Strange DOS attack or just wacky config ....
Kevin Darcy
kcd at daimlerchrysler.com
Tue Sep 12 01:02:10 UTC 2000
If it were just a case of someone using you as a root server, you wouldn't
see many queries for TLDs; you'd see mostly the fully-qualified names of
whatever they were looking up, e.g. www.chrysler.com. On the other hand, if
this is a DOS attack, it sure is a stupid one, considering that you're not
recursing anywhere. I suspect that this may be one of those "let's compile
a database of every domain name in existence" morons at work, and your
nameserver just happened to be picked as the start of the data collection
process...
- Kevin
Gregory Whalin wrote:
> We have been seeing some strange happenings on our primary DNS server
> which seems to be causing us some issues. At first I was convinced that
> this was some sort of DOS attack since the first instance hit from
> several IPs on a subnet out of Romania. It now seems that several
> other IPs are hitting. The log entries are due to the fact that we do
> not allow recursive queries from off-site locations. The strange thing
> is that it looks like these sites are using us as a root server. If
> anyone has any thoughts or ideas, it would be greatly appreciated. I am
> attaching a section of the logs to this message. This is just a small
> section. The "attack" seems to last for 15-20 minutes at a time and
> then come from another address.
>
> Thanks!
>
> Greg
>
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1819 for fr
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2134 for gov
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1961 for cz
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2760 for sk
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1756 for gov
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1074 for sk
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2580 for nrc.ca
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2010 for ca
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2570 for nrc.ca
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1879 for ca
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2710 for nu
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1280 for se
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1363 for nu
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2655 for psi.net
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2137 for se
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2198 for org
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1809 for psi.net
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2115 for arpa
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1921 for org
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1044 for es
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1420 for arpa
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1140 for ma
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1065 for es
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2557 for ac.in
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1370 for ma
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1531 for ro
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2898 for ac.in
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2490 for ac.cy
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1561 for ro
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2230 for edu
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2900 for ac.cy
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2804 for nl
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2648 for edu
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2565 for be
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2724 for nl
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2458 for fi
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1264 for be
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2900 for ac.uk
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1712 for fi
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2073 for it
> Seep 1 04:46:39 mail named[17879]: unapproved recursive query from
> [212.93.140.55].1222 for ac.uk
> Seep 1 04:46:40 mail named[17879]: unapproved recursive query from
> [212.93.140.55].2626 for sh
>
> --
> Gregory Whalin
> gwhalin at clickthebutton.com
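
The distinction drawn in the reply above (a client misusing the server as a resolver asks for fully-qualified host names, while a name-collection sweep asks for TLDs and bare domains) can be turned into a per-source log triage. This is an added example, not part of the original thread; the sample log lines are constructed with documentation addresses, and the thresholds and verdict names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Message shape quoted in the thread; \s+ lets a match span a mail-wrapped line.
QUERY_RE = re.compile(
    r"unapproved recursive query from\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\.(\d+)\s+for\s+(\S+)"
)

# Constructed sample (documentation addresses); one entry is wrapped and ">"-quoted.
SAMPLE_LOG = """\
Sep  1 04:46:39 mail named[17879]: unapproved recursive query from [192.0.2.55].1819 for fr
> Sep  1 04:46:39 mail named[17879]: unapproved recursive query from
> [192.0.2.55].2134 for gov
Sep  1 04:46:39 mail named[17879]: unapproved recursive query from [192.0.2.55].1961 for cz
Sep  1 04:46:39 mail named[17879]: unapproved recursive query from [192.0.2.55].2580 for nrc.ca
Sep  1 04:46:40 mail named[17879]: unapproved recursive query from [192.0.2.55].2010 for ca
Sep  1 04:47:02 mail named[17879]: unapproved recursive query from [198.51.100.7].1033 for www.example.com
Sep  1 04:47:03 mail named[17879]: unapproved recursive query from [198.51.100.7].1034 for mail.example.org
Sep  1 04:47:05 mail named[17879]: unapproved recursive query from [198.51.100.7].1035 for ftp.example.net
Sep  1 04:47:09 mail named[17879]: unapproved recursive query from [198.51.100.7].1036 for example.com
Sep  1 04:48:11 mail named[17879]: unapproved recursive query from [203.0.113.9].1500 for org
"""


def triage(log_text, max_short_labels=2, min_queries=4, short_ratio=0.8):
    """Classify each source; the thresholds are illustrative assumptions."""
    text = re.sub(r"^>[ \t]?", "", log_text, flags=re.MULTILINE)  # drop quote marks
    names_by_src = defaultdict(list)
    for ip, _port, name in QUERY_RE.findall(text):
        names_by_src[ip].append(name.rstrip(".").lower())
    report = {}
    for ip, names in names_by_src.items():
        short = sum(1 for n in names if n.count(".") + 1 <= max_short_labels)
        ratio = short / len(names)
        if len(names) < min_queries:
            verdict = "insufficient-data"
        elif ratio >= short_ratio:
            verdict = "tld-enumeration"       # mostly TLDs / bare domains
        else:
            verdict = "misdirected-resolver"  # mostly fully-qualified host names
        report[ip] = {"queries": len(names), "distinct": len(set(names)),
                      "short_ratio": round(ratio, 2), "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, row in sorted(triage(SAMPLE_LOG).items()):
        print(src, row)
```
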