[dns-operations] Interesting log analysis

Bob Harold rharolde at umich.edu
Thu Apr 4 14:44:50 UTC 2013


I too noticed long ago that port 25345 was being used by the majority of
attacks, so I limited it for a while and recently have blocked DNS "ANY"
packets from port 25345 completely.  If a legitimate query matches that, it
should be retried on a different port, so I don't think I will have a
significant 'false positive' problem.  I next rate limit "ANY" queries.
Both of those are done with iptables.  I plan to use rrl in BIND to rate
limit what is left, but I am having trouble getting it to work correctly.

Depending on your traffic, the 1000 queries from the same port might be
normal, but for "ANY ISC.ORG" it does look awfully high.

-- 
Bob Harold
University of Michigan



> Date: Wed, 3 Apr 2013 10:29:30 -0400
> From: WBrown at e1b.org
> To: dns-operations at lists.dns-oarc.net
> Subject: [dns-operations] Interesting log analysis
> Message-ID: <OF1B491054.F3140DF8-ON85257B42.004E3595-85257B42.004F9A98 at e1b.org>
> Content-Type: text/plain; charset="US-ASCII"
>
> I noticed that queries for isc.org would come from numerous IP addresses
> but the source port would be consistent for long periods of time.  A
> little jiggery with daemon.log and I got the report below where the first
> column is the number of occurrences of the source port (# separator
> changed to space for sort/uniq field definition).  The port number is the
> only field I used in this; the IP address below is just one of many hits for
> that port.
>
> Commands used were:
>
> sed -e s/#/\ / /var/log/daemon.log |sort -k 8 > ~/sorted
> uniq -c -d -f 8 ~/sorted |sort -n -r -k 1 |more
>
> Does it make sense to look at source port for any level of rate limiting?
>
> 4085406 Apr  1 00:00:00 ns3 named[3407]: client 178.32.36.37 25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>  113613 Apr  1 00:06:28 ns3 named[3407]: client 5.135.134.141 26451 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>   37086 Apr  2 00:10:44 ns3 named[3407]: client 108.59.9.97 49940 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    6388 Apr  1 17:22:07 ns3 named[3407]: client 91.102.165.40 41819 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    5703 Apr  3 01:28:24 ns3 named[3407]: client 178.32.62.37 57335 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    4513 Apr  3 01:41:15 ns3 named[3407]: client 69.60.109.62 32743 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    4009 Apr  1 13:29:08 ns3 named[3407]: client 85.180.66.207 28943 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    3410 Apr  1 21:18:15 ns3 named[3407]: client 5.135.134.141 38299 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    3225 Apr  3 02:07:16 ns3 named[3407]: client 46.105.191.93 31198 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    2505 Apr  1 00:01:18 ns3 named[3407]: limit  responses to 216.226.125.0/24
>    2504 Apr  1 00:01:06 ns3 named[3407]: stop limiting error responses to 216.226.125.0/24
>    2280 Mar 31 22:55:43 ns3 named[3407]: client 5.135.134.141 18406 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    2231 Apr  2 00:10:44 ns3 named[3407]: client 108.59.9.97 53501 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    2178 Apr  1 15:49:56 ns3 named[3407]: client 178.32.244.171 45813 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    1845 Apr  2 18:20:23 ns3 named[3407]: client 62.75.246.181 14716 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    1704 Mar 31 15:20:48 ns3 named[3407]: client 176.31.24.240 35853 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    1325 Apr  1 14:27:54 ns3 named[3407]: client 37.43.129.10 14898 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    1049 Apr  1 18:45:47 ns3 named[3407]: client 178.32.62.37 34424 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    1043 Apr  1 20:40:06 ns3 named[3407]: client 5.135.134.141 48733 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    1033 Apr  1 13:29:08 ns3 named[3407]: client 85.180.66.207 43639 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>    1022 Apr  1 19:02:39 ns3 named[3407]: client 208.98.0.3 61182 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>
> These are all records where count was above 1000.
>
> --
>
> William Brown
> Core Hosted Application Technical Team and Messaging Team
> Technology Services, WNYRIC, Erie 1 BOCES
> (716) 821-7285
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
> End of dns-operations Digest, Vol 87, Issue 7
> *********************************************
>
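As an added example, not code from either poster, here is a Python equivalent of the sed/sort/uniq pipeline quoted above that parses the named "query ... denied" lines directly (with the "#" still between address and port), counts ANY queries per source port, and reports ports that recur across many distinct client addresses, which is the pattern William describes and the basis for Bob's port-25345 filtering. The log lines it processes are constructed for the example using documentation addresses; the thresholds and the extra "distinct source addresses" criterion are assumptions, not something from the thread.

```python
import re
from collections import Counter, defaultdict

# Matches the BIND "query (view) 'name/type/class' denied" line format quoted
# in the thread, before the '#' between client address and port is replaced.
LOG_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[^#\s]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \((?P<view>[^)]*)\) "
    r"'(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied"
)

# Constructed sample log (not from the thread); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Apr  1 00:00:00 ns3 named[3407]: client 192.0.2.10#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:01 ns3 named[3407]: client 192.0.2.11#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:02 ns3 named[3407]: client 198.51.100.7#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:03 ns3 named[3407]: client 203.0.113.5#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:04 ns3 named[3407]: client 203.0.113.9#41819 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:05 ns3 named[3407]: client 203.0.113.9#41819 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:06 ns3 named[3407]: client 192.0.2.10#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:07 ns3 named[3407]: client 192.0.2.44#53001 (isc.org): query (cache) 'isc.org/MX/IN' denied
Apr  1 00:00:08 ns3 named[3407]: limit responses to 192.0.2.0/24
"""


def parse_line(line):
    """Return a dict (ip, port, qname, view, name, qtype, qclass) or None."""
    m = LOG_RE.search(line)
    if not m:
        return None  # rate-limit notices and other messages are skipped
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines, qtype="ANY"):
    """Count denied queries of the given type per source port and per
    (port, client address); the second map shows how many distinct clients
    share one source port, which the thread's sort/uniq output cannot."""
    per_port = Counter()
    per_port_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != qtype:
            continue
        per_port[rec["port"]] += 1
        per_port_ip[rec["port"]][rec["ip"]] += 1
    return per_port, per_port_ip


def suspicious_ports(per_port, per_port_ip, min_count, min_distinct_ips=2):
    """Ports seen at least min_count times from at least min_distinct_ips
    distinct clients, as (port, count, distinct_ips) tuples in descending
    count order (the equivalent of 'sort -n -r' in the thread). A fixed
    source port shared by many clients is the thread's signal: normal
    resolvers pick a fresh random port per query."""
    out = []
    for port, n in per_port.most_common():
        distinct = len(per_port_ip[port])
        if n >= min_count and distinct >= min_distinct_ips:
            out.append((port, n, distinct))
    return out


if __name__ == "__main__":
    per_port, per_port_ip = summarize(SAMPLE_LOG.splitlines())
    for port, n, distinct in suspicious_ports(per_port, per_port_ip, min_count=2):
        print(f"port {port}: {n} ANY queries from {distinct} distinct clients")
```

On a real server the function would be fed `open("/var/log/daemon.log")` and a threshold like the 1000-hit cutoff William used; the distinct-client count is what distinguishes a single busy resolver stuck on one port from many spoofed sources sharing a port.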