Bind ANY ANY Query Denial of Service
Vinny Abello
vinny at tellurian.com
Wed Aug 10 03:39:50 UTC 2005
At 06:50 PM 8/9/2005, srv1054 at gmail.com wrote:
>We are a large national ISP and we have a number of BIND DNS Caching
>servers around the country for our customers.
>
>We've been victims of multiple Denial of Service attacks against our
>BIND DNS servers. Now normally this isn't an issue because we do not
>allow Recursion for IP's we don't own, as well as we can make use of
>BIND's wonderful ability to blackhole IP #'s.
>
>The problem comes from this. We have out to our customer base a huge
>number of CPE routers deployed that contain a bug which allows any IP
>to query the CPE router for DNS and it will simply just forward the
>request off to it's primary DNS server. The CPE is not smart, and the
>way it's configured we can not disable the DNS settings, as well as it
>is a massive undertaking to upgrade all the CPE in the field (tens of
>thousands of them) to the latest patch in any reasonable amount of
>time.
>
>The DoS attacks are targeted at our entire IP blocks, and because of
>the above mentioned bug, any of these CPE that happen to get hit will
>forward the DNS request to our caching servers. So it appears we are
>being attacked by our own customer base. When this happens we get
>thousands of queries from thousands of our own IP's that are all
>querying for ANY ANY.
>
>To my knowledge ANY ANY is not a valid query and BIND simply returns a
>list of ROOT servers.
>
>The problem now is that if we blackhole the IP's that this comes from,
>we are blocking our customers from using DNS and it's not even their
>fault.
>
>We've been around a million ways to solve this problem but we need a
>fast way to make BIND not respond to this type of query, until we can
>fix the greater problem which is patching all of the CPE to a version
>that does not allow DNS forwarding from external interfaces. (ya
>pretty dumb)
>
>The simple solution from our stand point is to have BIND not respond to
>this type of query. And rather, just ignore the ANY ANY query or
>blackhole it. I've included a sample from the QUERY logs to show what
>we see when this happens.
>
>SHould it even be responding to ANY ANY queries? That seems invalid,
>maybe this is a bug?
>
>Thousands and thousands of these from thousands of IP's:
>
>Aug 9 16:58:15 ns1.iad named[3718]: [ID 866145 local5.info] client
>209.125.200.66#53: query: . ANY ANY +
>Aug 9 15:58:14 ns1.ord named[27662]: [ID 866145 local5.info] client
>72.20.18.17#6442: query: . ANY ANY +
>Aug 9 15:58:14 ns1.pdx named[27662]: [ID 866145 local5.info] client
>72.20.18.17#6442: query: . ANY ANY +
>Aug 9 15:58:14 ns1.sjc named[27662]: [ID 866145 local5.info] client
>72.20.18.17#6442: query: . ANY ANY +
>
>
>Any help or direction you could provide is much appreciated.
Assuming these attacks are originating outside of your network, can
you simply block UDP/TCP 53 to you're customers CPE's? This will only
break their resolution if the query is being sourced from 53 which it
likely isn't. Just a suggestion...
Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
"Courage is resistance to fear, mastery of fear - not absence of
fear" -- Mark Twain
More information about the bind-users
mailing list