Deflecting Bogus Queries -- Machine Under Attack, PLEASE HELP.
Dan Mahoney, System Admin
danm at prime.gushi.org
Thu Aug 5 18:08:46 UTC 2004
On Thu, 5 Aug 2004, Sten Carlsen wrote:
> Hi
>
> How about making a local zone for which you are authoritative and return "no A
> record present". At least it will stop any recursive lookups.
I (or the customer, actually) *am* authoritative for elephaunt.org.
These are not recursive lookups. But I'm sure this is setting off
firewall logs at all the spoofed hosts, no matter what I return.
That's why I wanted the "silent ignore" option. You can do it per IP, but
not per zone.
-Dan
>
>
> Dan Mahoney wrote:
>
>> I'm presently dealing with a DNS server that's under attack, and is
>> being made to spew out DNS responses all over the internet, hundreds,
>> maybe thousands a second.
>>
>> I cannot trace the source IP to log it or ban it because it's
>> obviously forged, and there's enough DNS traffic on the wire that it's
>> suitably masked.
>>
>> I'd like to know if I can just somehow set bind to DROP all queries
>> for the domain in question. No response, no nothing, just silently
>> ignore them. It won't make the attack stop, but at least it'll stop
>> me from being used as a reflector.
>>
>> These domains don't even exist. I thought about redirecting an NS
>> record for these subdomains elsewhere, but it wouldn't really matter
>> since I think the attack is ignoring true DNS.
>>
>> Here's a quick log:
>>
>> Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query: spaz.elephaunt.org IN A
>> Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
>>
>> Replies to this address are appreciated, although I will of course
>> check the group. danm at ezzi dot net is also useful.
>>
>>
>
>
--
"We need another cat. This one's retarded."
-Cali, March 8, 2003 (3:43 AM)
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
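A small detection script for the pattern in the query log quoted above, added here as an example that is not part of the thread or of BIND itself: it parses named query-log lines in that format and flags names that are asked by many distinct source addresses within a single second, which is what a spoofed-source reflection flood looks like from the authoritative server's side (and why, as Dan notes, a per-IP block list cannot keep up). The sample log lines and the addresses in them are constructed from documentation ranges, not taken from the post.

```python
import re
from collections import defaultdict

# Matches the named query-log format shown in the thread, e.g.
# "Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)

def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname) for each line in the format above; skip others."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["qname"].lower().rstrip(".")

def reflection_candidates(lines, min_queries=4, min_sources=3):
    """Return {(second, qname): (query_count, distinct_sources)} for every one-second
    bucket in which one name was queried at least min_queries times by at least
    min_sources different client addresses. Legitimate resolvers cache, so many
    unrelated sources hammering the same name in the same second is the signature
    of a spoofed-source flood using this server as a reflector."""
    buckets = defaultdict(lambda: [0, set()])  # (ts, qname) -> [count, {client ips}]
    for ts, ip, qname in parse_query_log(lines):
        buckets[(ts, qname)][0] += 1
        buckets[(ts, qname)][1].add(ip)
    return {
        key: (count, len(ips))
        for key, (count, ips) in buckets.items()
        if count >= min_queries and len(ips) >= min_sources
    }

# Constructed sample log (documentation address ranges); same line format as the thread.
SAMPLE_LOG = """\
Jul 30 19:36:18 cp named[6408]: client 192.0.2.10#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 192.0.2.11#42256: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 198.51.100.5#32770: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 198.51.100.6#54971: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 203.0.113.2#1041: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 203.0.113.2#1041: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 192.0.2.10#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:19 cp named[6408]: client 198.51.100.77#5353: query: www.example.com IN A
Jul 30 19:36:19 cp named[6408]: client 198.51.100.77#5353: query: www.example.com IN MX
""".splitlines()

if __name__ == "__main__":
    for (ts, qname), (count, sources) in reflection_candidates(SAMPLE_LOG).items():
        print(f"{ts}  {qname}: {count} queries from {sources} distinct sources")
```

Run it against a real query log with `reflection_candidates(open("query.log"))`; the thresholds are deliberately low for the short sample and should be raised for production volumes.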