[dns-operations] DNS attack on small public server

Sat Jan 15 22:15:10 UTC 2011

This is a continuation of the discussion from the 'New subscribers' 
thread, but I want to give more detailed information here as to the 
symptoms I have been seeing.  To begin with, I run one of many public 
servers for the OpenNic project.  When I google for my IP, I find it 
listed in quite a number of discussions where folks wish to use an 
alternate DNS service from what their ISP provides, so the address is 
easily found and has been in use for several years.  Since the public 
servers from our project requires users to access OpenNic domain space 
as well as ICANN space, I of course have to allow full recursive 
lookups, and that in turn opens my server up to many forms of abuse.

Last year around July-August, I noticed my bandwidth being used up, and 
found huge numbers of queries coming from the same class-C subnet as my 
IP block, plus the subnet immediately above (*.*.83.*, *.*.84.*, and 
*.*.85.*).  Since my logs had shown no legitimate traffic from anyone 
else within my ISP, I simply blocked all queries from that range, and 
they stopped after a couple months.  This was the first I had heard of 
DNS amplification attacks, and I was told the activity looked 
suspiciously like that.

Move ahead to December, and I notice my bandwidth is again suddenly 
being swamped.  Based on information that I found, plus a suggestion 
from the new subscribers thread, and I find that all of the excessive 
queries match the following:

"#25345: view net: query: isc.org IN ANY +ED"

Some early monitoring discovered that I was typically getting about 
4,000 queries per minute from each specific IP, and these would come in 
bursts lasting between 5 and 15 minutes.  Most of the traffic is coming 
from a few specific subnets, and you can see that the queries are all 
using the same incoming port.

To combat this problem, I wrote up a simple BASH script which monitors 
the log file for the above string, and blocks (via iptables) any 
instance of more than 15 queries in 1 second, then removes the IP after 
10 minutes.  This script has continued to block these queries since I 
implemented it, without affecting legitimate traffic (and I'm still 
getting hits today).

I haven't looked much more into the problem since then, but I was told 
this mailing list might be interested in the information, and since I am 
still getting hits on this, I can easily disable the filter to get more 
detailed info if anyone would like it.