Interesting DOS attack against bind

Bjørn Mork bmork at dod.no
Thu Aug 5 21:03:34 UTC 1999


Christopher McCrory <chrismcc at netus.com> writes:

> Hello...
> 
> 	Someone today started running a DOS attack against my name servers
> today or last night.  I had several clients call with slow surfing
> complaints.  After some poking around I found slow DNS lookups to be the
> problem.  I did a "ndc querylog" on both servers and looked for patterns
> or anything unusual.  I saw lots of "... named[17556]: XX
> /a.b.c.d/aol.com/MX" entries. The attack was simple, request MX records
> for aol.com once every second or two per ip address with 6 different
> spoofed ip addresses.  Aol.com has a large MX entry.  The queries are udp
> based so spoofing is simple.  This consumed resources so everyone else's
> DNS lookups were (very) slow.  My setup is dual PII 350 x 256Megs, bind
> 8.1.2, Linux kernel 2.2.x for both DNS servers.

See 
<URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-07-29&msg=199907310000.AA154206596@sail.it>

> 	The solution was to use ipchains to discard (not reject) tcp and udp
> packets to port 53 from the apparent source addresses.

Which may also be a problem since the apparent source address is the real 
target of the attack. But there is probably no other solution?


Bjørn
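
The querylog pattern discussed in this thread (the same client address repeating the same MX query every second or two) can be checked for mechanically. The following is an added example, not part of the original messages; the syslog timestamp/host prefix, the 30-second window, the threshold of 10 and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Only the "named[pid]: XX /client/name/type" tail comes from the post; the
# syslog timestamp and host prefix matched here are an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\snamed\[\d+\]:\s+"
    r"XX\s*/(?P<client>[^/]+)/(?P<qname>[^/]+)/(?P<qtype>\w+)")

def parse(line, year=1999):
    """Return (timestamp, client, qname, qtype), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["client"], m["qname"].lower(), m["qtype"].upper()

def repeated_queries(lines, window=30, threshold=10, year=1999):
    """Map (client, qname, qtype) -> peak count for every key seen at least
    `threshold` times inside any `window`-second span."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line, year)
        if rec:
            seen[rec[1:]].append(rec[0])
    flagged = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):      # sliding window over time
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def constructed_sample():
    """Constructed log: two sources repeat aol.com/MX every 2 s, one is normal."""
    pre = "ns1 named[17556]: XX"
    lines = [f"Aug  5 10:00:{s:02d} {pre} /192.0.2.{h}/aol.com/MX"
             for s in range(0, 40, 2) for h in (10, 11)]
    lines.append(f"Aug  5 10:00:03 {pre} /198.51.100.7/example.org/A")
    lines.append(f"Aug  5 10:00:20 {pre} /198.51.100.7/example.net/A")
    return lines

if __name__ == "__main__":
    for (client, qname, qtype), peak in repeated_queries(constructed_sample()).items():
        print(f"{client} repeated {qname}/{qtype} {peak} times within 30 s")
```

As the reply above points out, a flagged address is only the apparent source, so the output identifies traffic to examine rather than the sender.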

