Deflecting Bogus Queries -- Machine Under Attack, PLEASE HELP.

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 5 22:52:24 UTC 2004


For the future, perhaps it might be useful for "blackhole" to be 
available as a zone option as well as a global option, but currently I 
see no way for BIND to help you in your predicament.

It should be possible, however, to craft router filters and/or firewall 
rules to drop packets querying a particular name.

- Kevin

Dan Mahoney, System Admin wrote:

>On Thu, 5 Aug 2004, Sten Carlsen wrote:
>
>>Dan Mahoney, System Admin wrote:
>>
>>>On Thu, 5 Aug 2004, Sten Carlsen wrote:
>>>
>>>>Hi
>>>>
>>>>How about making a local zone for which you are authoritative and return 
>>>>"no A record present". At least it will stop any recursive lookups.
>>>I (or the customer, actually) *am* authoritative for elephaunt.org. These 
>>>are not recursive lookups.  But I'm sure this is setting off firewall logs 
>>>at all the spoofed hosts, no matter what I return.
>>>
>>>That's why I wanted the "silent ignore" option.  You can do it per IP, but 
>>>not per zone.
>>>
>>>-Dan
>>>
>>Ok, then I guess you just have to serve out answers, I doubt you could 
>>determine which question is "real" and which is "noise".
>
>Anything for the non-existent zone spaz.elephaunt.org is noise.
>
>-Dan
>
>>>>Dan Mahoney wrote:
>>>>
>>>>>I'm presently dealing with a DNS server that's under attack, and is
>>>>>being made to spew out DNS responses all over the internet, hundreds,
>>>>>maybe thousands a second.
>>>>>
>>>>>I cannot trace the source IP to log it or ban it because it's
>>>>>obviously forged, and there's enough DNS traffic on the wire that it's
>>>>>suitably masked.
>>>>>
>>>>>I'd like to know if I can just somehow set bind to DROP all queries
>>>>>for the domain in question.  No response, no nothing, just silently
>>>>>ignore them.  It won't make the attack stop, but at least it'll stop
>>>>>me from being used as a reflector.
>>>>>
>>>>>These domains don't even exist.  I thought about redirecting an NS
>>>>>record for these subdomains elsewhere, but it wouldn't really matter
>>>>>since I think the attack is ignoring true DNS.
>>>>>
>>>>>Here's a quick log:
>>>>>
>>>>>Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>>>>spasm.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query:
>>>>>spaz.elephaunt.org IN A
>>>>>Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
>>>>>spasm.elephaunt.org IN A
>>>>>
>>>>>Replies to this address are appreciated, although I will of course
>>>>>check the group.  danm at ezzi dot net is also useful.
>>>>>
>>>-- 
>>>
>>>"We need another cat.  This one's retarded."
>>>
>>>-Cali, March 8, 2003 (3:43 AM)
>>>
>>>--------Dan Mahoney--------
>>>Techie,  Sysadmin,  WebGeek
>>>Gushi on efnet/undernet IRC
>>>ICQ: 13735144   AIM: LarpGM
>>>Site:  http://www.gushi.org
>>>---------------------------
>>>
>>-- Best regards
>>
>>Sten Carlsen
>>
>>Let HIM who has an empty INBOX send the first mail.
>>
>
>--
>
>"Be happy.  Try not to hurt each other.  Hope you fall in love."
>
>--Mallory, Family Ties Finale (on the meaning of life)
>
>--------Dan Mahoney--------
>Techie,  Sysadmin,  WebGeek
>Gushi on efnet/undernet IRC
>ICQ: 13735144   AIM: LarpGM
>Site:  http://www.gushi.org
>---------------------------
>
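Added example, not code from anyone in this thread: a small Python parser for the named query-log format Dan quoted, tallying queries for names you do not serve (count and distinct ip#port sources) so the reflected noise for the nonexistent names stands out, plus the DNS wire-format encoding of a name, which is the byte pattern a packet filter of the kind Kevin suggests would have to match. The log sample and the served-name set are constructed; 192.0.2.7 is a placeholder client.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the named query-log format quoted in the thread;
# records wrap onto two physical lines exactly as they did in the mail.
SAMPLE_LOG = """\
Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query:
spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query:
spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 192.0.2.7#1234: query:
www.elephaunt.org IN A
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: "
                      r"(?P<name>\S+) IN (?P<type>\S+)")

def parse_query_log(text):
    """Return (client_ip, port, qname, qtype) tuples from query-log text,
    rejoining the wrapped records so each query is matched as one line."""
    joined = re.sub(r"query:\s*\n\s*", "query: ", text)
    return [(m["ip"], int(m["port"]), m["name"].lower().rstrip("."), m["type"])
            for m in QUERY_RE.finditer(joined)]

def noise_report(records, served_names):
    """Per name you do not serve: query count and distinct ip#port sources.
    Reflected noise shows many sources, or one fixed ip#port repeating."""
    hits = defaultdict(Counter)
    for ip, port, name, _ in records:
        if name not in served_names:
            hits[name][f"{ip}#{port}"] += 1
    return {name: {"queries": sum(c.values()), "sources": len(c)}
            for name, c in hits.items()}

def wire_name(name):
    """DNS wire-format encoding of a name (length-prefixed labels plus root
    terminator): the byte pattern a packet filter must match to drop it."""
    out = b""
    for label in name.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"
```

Calling `noise_report(parse_query_log(SAMPLE_LOG), {"elephaunt.org", "www.elephaunt.org"})` lists only the spaz and spasm names, each with two queries from two sources, while the legitimate www query is left out.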