[dns-operations] Recently closed open resolver and reflection attacks
Mark Andrews
marka at isc.org
Thu Mar 7 00:20:58 UTC 2013
In message <OFCF702966.7607757E-ON85257B26.005775D2-85257B26.005B3771 at e1b.org>,
WBrown at e1b.org writes:
> I recently helped close down an open recursive resolver. It is still
> getting a lot of queries for isc.org/ANY which get a refused response
> (unless slipped/dropped by RRL). Granted, this doesn't amplify the attack
> since REFUSED is a fairly small packet, but it is still traffic to the
> attacked site.
>
> Given that no properly configured server should be querying this recursive
> name server for isc.org, why should it respond with anything? Why not
> just drop the packet for any recursive request if it is not going to
> answer it. I supposed in the good old days, it was polite to say, "Sorry,
> I can't answer that." We also used to accept unsolicited commercial
> emails. The RFCs state we should either reject during SMTP or if we
> accept a message, we should either deliver or generate a delivery failure.
> Now we filter and drop spam on the floor.
It is still polite. Delegations to servers not configured for a
zone happen all the time. Go look at the logs of any recursive
server that reports these.
Mark
% grep REFUSED /Library/Logs/named.log
05-Mar-2013 07:13:43.692 error (unexpected RCODE REFUSED) resolving 'jlc.net/NS/IN': 216.177.0.15#53
05-Mar-2013 07:13:43.808 error (unexpected RCODE REFUSED) resolving '_adsp._domainkey.jlc.net/TXT/IN': 216.177.0.15#53
05-Mar-2013 07:13:44.938 error (unexpected RCODE REFUSED) resolving 'ns2.jlc.net/A/IN': 192.156.97.61#53
05-Mar-2013 07:13:44.938 error (unexpected RCODE REFUSED) resolving 'ns1.jlc.net/A/IN': 192.156.97.61#53
05-Mar-2013 07:13:45.196 error (unexpected RCODE REFUSED) resolving 'ns2.jlc.net/A/IN': 192.156.97.193#53
05-Mar-2013 07:13:45.202 error (unexpected RCODE REFUSED) resolving 'ns1.jlc.net/A/IN': 192.156.97.193#53
06-Mar-2013 15:37:43.069 error (unexpected RCODE REFUSED) resolving 'www.openssl.org/AAAA/IN': 194.97.152.160#53
06-Mar-2013 15:37:43.073 error (unexpected RCODE REFUSED) resolving 'www.openssl.org/A/IN': 194.97.152.160#53
%
% grep lame /Library/Logs/named.log
04-Mar-2013 18:15:42.865 lame server resolving 'bartcentral.dommel.be' (in 'dommel.be'?): 193.109.184.66#53
04-Mar-2013 18:15:42.865 lame server resolving 'bartcentral.dommel.be' (in 'dommel.be'?): 193.109.184.66#53
05-Mar-2013 07:11:56.573 lame server resolving 'isdg.net' (in 'isdg.net'?): 198.6.1.65#53
05-Mar-2013 07:11:56.631 lame server resolving 'tms1._domainkey.isdg.net' (in 'isdg.net'?): 198.6.1.65#53
05-Mar-2013 07:11:57.603 lame server resolving '_adsp._domainkey.isdg.net' (in 'isdg.net'?): 2600:803:408:2::10#53
06-Mar-2013 15:37:55.502 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 217.115.143.130#53
06-Mar-2013 15:37:55.533 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 217.115.143.130#53
06-Mar-2013 15:37:55.843 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 80.237.128.1#53
06-Mar-2013 15:37:55.876 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 80.237.128.1#53
%
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
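
Added example, not part of the original message: a small Python summary of the two kinds of named.log entries shown above, grouping by remote server the names that drew REFUSED and the zones reported lame. The regular expressions are written against the line formats quoted in the message; the sample lines, names and addresses are constructed (documentation ranges), and the function name `summarize` is hypothetical.

```python
import re
from collections import defaultdict

# Patterns follow the named.log line formats quoted in the message above.
REFUSED_RE = re.compile(
    r"unexpected RCODE REFUSED\) resolving '(?P<name>[^'/]+)/[^']*': (?P<server>\S+)#\d+\s*$")
LAME_RE = re.compile(
    r"lame server resolving '[^']+' \(in '(?P<zone>[^']+)'\?\): (?P<server>\S+)#\d+\s*$")

# Constructed sample input (not taken from a real log).
SAMPLE = """\
05-Mar-2013 07:13:43.692 error (unexpected RCODE REFUSED) resolving 'example.net/NS/IN': 192.0.2.15#53
05-Mar-2013 07:13:44.938 error (unexpected RCODE REFUSED) resolving 'ns1.example.net/A/IN': 192.0.2.15#53
05-Mar-2013 07:11:56.573 lame server resolving 'example.org' (in 'example.org'?): 198.51.100.65#53
05-Mar-2013 07:11:57.603 lame server resolving '_adsp._domainkey.example.org' (in 'example.org'?): 2001:db8:408:2::10#53
05-Mar-2013 07:12:00.000 some unrelated line that must be ignored
""".splitlines()

def summarize(lines):
    """Map each remote server to {'refused': names, 'lame': zones} (sets)."""
    report = defaultdict(lambda: {"refused": set(), "lame": set()})
    for line in lines:
        m = REFUSED_RE.search(line)
        if m:
            report[m["server"]]["refused"].add(m["name"].lower())
            continue
        m = LAME_RE.search(line)
        if m:
            # \S+ before '#port' also captures IPv6 server addresses.
            report[m["server"]]["lame"].add(m["zone"].lower())
    return dict(report)

if __name__ == "__main__":
    for server, seen in sorted(summarize(SAMPLE).items()):
        print(server,
              "refused:", ", ".join(sorted(seen["refused"])) or "-",
              "| lame:", ", ".join(sorted(seen["lame"])) or "-")
```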