[dns-operations] annoying DDoS attack on ns0.rfc1035.com

DTNX Postmaster postmaster at dtnx.net
Sun Jun 10 08:19:24 UTC 2012


On Jun 10, 2012, at 07:10, Jim Reid wrote:

> My name server has been getting hammered with queries for ihren.org -- one of the zones it serves -- since around 00:00 GMT today. [The attack may have started earlier and I just didn't notice it.] The box is getting ~400 qps for this name. The queries come from the same IP address, just repeating over and over. The source port number changes after 25 queries or so. As soon as I get BIND to blackhole the offending prefix, another host pops up to take its place: repeated queries with a broken UDP checksum from a single IP address at a time.
> 
> Most of these IP addresses belong to N. American cable companies. I've not yet been in touch with their abuse PoCs and a ticket's been opened with my ISP.
> 
> There's clearly a botnet at work. But why target one of Johan's personal domain names and/or my server? The box doesn't host anything controversial or important like a TLD: just my mail service and DNS for friends and family. Which is of course very important to me. :-)
> 
> Is it worth trying to find the ultimate source of this attack? If so, how? Is anyone else here seeing similar behaviour?
> 
> At present, the attack is an irritant. I get a 300MB query log file in about an hour. The log files have been filled and rotated so quickly, I can't tell when the attack actually started.
> 
> In case anyone cares, here's a traffic summary for what's been logged for today's activity: timestamp (UTC + 1H), source IP address and number of queries.

What type of queries? We have something similar happening with one of 
our client domains, and they are all ANY queries from a wide variety of 
IP ranges, mostly from China. Blackhole one range, and it swaps over.

https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261

The iptables rules mentioned in the first comment work well for us, so 
far, and they work better than the log parsing we did until now. The odd 
thing is that it's just the one domain, the same type of query, on the 
same (secondary) server. Over and over.

Also, and I've seen this mentioned elsewhere as well, they kinda stick 
to certain times of the day, like someone is waking up and starting 
another batch of queries.

This is what it looked like with just the automatic IP blacklist, 
number of ANY queries per hour:

20120601-0000 : 44
20120601-0100 : 53
20120601-0200 : 8933
20120601-0300 : 608
20120601-0400 : 1020
20120601-0500 : 813
20120601-0600 : 1364
20120601-0700 : 1176
20120601-0800 : 1568
20120601-0900 : 1247
20120601-1000 : 1804
20120601-1100 : 553
20120601-1200 : 155
20120601-1300 : 533
20120601-1400 : 459
20120601-1500 : 64
20120601-1600 : 60
20120601-1700 : 51
20120601-1800 : 73
20120601-1900 : 53
20120601-2000 : 29
20120601-2100 : 34
20120601-2200 : 24
20120601-2300 : 45

20120602-0000 : 39
20120602-0100 : 33
20120602-0200 : 33
20120602-0300 : 35
20120602-0400 : 553
20120602-0500 : 595
20120602-0600 : 598
20120602-0700 : 2369
20120602-0800 : 3619
20120602-0900 : 1807
20120602-1000 : 608
20120602-1100 : 703
20120602-1200 : 142
20120602-1300 : 2694
20120602-1400 : 41
20120602-1500 : 44
20120602-1600 : 933
20120602-1700 : 28
20120602-1800 : 36
20120602-1900 : 33
20120602-2000 : 31
20120602-2100 : 23
20120602-2200 : 26
20120602-2300 : 34

20120603-0000 : 29
20120603-0100 : 34
20120603-0200 : 30
20120603-0300 : 22
20120603-0400 : 29
20120603-0500 : 1405
20120603-0600 : 613
20120603-0700 : 306
20120603-0800 : 593
20120603-0900 : 1124
20120603-1000 : 578
20120603-1100 : 103
20120603-1200 : 687
20120603-1300 : 688
20120603-1400 : 584
20120603-1500 : 1144
20120603-1600 : 637
20120603-1700 : 662
20120603-1800 : 34
20120603-1900 : 38
20120603-2000 : 33
20120603-2100 : 26
20120603-2200 : 32
20120603-2300 : 39

And this is with the iptables based rate limiter in place:

20120608-0000 : 32
20120608-0100 : 29
20120608-0200 : 21
20120608-0300 : 19
20120608-0400 : 19
20120608-0500 : 14
20120608-0600 : 12
20120608-0700 : 41
20120608-0800 : 37
20120608-0900 : 35
20120608-1000 : 60
20120608-1100 : 139
20120608-1200 : 97
20120608-1300 : 57
20120608-1400 : 74
20120608-1500 : 88
20120608-1600 : 35
20120608-1700 : 39
20120608-1800 : 36
20120608-1900 : 29
20120608-2000 : 27
20120608-2100 : 24
20120608-2200 : 20
20120608-2300 : 17

Times are CET.

If yours is completely different and I am missing something, apologies 
:-)  Hopefully the data will be useful to some; it's taken us quite a 
while to figure out as a small operator.

Rgds,
Jona
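The hourly ANY-query tally and the per-source blackholing both posts describe, as an added example rather than Jim's or Jona's own tooling: a small Python parser over constructed BIND-style query-log lines (the log line format, the addresses and the threshold are all assumptions) that produces the same `YYYYMMDD-HH00 : count` buckets shown above and lists sources worth reviewing.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# BIND 9 style query-log line (format assumed): timestamp, client ip#port, qname, qtype.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client '
    r'(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)'
)

# Constructed sample log: a burst of ANY queries for one zone from one source,
# with a second source and some ordinary A/MX traffic mixed in.
SAMPLE_LOG = """\
01-Jun-2012 01:59:58.001 queries: info: client 198.51.100.7#44021: query: example.net IN A +E (192.0.2.53)
01-Jun-2012 02:00:01.117 queries: info: client 203.0.113.5#40231: query: ihren.org IN ANY +E (192.0.2.53)
01-Jun-2012 02:00:01.250 queries: info: client 203.0.113.5#40231: query: ihren.org IN ANY +E (192.0.2.53)
01-Jun-2012 02:00:02.003 queries: info: client 203.0.113.5#40232: query: ihren.org IN ANY +E (192.0.2.53)
01-Jun-2012 02:00:03.511 queries: info: client 198.51.100.7#44022: query: ihren.org IN MX +E (192.0.2.53)
01-Jun-2012 02:00:04.020 queries: info: client 203.0.113.9#51000: query: ihren.org IN ANY +E (192.0.2.53)
01-Jun-2012 03:00:00.000 queries: info: client 203.0.113.5#40233: query: ihren.org IN ANY +E (192.0.2.53)
"""

def parse(lines):
    """Yield (timestamp, source ip, qname, qtype) for every line the regex recognises."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m['ts'], '%d-%b-%Y %H:%M:%S'), m['ip'], m['qname'], m['qtype']

def hour_key(ts):
    # Same bucket label the post uses, e.g. 20120601-0200
    return ts.strftime('%Y%m%d-%H00')

def any_per_hour(lines, qname=None):
    """Count ANY queries per hour, optionally restricted to one zone."""
    buckets = Counter()
    for ts, _ip, name, qtype in parse(lines):
        if qtype == 'ANY' and (qname is None or name == qname):
            buckets[hour_key(ts)] += 1
    return dict(buckets)

def noisy_sources(lines, threshold):
    """Sources sending more than `threshold` ANY queries in any single hour.
    Review before blackholing: a UDP source address can be spoofed, so the
    listed host may be a victim rather than the sender."""
    per_hour = defaultdict(Counter)
    for ts, ip, _name, qtype in parse(lines):
        if qtype == 'ANY':
            per_hour[hour_key(ts)][ip] += 1
    return sorted({ip for c in per_hour.values() for ip, n in c.items() if n > threshold})

if __name__ == '__main__':
    for bucket, n in sorted(any_per_hour(SAMPLE_LOG.splitlines()).items()):
        print(f'{bucket} : {n}')
    print('review:', noisy_sources(SAMPLE_LOG.splitlines(), 2))
```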