[dns-operations] DNS ANY record queries - Reflection Attacks

Simon Munton Simon.Munton at CommunityDNS.net
Wed Sep 12 09:06:13 UTC 2012


We've been seeing thousands of ANY queries/sec for many months, but use RRL 
to filter them, so haven't been too bothered - mostly hitting our Tokyo 
node.

http://stats.cdns.net/public/0.0.0.1/D4AE52-BBA337.html

But I can confirm we ARE getting the same pattern in the port & ID

I'm thinking a rate limiter in iptables using -u32 should be possible.


One thing we did notice was they use an impressively wide range of 
different domain names in their queries, leading us to wonder if it is 
just a simple reflection attack.



On 11/09/2012 16:09, Robert Schwartz wrote:
> The other interesting thing I noticed about the attack packets, is that
> the source port and transaction ID are transposed. This could be used to
> finger print the abusive packets. Here's a few lines from our TinyDNS
> log (domain names removed and time-codes converted to a reader friendly
> format):
>
> 2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
> 2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
> 2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
> 2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
> 2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
>
> The three sets of hex separated by colons represent Source IP:Source
> Port:Transaction ID (tinydns log file format is explained here:
> http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html )



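The port/ID transposition Robert describes above is easy to check mechanically on tinydns logs. The following is an added example, not code from either post or from the CommunityDNS or djbdns projects: it parses log lines in the format quoted in the thread (timestamp, then src-ip:src-port:txid in hex, a +/- answered flag, the query type, and an optional name), flags entries whose transaction ID is the byte-swapped source port, and counts hits per source address. The sample lines are constructed for the example (the first three reuse values from Robert's log; the rest are invented), and the function and field names are my own. One caveat a practitioner should keep in mind: values whose two bytes are equal (0xa3a3, say) match the fingerprint by construction, so a single hit is weak evidence and the per-source count is what matters.

```python
"""Fingerprint tinydns log entries whose DNS transaction ID is the
byte-swapped UDP source port (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# tinydns query log line, as quoted in the thread (time-codes already converted):
#   <timestamp> <src-ip>:<src-port>:<txid> <+|-> <qtype> [<name>]
# ip, port, txid and qtype are hex; the name was stripped from the posted lines,
# so it is optional here.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"(?P<ip>[0-9a-f]{8}):(?P<port>[0-9a-f]{4}):(?P<txid>[0-9a-f]{4}) "
    r"(?P<flag>[+-]) (?P<qtype>[0-9a-f]{4})(?: (?P<name>\S+))?$"
)

QTYPE_ANY = 0x00FF  # qtype 255 = ANY, the type seen in the attack traffic

# Constructed sample log (not real data): lines 1, 2 and 4 carry the transposed
# port/ID pattern, line 3 is an ordinary A query, line 5 is a byte-symmetric
# value that matches the fingerprint trivially.
SAMPLE_LOG = """\
2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 c0a80001:c1e4:3f2a + 0001 www.example.com
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
2012-09-11 04:19:56.030172500 c0a80002:a3a3:a3a3 + 00ff
"""


def hex_ip(h: str) -> str:
    """Render the 8-hex-digit IPv4 address tinydns logs as dotted quad."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def byte_swap16(v: int) -> int:
    """Swap the two bytes of a 16-bit value: 0x1ca3 -> 0xa31c."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def is_transposed(port: int, txid: int) -> bool:
    """True when the transaction ID equals the byte-swapped source port."""
    return byte_swap16(port) == txid


def parse_line(line: str) -> Optional[Dict]:
    """Parse one tinydns log line; returns None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src_ip": hex_ip(m["ip"]),
        "src_port": int(m["port"], 16),
        "txid": int(m["txid"], 16),
        "answered": m["flag"] == "+",
        "qtype": int(m["qtype"], 16),
        "name": m["name"],
    }


def fingerprint(log_text: str, only_any: bool = True) -> List[Dict]:
    """Return the parsed entries that carry the transposed port/ID pattern.

    With only_any=True (the default) only ANY queries are considered, since
    that is the query type the thread is about."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if only_any and rec["qtype"] != QTYPE_ANY:
            continue
        if is_transposed(rec["src_port"], rec["txid"]):
            hits.append(rec)
    return hits


def hits_per_source(log_text: str, only_any: bool = True) -> Counter:
    """Count fingerprint hits per source address; repeat offenders stand out."""
    return Counter(rec["src_ip"] for rec in fingerprint(log_text, only_any))


if __name__ == "__main__":
    for rec in fingerprint(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src_ip']}:{rec['src_port']:04x} id={rec['txid']:04x}")
    for ip, n in hits_per_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} transposed ANY queries")
```

Run it against a real tinydns log by replacing SAMPLE_LOG with the file contents. Note that this comparison of two packet fields against each other is done in userspace on the log; an iptables u32 match compares fields against constant values and ranges, so the same fingerprint does not translate directly into a single u32 rule.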