1
'
In other words:
(udp[10] & 0x80 = 0) # QR = 0 (query, not response)
udp[12] = 0 and udp[13] = 1 # QDCOUNT = 1
udp[20] = 0 # QNAME = '.'
udp[21] = 0 and udp[22] = 2 # QTYPE = NS
udp[23] = 0 and udp[24] = 1 # QCLASS = IN
You can probably even omit the checks for QDCOUNT and QCLASS, e.g.:
tcpdump -n -s 0 -w isprime.raw '
udp dst port 53 and
(udp[10] & 0x80 = 0) and
udp[20] = 0 and
udp[21] = 0 and
udp[22] = 2
'
Of course the attack could be trivially modified to use any query that
would reliably provoke an upward referral, e.g. QNAME = 'a.' QTYPE = TXT.
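The byte-offset filter above, carried out in Python as an added example (not code from the thread or from dnscap/tcpdump): it decodes the DNS header and a variable-length QNAME from a raw UDP payload, so the same check that the tcpdump expression hard-codes for "NS ." also reports the QNAME/QTYPE of other upward-referral bait such as 'a.' TXT. All packets are constructed inline; offsets are the tcpdump `udp[N]` values minus the 8-byte UDP header, since the payload here starts at the DNS message.

```python
"""Check raw DNS query payloads for the 'NS .' pattern.

Added example; not part of the original dns-operations thread.
tcpdump's udp[N] counts from the start of the UDP header, so
udp[10] here is payload[2], udp[20] is payload[12], and so on.
"""
import struct

NS = 2      # QTYPE NS
TXT = 16    # QTYPE TXT
IN = 1      # QCLASS IN


def parse_question(payload: bytes):
    """Return (qr, qdcount, qname, qtype, qclass) or None if malformed.

    Only the first question is decoded. Compression pointers are not
    valid in the question of a query, so a label with the top two bits
    set is treated as malformed rather than followed.
    """
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qr, qdcount, ".".join(labels) + ".", qtype, qclass


def is_root_ns_query(payload: bytes) -> bool:
    """Same predicate as the tcpdump filter: QR=0, QDCOUNT=1, QNAME='.',
    QTYPE=NS, QCLASS=IN."""
    q = parse_question(payload)
    if q is None:
        return False
    qr, qdcount, qname, qtype, qclass = q
    return qr == 0 and qdcount == 1 and qname == "." and qtype == NS and qclass == IN


def tcpdump_offsets_match(payload: bytes) -> bool:
    """Literal translation of the byte tests, to show both views agree."""
    p = payload
    return (len(p) >= 17 and (p[2] & 0x80) == 0      # udp[10] & 0x80 = 0
            and p[4] == 0 and p[5] == 1              # udp[12..13]: QDCOUNT = 1
            and p[12] == 0                           # udp[20]: QNAME = '.'
            and p[13] == 0 and p[14] == 2            # udp[21..22]: QTYPE = NS
            and p[15] == 0 and p[16] == 1)           # udp[23..24]: QCLASS = IN


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query; used only to make sample input."""
    labels = [lb for lb in qname.rstrip(".").split(".") if lb]
    wire = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, no flags
    return header + wire + struct.pack("!HH", qtype, IN)


# Constructed sample packets: the attack query, the 'a.' TXT variant the
# post mentions, and a response with the same question (QR bit set).
ROOT_NS = build_query(".", NS)
A_TXT = build_query("a.", TXT)
RESPONSE = ROOT_NS[:2] + bytes([ROOT_NS[2] | 0x80]) + ROOT_NS[3:]

if __name__ == "__main__":
    for name, pkt in [("NS .", ROOT_NS), ("TXT a.", A_TXT), ("response", RESPONSE)]:
        print(name, is_root_ns_query(pkt), tcpdump_offsets_match(pkt), parse_question(pkt))
```

`is_root_ns_query` and `tcpdump_offsets_match` agree on every packet; the parser's output is what a resolver operator would feed into a broader rule (for example, counting queries per source for any QNAME/QTYPE pair that draws an upward referral) once the attacker changes the name, which the fixed-offset filter cannot follow.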