Bind ANY ANY Query Denial of Service
Vinny Abello
vinny at tellurian.com
Wed Aug 10 03:47:27 UTC 2005
At 11:39 PM 8/9/2005, Vinny Abello wrote:
>At 06:50 PM 8/9/2005, srv1054 at gmail.com wrote:
> >We are a large national ISP and we have a number of BIND DNS Caching
> >servers around the country for our customers.
> >
> >We've been victims of multiple Denial of Service attacks against our
> >BIND DNS servers. Now normally this isn't an issue because we do not
> >allow Recursion for IPs we don't own, as well as we can make use of
> >BIND's wonderful ability to blackhole IPs.
> >
> >The problem comes from this. We have out to our customer base a huge
> >number of CPE routers deployed that contain a bug which allows any IP
> >to query the CPE router for DNS and it will simply just forward the
> >request off to its primary DNS server. The CPE is not smart, and the
> >way it's configured we can not disable the DNS settings, as well as it
> >is a massive undertaking to upgrade all the CPE in the field (tens of
> >thousands of them) to the latest patch in any reasonable amount of
> >time.
> >
> >The DoS attacks are targeted at our entire IP blocks, and because of
> >the above mentioned bug, any of these CPE that happen to get hit will
> >forward the DNS request to our caching servers. So it appears we are
> >being attacked by our own customer base. When this happens we get
> >thousands of queries from thousands of our own IPs that are all
> >querying for ANY ANY.
> >
> >To my knowledge ANY ANY is not a valid query and BIND simply returns a
> >list of ROOT servers.
> >
> >The problem now is that if we blackhole the IPs that this comes from,
> >we are blocking our customers from using DNS and it's not even their
> >fault.
> >
> >We've been around a million ways to solve this problem but we need a
> >fast way to make BIND not respond to this type of query, until we can
> >fix the greater problem which is patching all of the CPE to a version
> >that does not allow DNS forwarding from external interfaces. (ya
> >pretty dumb)
> >
> >The simple solution from our stand point is to have BIND not respond to
> >this type of query. And rather, just ignore the ANY ANY query or
> >blackhole it. I've included a sample from the QUERY logs to show what
> >we see when this happens.
> >
> >Should it even be responding to ANY ANY queries? That seems invalid,
> >maybe this is a bug?
> >
> >Thousands and thousands of these from thousands of IPs:
> >
> >Aug 9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client 209.125.200.66#53: query: . ANY ANY +
> >Aug 9 15:58:14 ns1.ord named[27662]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
> >Aug 9 15:58:14 ns1.pdx named[27662]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
> >Aug 9 15:58:14 ns1.sjc named[27662]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
> >
> >
> >Any help or direction you could provide is much appreciated.
>
>Assuming these attacks are originating outside of your network, can
>you simply block UDP/TCP 53 to your customers' CPEs? This will only
>break their resolution if the query is being sourced from 53 which it
>likely isn't. Just a suggestion...
In fact, block it from everywhere except from your DNS servers so if
they are trying to source from 53, they'll likely be using
your DNS servers as resolvers anyway and it'll work. Of course if
they are running their own DNS servers as resolvers sourcing from 53
and not using forwarders, this will still cause problems but you
could make exceptions.
That's just a quick and dirty thing to do in a pinch. If your
router/firewall can inspect the packets and detect that pattern and
block it, that would be more desirable obviously. As it was said
already though, fixing the CPEs would be my priority hopefully by
doing a firmware update.
Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
"Courage is resistance to fear, mastery of fear - not absence of
fear" -- Mark Twain
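Added example (editor's addition, not code from the thread or from BIND): a small parser for the query-log lines quoted above that counts root ". ANY ANY" queries per client, records which clients send from source port 53 (the case Vinny's port-53 filter would break), and separates sources inside the ISP's own address blocks (traffic relayed by a buggy CPE) from outside hosts hitting the resolver directly. The customer prefixes are hypothetical and the log sample is constructed from the four lines in the original post plus a normal lookup, an outside source and a non-query line. Note that "ANY ANY" is the query log's "<class> <type>" field pair: QCLASS ANY (255) and QTYPE ANY (255) are both defined in RFC 1035, so the query is syntactically legal even if it is useless to a legitimate client.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the BIND 9 query-log lines quoted in the thread:
#   "client <ip>#<port>: query: <name> <class> <type> <flags>"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Hypothetical address blocks assigned to customers (assumption, not from the thread).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("72.20.0.0/16"),
    ipaddress.ip_network("209.125.200.0/24"),
]

# Constructed sample log: the four lines quoted in the thread (re-joined onto one
# line each), plus a normal lookup, a query from outside the customer blocks
# (198.51.100.9 is documentation space), and a non-query line.
SAMPLE_LOG = """\
Aug  9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client 209.125.200.66#53: query: . ANY ANY +
Aug  9 15:58:14 ns1.ord named[27662]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
Aug  9 15:58:14 ns1.pdx named[27662]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
Aug  9 15:58:14 ns1.sjc named[27662]: [ID 866145 local5.info] client 72.20.18.17#6442: query: . ANY ANY +
Aug  9 15:58:15 ns1.sjc named[27662]: [ID 866145 local5.info] client 72.20.18.40#1025: query: www.example.com IN A +
Aug  9 15:58:16 ns1.sjc named[27662]: [ID 866145 local5.info] client 198.51.100.9#4000: query: . ANY ANY +
Aug  9 15:58:16 ns1.sjc named[27662]: [ID 866145 local5.info] zone example.com/IN: loaded serial 1
"""


def parse_query(line):
    """Return the client and question fields of a query-log line, or None for other lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "port": int(m["port"]),
        "name": m["name"],
        "qclass": m["qclass"],
        "qtype": m["qtype"],
    }


def is_root_any_any(q):
    """True for the attack signature seen in the thread: QNAME '.', QCLASS ANY, QTYPE ANY."""
    return q["name"] == "." and q["qclass"] == "ANY" and q["qtype"] == "ANY"


def is_customer(ip_str, prefixes=CUSTOMER_PREFIXES):
    """True if the source address falls inside one of the ISP's own (assumed) blocks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in prefixes)


def analyse(lines, prefixes=CUSTOMER_PREFIXES):
    """Summarise root ANY/ANY queries: count per client, which clients send from
    source port 53, and whether the source is a customer address (relayed through
    a CPE) or an outside host querying the resolver directly."""
    per_client = Counter()
    port53_clients = Counter()
    total = relayed = direct = 0
    for line in lines:
        q = parse_query(line)
        if q is None or not is_root_any_any(q):
            continue
        total += 1
        per_client[q["ip"]] += 1
        if q["port"] == 53:
            port53_clients[q["ip"]] += 1
        if is_customer(q["ip"], prefixes):
            relayed += 1
        else:
            direct += 1
    return {
        "total": total,
        "relayed": relayed,
        "direct": direct,
        "per_client": dict(per_client),
        "port53_clients": dict(port53_clients),
    }


def flagged_relays(report, threshold, prefixes=CUSTOMER_PREFIXES):
    """Customer-side addresses that sent at least `threshold` root ANY/ANY queries,
    most active first: these are the CPEs to patch, not addresses to blackhole."""
    hits = [
        (ip, n) for ip, n in report["per_client"].items()
        if n >= threshold and is_customer(ip, prefixes)
    ]
    hits.sort(key=lambda t: (-t[1], t[0]))
    return [ip for ip, _ in hits]


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print(report)
    print("CPEs to patch first:", flagged_relays(report, 2))
```

Run against a real query log (`analyse(open("/var/log/named/query.log"))`) the "relayed" versus "direct" split shows how much of the flood is really coming through the CPEs, "port53_clients" lists the customers whose resolution a blanket port-53 filter would break, and "flagged_relays" gives a worklist for the firmware update rather than a blackhole list.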