Strange DOS attack or just wacky config ....

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 12 01:02:10 UTC 2000


If it were just a case of someone using you as a root server, you wouldn't
see many queries for TLDs; you'd see mostly the fully-qualified names of
whatever they were looking up, e.g. www.chrysler.com. On the other hand, if
this is a DOS attack, it sure is a stupid one, considering that you're not
recursing anywhere. I suspect that this may be one of those "let's compile
a database of every domain name in existence" morons at work, and your
nameserver just happened to be picked as the start of the data collection
process...


- Kevin

Gregory Whalin wrote:

> We have been seeing some strange happenings on our primary DNS server
> which seems to be causing us some issues.  At first I was convinced that
> this was some sort of DOS attack since the first instance hit from
> several IPs on a subnet out of Romania.  It now seems that several
> other IPs are hitting.  The log entries are due to the fact that we do
> not allow recursive queries from off-site locations.  The strange thing
> is that it looks like these sites are using us as a root server.  If
> anyone has any thoughts or ideas, it would be greatly appreciated.  I am
> attaching a section of the logs to this message.  This is just a small
> section.  The "attack" seems to last for 15-20 minutes at a time and
> then come from another address.
>
> Thanks!
>
> Greg
>
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1819 for fr
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2134 for gov
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1961 for cz
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2760 for sk
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1756 for gov
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1074 for sk
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2580 for nrc.ca
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2010 for ca
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2570 for nrc.ca
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1879 for ca
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2710 for nu
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1280 for se
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1363 for nu
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2655 for psi.net
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2137 for se
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2198 for org
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1809 for psi.net
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2115 for arpa
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1921 for org
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1044 for es
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1420 for arpa
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1140 for ma
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1065 for es
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2557 for ac.in
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1370 for ma
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1531 for ro
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2898 for ac.in
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2490 for ac.cy
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1561 for ro
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2230 for edu
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2900 for ac.cy
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2804 for nl
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2648 for edu
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2565 for be
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2724 for nl
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2458 for fi
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1264 for be
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2900 for ac.uk
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1712 for fi
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2073 for it
> Seep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1222 for ac.uk
> Seep  1 04:46:40 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2626 for sh
>
> --
> Gregory Whalin
> gwhalin at clickthebutton.com
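
The distinction drawn in the reply (bare TLDs and zone names versus fully-qualified host names) can be checked per source address over the refused-query log. The following is an added example, not code from the thread or from BIND; the function names, the thresholds and the second source address (192.0.2.10, documentation range) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the refusal message shown in the thread, starting at "named[pid]:".
ENTRY = re.compile(
    r"named\[\d+\]: unapproved recursive query from\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.\d+ for (?P<name>\S+)")

def parse(log_text):
    """Yield (source_ip, qname); tolerates '> ' mail quoting and wrapped entries."""
    joined = " ".join(line.lstrip("> ").strip() for line in log_text.splitlines())
    for m in ENTRY.finditer(joined):
        yield m.group("ip"), m.group("name").rstrip(".").lower()

def profile(log_text, min_queries=5, short_ratio=0.8):
    """Summarise refused queries per source and label the dominant name shape."""
    by_src = defaultdict(list)
    for ip, qname in parse(log_text):
        by_src[ip].append(qname)
    report = {}
    for ip, names in by_src.items():
        tld = sum(1 for n in names if "." not in n)         # bare TLD: fr, gov
        short = sum(1 for n in names if n.count(".") <= 1)  # TLD or zone: nrc.ca
        if len(names) < min_queries:
            verdict = "too-few-queries"
        elif short / len(names) >= short_ratio:
            verdict = "mostly-tld-or-zone"      # the pattern in the posted log
        else:
            verdict = "mostly-full-hostnames"   # stray resolver traffic looks like this
        report[ip] = {"queries": len(names), "distinct": len(set(names)),
                      "tld": tld, "short": short, "verdict": verdict}
    return report

def _entry(ip, port, name):
    # Constructed sample entry in the thread's format, wrapped as in the e-mail.
    return (f"> Sep  1 04:46:39 mail named[17879]: unapproved recursive query from\n"
            f"> [{ip}].{port} for {name}\n")

# Constructed sample: names for the first source are taken from the posted log;
# the second source (192.0.2.10, documentation range) is invented for contrast.
SAMPLE = "".join(
    [_entry("212.93.140.55", 1819 + i, n) for i, n in
     enumerate(["fr", "gov", "cz", "sk", "gov", "sk", "nrc.ca", "ca"])] +
    [_entry("192.0.2.10", 4000 + i, n) for i, n in
     enumerate(["www.chrysler.com", "www.example.com", "mail.example.org",
                "ftp.example.net", "ns1.example.edu"])])

if __name__ == "__main__":
    for src, stats in profile(SAMPLE).items():
        print(src, stats)
```
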





