[dns-operations] DNS ANY record queries - Reflection Attacks

Robert Schwartz smellyspice at gmail.com
Tue Sep 11 15:09:15 UTC 2012

Hi All - Thanks for all the great responses. I'm glad to hear I'm not the
only one seeing this type of activity!

@Paul - Yes, I read about RRL on this list before, but like Mohamed, I'm
not using BIND. (We're running TinyDNS)

@Hauke - In our case, all the requests are for domains we are authoritative
for and the domains are not related (different customers' domains being hit)
and there is no apparent increase in the number of non-existent record
queries in our logs. This would indicate the attacker has done their
homework, only sending in requests they know we will have an answer for;
ensuring maximum "reflection".

For anyone using the iptables solution posted in the link of my original
email, I had to tweak a few settings to get things working just right on
our setup:

1. I reduced the timers to --seconds 10 as our servers are too busy for a
60 second timeout, given the module's default "addresses to remember" limit
of 100 (ip_list_tot=100)

2. Requests with shorter domain names seemed to be getting by the
filtering, pushing the start of the 0000FF0001 fingerprint to before the
starting match point of 50. Changing the start point to 47 fixed this for

The other interesting thing I noticed about the attack packets is that the
source port and transaction ID are transposed. This could be used to
fingerprint the abusive packets. Here are a few lines from our TinyDNS log (domain
names removed and time-codes converted to a reader friendly format):

2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff

The three sets of hex separated by colons represent Source IP:Source
Port:Transaction ID (tinydns log file format is explained here:
http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html )

Looking at the last line, for example, shows: source port: c6df and its
inverse ID: dfc6

Anyone else seeing this behaviour in their logs?
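An added example (not from the post and not part of djbdns) that turns the port/ID fingerprint above into a log check: it parses tinydns query lines in the converted format shown, flags ANY queries whose transaction ID is the byte-swapped source port, and counts hits per source address. It assumes the TAI64N stamp has already been converted to the date/time form shown above; the 10.0.0.1 lines in the sample are constructed.

```python
import re
from collections import Counter

# tinydns query log line, with the TAI64N stamp already converted as in the
# post: "<date> <time> <srcip hex>:<srcport hex>:<txid hex> <status> <qtype hex> [<qname>]"
LOG_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \S+ (?P<ip>[0-9a-f]{8}):(?P<port>[0-9a-f]{4}):(?P<txid>[0-9a-f]{4}) "
    r"\S (?P<qtype>[0-9a-f]{4})(?: \S+)?$"
)
QTYPE_ANY = 0x00FF

# Sample input: five of the lines quoted in the post plus two constructed benign
# lines from 10.0.0.1 whose transaction IDs are unrelated to the source port.
SAMPLE_LOG = """\
2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
2012-09-11 04:19:57.000000000 0a000001:1234:5678 + 00ff example.com
2012-09-11 04:19:57.000000000 0a000001:1234:9abc + 0001 example.com
"""

def swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (0xc6df -> 0xdfc6)."""
    return ((value & 0xFF) << 8) | (value >> 8)

def parse_line(line: str):
    """Return (dotted source IP, source port, transaction ID, qtype) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip = int(m["ip"], 16)
    dotted = ".".join(str((ip >> s) & 0xFF) for s in (24, 16, 8, 0))
    return dotted, int(m["port"], 16), int(m["txid"], 16), int(m["qtype"], 16)

def is_suspect(port: int, txid: int, qtype: int) -> bool:
    """ANY query whose transaction ID is the byte-swapped source port."""
    return qtype == QTYPE_ANY and swap16(port) == txid

def suspect_sources(lines, min_hits: int = 3) -> dict:
    """Count matching queries per source; a random 16-bit ID collides with the
    swapped port only once in 65536, so a few hits is already a strong signal."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspect(*rec[1:]):
            hits[rec[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}
```

The per-source counts are the spoofed victim addresses (the reflection targets), so they are candidates for rate limiting rather than for blocking outright.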

