[dns-operations] New subscribers
Mark Andrews
marka at isc.org
Sun Jan 9 23:48:47 UTC 2011
In message <20110107160649.3f320761 at t61p>, John Kristoff writes:
> On Thu, 06 Jan 2011 12:32:39 -0700
> Jeff Taylor <shdwdrgn at sourpuss.net> wrote:
>
> > Another member of the project recommended I join this mailing list
> > due to quite a number of DNS attacks via my servers since this Summer -
> > initially spoofing IP's within my local subnet, but most recently
> > they're just hammering my server directly with "isc.org ANY"
> > queries. If this topic is suitable for this group, let me know and
> > I'll open up a new thread with details.
>
> Awhile back I had seen this:
>
> 2010-03-28T10:19:27+00:00
> saddr: 24.138.162.251 (ASN 23184 / PERSONA COMMUNICATIONS INC / CA)
> sport: 51095
> query: IN ANY isc.org
> flags: rd, edns, dnssec ok
>
> I had asked the isc.org folks at the time and Paul stated it wasn't
> them. Never followed up to find out what it was. Compare to what you
> saw.
It's almost certainly an attempted DNS amplification attack. The
source address and port will be forged. Very few stub clients
(RD=1) turn on EDNS or turn on DO yet (we do want them to do this
in the future however as it is the signature of a DNSSEC validating
application). You *will* see a packet like this if the targeted
nameserver is listed in the forwarders clause of another nameserver.
If you aren't being used as a forwarder you could almost certainly
filter out this query in a firewall by looking for all of the
following properties: CLASS=IN, TYPE=ANY, QNAME=isc.org, RD=1, QR=0,
EDNS=0 and DO=1.
If 24.138.162.251 isn't in the target population that you offer
recursive/query-cache service to then named will return REFUSED
unless you serve a parent zone in which case a referral will be
returned. This defeats the amplification attack but doesn't stop
the response traffic.
> In November and December of last year I saw some widespread isc.org TXT
> queries coming from 217.79.190.53 if that is of interest to anyone.
>
> John
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
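The filter properties Mark lists above (CLASS=IN, TYPE=ANY, QNAME=isc.org, RD=1, QR=0, EDNS version 0, DO=1), as an added Python example that is not code from the post or from ISC: it parses a raw DNS query packet and reports whether it matches all of them, using a constructed sample packet as input. The function names `build_isc_any_query`, `parse_name` and `is_isc_any_amplification_probe` are chosen here, not taken from any tool.

```python
import struct

def build_isc_any_query(txid=0x1234, do_bit=True):
    """Constructed sample packet: 'isc.org IN ANY', QR=0, RD=1, with an EDNS(0) OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # flags word: RD only
    question = b"\x03isc\x03org\x00" + struct.pack("!HH", 255, 1)  # TYPE=ANY, CLASS=IN
    # OPT RR: root name, TYPE=41, UDP size 4096, ext-rcode 0, version 0,
    # flags word carrying DO (0x8000), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def parse_name(buf, off):
    """Return (lower-cased name, offset after it); rejects compression pointers,
    which do not occur in a query's question or in an OPT owner name."""
    labels = []
    while True:
        ln = buf[off]
        if ln == 0:
            return ".".join(labels).lower(), off + 1
        if ln & 0xC0:
            raise ValueError("compressed label")
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def is_isc_any_amplification_probe(pkt):
    """True only when every property named in the post holds."""
    if len(pkt) < 12:
        return False
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    # QR must be 0 (a query), RD must be 1, exactly one question, no answers
    if flags & 0x8000 or not flags & 0x0100 or (qd, an, ns) != (1, 0, 0):
        return False
    try:
        qname, off = parse_name(pkt, 12)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if (qname, qtype, qclass) != ("isc.org", 255, 1):
            return False
        for _ in range(ar):                      # look for an OPT RR in the additional section
            _, off = parse_name(pkt, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10 + rdlen
            if rtype == 41:                      # OPT: TTL field = ext-rcode, version, flags
                return (ttl >> 16) & 0xFF == 0 and bool(ttl & 0x8000)
    except (IndexError, struct.error, ValueError, UnicodeDecodeError):
        return False
    return False                                 # no EDNS at all: not the pattern described
```

A packet that matches is still only a candidate for filtering; as Mark notes, the same shape is legitimate when the server is listed as a forwarder by another nameserver.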