[dns-operations] annoying DDoS attack on ns0.rfc1035.com

Jan Inge Sande janinge_dnsoarc at zf.no
Sun Jun 10 16:20:43 UTC 2012


On 10 June 2012 at 16:11, Paul Vixie wrote:

> On 2012-06-10 8:45 AM, Jim Reid wrote:
>> On 10 Jun 2012, at 09:19, DTNX Postmaster wrote:
>>> The iptables rules mentioned in the first comment work well for us
>> 
>> Well for starters, I [dw]on't use Linux. The server runs FreeBSD.
> 
> what f-root has done for the last ten years (also on freebsd) is:
> 
> add     pipe 1          udp     from any to any 53 in
> pipe 1  config  mask src-ip 0xffffffff buckets 1024 bw 400Kbit/s queue 3
> add     pipe 2          tcp     from any to any 53 in
> pipe 2  config  mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
> 
> note, this approach, and the iptables approach, are inadequate since
> they look only at the query ip, whereas rate limiting has to take the
> desired response into account. i say desired response because one of the
> myriad attack formats of interest is <randomstring>.<domain> where
> "domain" is dnssec signed. here the desired response will be of the form
> "NXDOMAIN, proof from 'domain'". these have to be rate limited also, and
> there's no way to do that upstream of the name server. which brings me to:
> 
>> Besides, the damage is done by the time these packets hit the server's
>> ethernet card. At ~4000qps inbound, this is close to saturating the
>> server's VLAN in the data centre. The traffic needs to be blocked
>> before it reaches that. ...
> 
> i don't agree. 4Kqps is no big deal in input, it's the output that would
> cost you money. and as described above, there's no accurate rate
> limiting possible upstream of the name server; one has to know the
> proposed response before one can decide whether a given response ought
> to be dropped.

I'm seeing the same attack as Jim Reid described on one of my nameservers too (just found the "source"/target address on Gmane and signed up for the mailing list), at ~3Kqps/1.3Mbit/s at the moment (in Germany, AS24940). No UDP checksum, the source address is set to 37.221.160.125, and ANY queries for a zone that isn't and hasn't been in use (no records apart from DNSSEC, SOA and NS). I haven't seen anything on the other authoritative servers.

The attack has been going on at least since Thursday, when I noticed and stopped answering the queries. There were also several addresses targeted at that time. Here's a sample query:

0000   fd 35 01 00 00 01 00 00 00 00 00 01 08 62 61 63
0010   6f 6e 64 6e 73 03 62 69 7a 00 00 ff 00 01 00 00
0020   29 23 28 00 00 00 00 00 00

Jan Inge
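The following is an added example, not code from this thread or from any of the posters. It decodes the hex dump above into its DNS fields (header, question, EDNS OPT record) and then sketches the point Paul Vixie makes in the quoted reply: a rate limit keyed only on the source address cannot see that <randomstring>.<zone> queries all produce the same NXDOMAIN-plus-proof response, so the bucket has to be keyed on the response the server would send. The zone existence check is a deliberate simplification (only the apex has records, as Jan Inge describes), the token-bucket parameters are arbitrary, and the limiter is a toy, not BIND's RRL or the F-root ipfw rules.

```python
import ipaddress
import struct

# The attack query exactly as posted in the thread (41 bytes, offsets kept).
SAMPLE_DUMP = """\
0000   fd 35 01 00 00 01 00 00 00 00 00 01 08 62 61 63
0010   6f 6e 64 6e 73 03 62 69 7a 00 00 ff 00 01 00 00
0020   29 23 28 00 00 00 00 00 00
"""

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 41: "OPT", 255: "ANY"}


def dump_to_bytes(dump):
    """Drop the offset column of each line and turn the hex pairs into bytes."""
    return bytes.fromhex(" ".join(line.split(None, 1)[1]
                                  for line in dump.strip().splitlines()))


def read_name(msg, off):
    """Read an uncompressed wire-format name; return (dotted name, new offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers do not occur in a plain query
            raise ValueError("unexpected compression pointer at offset %d" % (off - 1))
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) or ".", off


def parse_query(msg):
    """Decode header, question section and (if present) the EDNS OPT record."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, edns = 12, [], None
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):  # in a query only the additional section matters
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: CLASS carries the UDP payload size, TTL the flags
            edns = {"udp_payload": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    return {"id": ident, "qr": bool(flags >> 15), "rd": bool(flags & 0x0100),
            "questions": questions, "edns": edns}


class ResponseRateLimiter:
    """Token bucket per (masked source, response identity).

    Keying on the response rather than only the query source is the point of
    the quoted reply: every <random>.<zone> query from one client maps to the
    same "NXDOMAIN with proof from zone" response and so shares one bucket.
    """

    def __init__(self, rate, burst, src_prefix=32):
        self.rate, self.burst, self.src_prefix = rate, burst, src_prefix
        self.buckets = {}  # key -> (tokens, last update time)

    def key_for(self, src_ip, query, zone_names):
        net = ipaddress.ip_network("%s/%d" % (src_ip, self.src_prefix), strict=False)
        name, qtype, _ = query["questions"][0]
        zone = next((z for z in zone_names if name == z or name.endswith("." + z)), None)
        if zone is None:
            return (net, "REFUSED")
        if name in zone_names:  # assumption: only the zone apex holds records
            return (net, QTYPE_NAMES.get(qtype, qtype), name)
        return (net, "NXDOMAIN", zone)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def simulate(n_queries, rate=5, burst=5):
    """Replay the posted ANY query n times at one instant; return how many are answered."""
    query = parse_query(dump_to_bytes(SAMPLE_DUMP))
    limiter = ResponseRateLimiter(rate, burst)
    answered = 0
    for _ in range(n_queries):
        key = limiter.key_for("37.221.160.125", query, ["bacondns.biz"])
        if limiter.allow(key, now=0.0):
            answered += 1
    return answered


if __name__ == "__main__":
    print(parse_query(dump_to_bytes(SAMPLE_DUMP)))
    print("answered %d of 100 spoofed ANY queries" % simulate(100))
```

Decoding the dump gives ID 0xfd35, RD set, one question for bacondns.biz type ANY class IN, and an OPT record advertising a 9000-byte UDP payload with the DO bit clear, which is why the amplification works even against a zone with nothing but apex records: the server is invited to send a large signed response to a spoofed 37.221.160.125.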

