Deflecting Bogus Queries -- Machine Under Attack, PLEASE HELP.

Joseph Hallford jdh at storeswehost.com
Thu Aug 5 17:36:59 UTC 2004


I would like to highly recommend the following:

http://www.cymru.com/Documents/secure-bind-template.html

Works great for me, YMMV.

Joseph Hallford
StoresWeHost.com


Quoting Sten Carlsen <ccc2716 at vip.cybercity.dk>:

> Hi
> 
> How about making a local zone for which you are authoritative and return 
> "no A record present". At least it will stop any recursive lookups.
> 
> 
> Dan Mahoney wrote:
> 
> >I'm presently dealing with a DNS server that's under attack, and is
> >being made to spew out DNS responses all over the internet, hundreds,
> >maybe thousands a second.
> >
> >I cannot trace the source IP to log it or ban it because it's
> >obviously forged, and there's enough DNS traffic on the wire that it's
> >suitably masked.
> >
> >I'd like to know if I can just somehow set bind to DROP all queries
> >for the domain in question.  No response, no nothing, just silently
> >ignore them.  It won't make the attack stop, but at least it'll stop
> >me from being used as a reflector.
> >
> >These domains don't even exist.  I thought about redirecting an NS
> >record for these subdomains elsewhere, but it wouldn't really matter
> >since I think the attack is ignoring true DNS.
> >
> >Here's a quick log:
> >
> >Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >spasm.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query:
> >spaz.elephaunt.org IN A
> >Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
> >spasm.elephaunt.org IN A
> >
> >Replies to this address are appreciated, although I will of course
> >check the group.  danm at ezzi dot net is also useful.
> >
> 
> -- 
> Best regards
> 
> Sten Carlsen
> 
> Let HIM who has an empty INBOX send the first mail.
> 
> 
> 

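Before picking a zone to sink-hole as Sten suggests, it helps to confirm from the query log which names are driving the flood and how many apparently distinct sources hit each one per second (the forged-source pattern Dan describes). The following Python is added here and is not part of the thread: it parses the named query-log format quoted above, re-joins entries that the mail client wrapped onto two lines, and flags names queried from many distinct client addresses within the same second. The sample log is constructed from the quoted lines plus one made-up benign entry (10.0.0.7 / www.example.com); the helper names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the named query-log format quoted in the thread, wrapped as in the post.
SAMPLE_LOG = """\
Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query:
spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query:
spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query:
spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query:
spasm.elephaunt.org IN A
Jul 30 19:36:19 cp named[6408]: client 10.0.0.7#5353: query: www.example.com IN A
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)$")

def unwrap(text):
    """Re-join entries that were wrapped onto a second line (no timestamp)."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line  # continuation of the previous entry
    return lines

def parse(text):
    """One dict per query entry; lines in any other format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, unwrap(text)) if m]

def suspicious_names(text, min_sources=3):
    """Names queried by >= min_sources distinct client addresses in one second;
    the value is the peak distinct-source count seen for that name."""
    per_second = defaultdict(set)  # (timestamp, name) -> set of client ips
    for rec in parse(text):
        per_second[(rec["ts"], rec["name"])].add(rec["ip"])
    flagged = {}
    for (_, name), ips in per_second.items():
        if len(ips) >= min_sources:
            flagged[name] = max(flagged.get(name, 0), len(ips))
    return flagged
```

Many unrelated addresses asking for a name that should not exist, all within the same second, is the signature of spoofed reflection traffic rather than of any single abusive client, which is why blocking by source address does not help here.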