Interesting DOS attack against bind

Christopher McCrory chrismcc at netus.com
Thu Aug 5 20:16:16 UTC 1999


Hello...

	Someone started running a DOS attack against my name servers
today or last night.  I had several clients call with slow surfing
complaints.  After some poking around I found slow DNS lookups to be the
problem.  I did a "ndc querylog" on both servers and looked for patterns
or anything unusual.  I saw lots of "... named[17556]: XX
/a.b.c.d/aol.com/MX" entries.  The attack was simple: request MX records
for aol.com once every second or two per IP address with 6 different
spoofed IP addresses.  Aol.com has a large MX entry.  The queries are UDP
based so spoofing is simple.  This consumed resources so everyone else's
DNS lookups were (very) slow.  My setup is dual PII 350 x 256 Megs, bind
8.1.2, Linux kernel 2.2.x for both DNS servers.
	The solution was to use ipchains to discard (not reject) TCP and UDP
packets to port 53 from the apparent source addresses.  With
ipchains:

    ipchains -A input -p udp -s a.b.c.0/24 -d my_subnet/24 domain -j DENY
    ipchains -A input -p tcp -s a.b.c.0/24 -d my_subnet/24 domain -j DENY

for each remote IP range on each local server.

	I hope this helps anyone else in a similar situation.

	Does anyone have a DNS log parser that would strip out local DNS
requests and remote DNS for local domains and show external queries for
external domains?  Could this be a bind stats dump option already that I
haven't seen?


-- 

Christopher McCrory
Lead Bithead, Netus Inc.
chrismcc at netus.com
admin at netus.com

"Linux: Because rebooting is for adding new hardware"
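The filter the post asks for, as an added example that is not part of the original message: it parses the BIND 8 "XX /client/name/type" querylog lines quoted above, drops queries from local clients and queries for locally hosted zones, and counts what is left per (client, name, type) so the repeated aol.com MX pattern stands out. The local address range, the hosted zone and the sample log lines are constructed for the example, not taken from the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Query log line format as quoted in the post: "named[pid]: XX /client/name/type"
QUERY_RE = re.compile(r"named\[\d+\]: XX /(?P<client>[^/]+)/(?P<name>[^/]+)/(?P<qtype>\w+)")

# Assumed values, not from the post: our own address space and the zones we host.
LOCAL_NETS = [ip_network("192.0.2.0/24")]
LOCAL_ZONES = ["example.net"]

def classify(client, name):
    """Bucket a query by who asked and what they asked for."""
    addr = ip_address(client)
    if any(addr in net for net in LOCAL_NETS):
        return "local-client"
    qname = name.lower().rstrip(".")
    if any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES):
        return "remote-for-local-zone"
    return "external"  # remote client asking about a domain we do not host

def parse_querylog(lines):
    """Yield (client, name, qtype, category) for each recognised query line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            c, n, t = m.group("client", "name", "qtype")
            yield c, n, t, classify(c, n)

def external_queries(lines):
    """The view the post asks for: only external clients querying external names."""
    return [(c, n, t) for c, n, t, cat in parse_querylog(lines) if cat == "external"]

def abusive_sources(lines, threshold):
    """Count external (client, name, qtype) triples and return those at or over
    threshold; a few sources repeating one MX lookup is the pattern described."""
    counts = Counter(external_queries(lines))
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample log (addresses taken from documentation ranges).
SAMPLE_LOG = """\
Aug  5 12:00:01 ns1 named[17556]: XX /192.0.2.10/www.aol.com/A
Aug  5 12:00:02 ns1 named[17556]: XX /198.51.100.7/example.net/MX
Aug  5 12:00:02 ns1 named[17556]: XX /203.0.113.5/aol.com/MX
Aug  5 12:00:03 ns1 named[17556]: XX /203.0.113.5/aol.com/MX
Aug  5 12:00:04 ns1 named[17556]: XX /203.0.113.5/aol.com/MX
Aug  5 12:00:04 ns1 named[17556]: XX /203.0.113.9/aol.com/MX
""".splitlines()

if __name__ == "__main__":
    for key, n in abusive_sources(SAMPLE_LOG, threshold=3).items():
        print(n, key)
```

Feed it the output of `ndc querylog` from syslog; the threshold should be tuned to the normal query rate of the busiest legitimate remote resolver.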
