Possible DOS Attack, but not sure.

Angela Williams angie at eoh.co.za
Thu Aug 3 13:08:15 UTC 2006


On Wednesday 02 August 2006 16:08, you wrote:
> 	We have been running Bind9.3.1 with the usual great
> results and had a very strange thing happen to both our master
> and slave DNS's last night.

Mine happened a few weeks ago but only my slave was attacked!

> 	We must have recursion on in our environment, but we do
> not allow third-party recursion.

My recursion is off for external views!

> 	Last night, we suddenly began receiving reports of
> sporadic DNS performance and discovered that we were maxed out on
> recursive clients as in 1000/1000.  This normally only happens
> when we lose access to any root name servers but this time, all
> but 2 root DNS's were accessible.

Sounds like much the same!

> 	The only unusual messages in named.log were the "no more
> recursive clients" messages which poured out by the millions for
> about 3 hours.

> 	The security log never showed anything but the usual
> Microsoft hackfest of systems trying to update okstate.edu.
>
> 	We did detect packets from 2 addresses that were hitting
> both the platforms at about 1,000 packets per second, but they
> didn't show up in the logs as players in the mayhem.

In my case it was about 8 addresses.

> 	After killing those two addresses in the firewall, I
> killed and restarted both servers and life returned to normal.

I did just the same except I managed to also add our local co.za servers!
Something to do with going a bit overboard!

> 	In the past when we had this condition due to a broken
> Internet connection, the problem resolved itself immediately when
> connectivity returned.  This time, something was keeping it going
> and we couldn't tell directly what was happening.

Never had any of our 'net connections go down for a long time so I've never 
seen this before!

> 	I did see one strange message during that time in
> named.log:
>
> 01-Aug-2006 23:18:17.924 dispatch 0x8cc7800: shutting down
> due to TCP receive error: 64.12.51.132#53: connection reset

The only errors I saw were about shutting down the service or something like that.


> 	There were only 4 of those out of several million lines
> of mostly recursive client complaints.
>
> 	We also log any time an outsider tries to query for
> another outsider.  There is normally a lot of that for some
> reason, but the mix of addresses is all over the map so it didn't
> look like one system was trying to generate lots of activity
> although it might have been internal to our network and we
> wouldn't have seen it.

I did reverse lookups the next morning on all the IPs I'd blackholed, found 
the one co.za root server and unblackholed that one. One or two others also 
needed unblackholing as a result of my over-judicious blackholing! The rest 
all seemed to be dynamic IPs on DSL type lines all over the world. There 
seemed to be no pattern at all. They just remain blackholed!

> 	We can routinely serve over a million queries per hour so
> query logging is normally off. Does this sound like anything that
> is familiar to anybody?  Thanks for any information.

Well, that's my bit, FWIW!

Cheers
Ang

-- 
Angela Williams				Enterprise Outsourcing
SCO Unix/Linux & Cisco spoken here!	Bedfordview
awilliams at eoh.co.za			Gauteng South Africa

Smile!! Jesus Loves You!!
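Both posters found the problem by noticing the flood of "no more recursive clients" messages and then hunting for the handful of source addresses behind it. The script below is an added example, not code from either poster or from the BIND project: it parses a small constructed named.log excerpt, counts recursive-client quota messages per minute, flags minutes above a threshold, ranks source addresses by how many client lines they produced, and pulls out the dispatch TCP-receive-error lines the first poster mentioned. The timestamp format is taken from the log line quoted in the thread; the `client IP#port:` prefix and the exact wording `no more recursive clients: quota reached` are assumptions about BIND 9 log output, and every sample line and address (RFC 5737 documentation ranges) is constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Timestamp shape copied from the thread's quoted line ("01-Aug-2006 23:18:17.924 ...").
TS_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} (.*)$")
# Assumed BIND 9 client-message prefix: "client <addr>#<port>: <message>".
CLIENT_RE = re.compile(r"^client ([0-9a-fA-F.:]+)#\d+: (.*)$")

# Constructed sample log: a burst of quota messages dominated by one source,
# two ordinary queries, and one dispatch error line (addresses are documentation ranges).
SAMPLE_LOG = """\
01-Aug-2006 23:17:59.101 client 192.0.2.10#1054: query: www.example.net IN A +
01-Aug-2006 23:18:01.002 client 192.0.2.10#1055: no more recursive clients: quota reached
01-Aug-2006 23:18:01.003 client 192.0.2.10#1056: no more recursive clients: quota reached
01-Aug-2006 23:18:02.410 client 198.51.100.7#2001: no more recursive clients: quota reached
01-Aug-2006 23:18:05.111 client 203.0.113.5#3322: query: mail.example.org IN MX +
01-Aug-2006 23:18:17.924 dispatch 0x8cc7800: shutting down due to TCP receive error: 203.0.113.53#53: connection reset
01-Aug-2006 23:19:00.000 client 192.0.2.10#1057: no more recursive clients: quota reached
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Split one named.log line into (timestamp, source address or None, message).

    Returns None for lines that do not start with the expected timestamp.
    """
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    rest = m.group(2)
    cm = CLIENT_RE.match(rest)
    if cm:
        return ts, cm.group(1), cm.group(2)
    return ts, None, rest


def quota_events_per_minute(lines):
    """Count 'no more recursive clients' messages, bucketed by minute."""
    buckets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _src, msg = parsed
        if "no more recursive clients" in msg:
            buckets[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return buckets


def flag_minutes(buckets, threshold):
    """Return the minutes whose quota-message count reached the threshold."""
    return sorted(minute for minute, count in buckets.items() if count >= threshold)


def top_talkers(lines, n=3):
    """Rank source addresses by the number of client lines they generated."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1]:
            counts[parsed[1]] += 1
    return counts.most_common(n)


def dispatch_errors(lines):
    """Collect the rare 'dispatch ... TCP receive error' lines for manual review."""
    return [line for line in lines if "shutting down due to TCP receive error" in line]


if __name__ == "__main__":
    buckets = quota_events_per_minute(SAMPLE_LINES)
    print("quota messages per minute:", dict(buckets))
    print("minutes at or above threshold 3:", flag_minutes(buckets, 3))
    print("top talkers:", top_talkers(SAMPLE_LINES))
    print("dispatch errors:", dispatch_errors(SAMPLE_LINES))
```

On a real server the per-minute threshold should be set from a baseline of normal operation, and a top-talker list is only a starting point: as the reply above shows, a busy legitimate resolver (here the co.za root server) can land on the list and must be excluded before any address is blackholed.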
