[dns-operations] DNS attack on small public server
Jeff Taylor
shdwdrgn at sourpuss.net
Sat Jan 15 22:15:10 UTC 2011
This is a continuation of the discussion from the 'New subscribers'
thread, but I want to give more detailed information here as to the
symptoms I have been seeing. To begin with, I run one of many public
servers for the OpenNic project. When I google for my IP, I find it
listed in quite a number of discussions where folks wish to use an
alternate DNS service from what their ISP provides, so the address is
easily found and has been in use for several years. Since the public
servers from our project require users to access OpenNic domain space
as well as ICANN space, I of course have to allow full recursive
lookups, and that in turn opens my server up to many forms of abuse.
Last year around July-August, I noticed my bandwidth being used up, and
found huge numbers of queries coming from the same class-C subnet as my
IP block, plus the subnet immediately above (*.*.83.*, *.*.84.*, and
*.*.85.*). Since my logs had shown no legitimate traffic from anyone
else within my ISP, I simply blocked all queries from that range, and
they stopped after a couple months. This was the first I had heard of
DNS amplification attacks, and I was told the activity looked
suspiciously like that.
Move ahead to December, and I notice my bandwidth is again suddenly
being swamped. Based on information that I found, plus a suggestion
from the new subscribers thread, I find that all of the excessive
queries match the following:
"#25345: view net: query: isc.org IN ANY +ED"
Some early monitoring discovered that I was typically getting about
4,000 queries per minute from each specific IP, and these would come in
bursts lasting between 5 and 15 minutes. Most of the traffic is coming
from a few specific subnets, and you can see that the queries are all
using the same incoming port.
To combat this problem, I wrote up a simple BASH script which monitors
the log file for the above string, and blocks (via iptables) any
instance of more than 15 queries in 1 second, then removes the IP after
10 minutes. This script has continued to block these queries since I
implemented it, without affecting legitimate traffic (and I'm still
getting hits today).
I haven't looked much more into the problem since then, but I was told
this mailing list might be interested in the information, and since I am
still getting hits on this, I can easily disable the filter to get more
detailed info if anyone would like it.
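The log-watching filter described in the post, written out as an added example. This is not Jeff's script and not anything from the OpenNic project; it follows the numbers he gives (more than 15 matching queries from one source in one second, dropped for 10 minutes) and assumes a BIND query log written to a file with print-time enabled, so each line starts with "DD-Mon-YYYY HH:MM:SS.mmm" and the source appears as "client IP#PORT:". The iptables rule (drop UDP/53 from the source), the DRY_RUN switch and the ban list that avoids inserting duplicate rules are my own choices; the sample log lines are constructed, not captured.

```shell
#!/bin/sh
# Added example (not the author's script): spot a flood of "isc.org IN ANY"
# queries in a BIND query log and drop the source with iptables for a while.
# Assumed log shape: "15-Jan-2011 22:10:01.004 client 192.0.2.10#25345: view net: query: isc.org IN ANY +ED"

PATTERN='query: isc.org IN ANY +ED'
THRESHOLD=15          # more than this many matches per source per second
BAN_SECONDS=600       # 10 minutes, as in the post
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the iptables commands instead of running them

# find_abusers: read query-log lines on stdin; print a source IP each time it
# exceeds THRESHOLD matching queries within one log second (once per IP/second).
find_abusers() {
    grep -F -- "$PATTERN" | awk -v thr="$THRESHOLD" '
    {
        split($2, t, ".")                      # "22:10:01.004" -> t[1] = "22:10:01"
        src = ""
        for (i = 1; i <= NF; i++) if ($i == "client") { src = $(i + 1); break }
        if (src == "") next
        sub(/#.*/, "", src)                    # "192.0.2.10#25345:" -> "192.0.2.10"
        key = src SUBSEP $1 " " t[1]           # per-IP, per-second counter
        if (++n[key] == thr + 1) { print src; fflush() }
    }'
}

# run: execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ban_ip()   { run iptables -I INPUT -s "$1" -p udp --dport 53 -j DROP; }
unban_ip() { run iptables -D INPUT -s "$1" -p udp --dport 53 -j DROP; }

# watch_log: follow the live log and ban offenders as they appear. A small list
# file stops a second rule being inserted while an IP is still banned.
watch_log() {
    banlist=$(mktemp)
    tail -F -n 0 "$1" | find_abusers | while read -r ip; do
        grep -qx "$ip" "$banlist" && continue
        echo "$ip" >> "$banlist"
        ban_ip "$ip"
        ( sleep "$BAN_SECONDS"; unban_ip "$ip"
          grep -vx "$ip" "$banlist" > "$banlist.new"; mv "$banlist.new" "$banlist" ) &
    done
}

# make_sample_log: constructed lines for a stand-alone run. One source sends
# 16 ANY queries in one second and 10 in the next; another sends only 3.
make_sample_log() {
    i=0
    while [ $i -lt 16 ]; do i=$((i + 1))
        printf '15-Jan-2011 22:10:01.%03d client 192.0.2.10#25345: view net: query: isc.org IN ANY +ED\n' $i
    done
    i=0
    while [ $i -lt 10 ]; do i=$((i + 1))
        printf '15-Jan-2011 22:10:02.%03d client 192.0.2.10#25345: view net: query: isc.org IN ANY +ED\n' $i
    done
    i=0
    while [ $i -lt 3 ]; do i=$((i + 1))
        printf '15-Jan-2011 22:10:01.%03d client 198.51.100.7#53811: view net: query: isc.org IN ANY +ED\n' $i
    done
    printf '15-Jan-2011 22:10:01.500 client 192.0.2.10#40000: view net: query: www.opennic.glue IN A +\n'
}

if [ "${1:-}" = "--watch" ]; then
    watch_log "$2"            # e.g. ./dnsflood.sh --watch /var/log/named/query.log
else
    echo "offending sources in the constructed sample:"
    make_sample_log | find_abusers      # only 192.0.2.10 crosses the threshold
    DRY_RUN=1
    ban_ip 192.0.2.10                   # shows the rule that would be inserted
fi
```

Two caveats worth keeping in mind with this kind of filter. The per-second window means a source can stay just under the threshold indefinitely; Jeff's numbers (about 4,000 queries per minute per IP) are far above it, so that did not matter in his case. More importantly, in a reflection attack the source address is usually the victim's, not the attacker's: dropping it stops the amplified replies from reaching the victim, which is the useful effect, but any legitimate resolver at that address is also cut off for the ban period.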