DNS-Format-Eroor
Ben McGinnes
ben at adversary.org
Tue Dec 19 13:23:49 UTC 2017
On Tue, Dec 19, 2017 at 09:28:28AM +0300, Mohammed Ejaz wrote:
>
> No this IP 212.76.76.18 doesn’t belongs to us and even not in a
> trusted list of our DNS. After looking at my logs I noticed this IP
> asked for this domain mumbai-m.site to which our name server denied
> as shown in the below logs. Whereas our NCSA claiming that massive
> malicious requests from our dns. Just I want to understand how is
> this possible massive attack towards the internet for deny requests.
Those logs also show requests from another address in your own
netblocks that's been assigned to a customer of Cyberia in Jeddah.
That's in 212.119.73.32/27.
Sten's explanation was almost certainly right with regards to the
traffic seen or analysed by SA's national CERT. The traffic appearing
to emanate from your DNS servers will be the result of the botnet or
whatever it is making connections back to it's command and control
host and spoofing the source addresses of the requests. The DNS
resolvers can't tell the difference and reply to all the IPs a request
appears to come from.
Obviously you can't do anything about 212.76.76.18/32 directly, but if
it's taken up this much time already then if I were in your position
I'd just null route it at the border of Cyberia's network. Maybe
notify Sahara Net that you've had to do it and forward them the same
info SA's CERT gave you regarding their IP address.
Meanwhile, one of your own customers (the one assigned that /27) need
to hire an IT security consultant to clean their network.
I'm assuming that log sample was just a quick cut and paste and
there's actually a lot more. Search all the resolver logs for
addresses in your IP space requesting that hostname and send all those
customers a "your computer/network on IP $FOO has been compromised,
you have X days to fix it or your connection will be suspended."
Just warn your support staff before you do that because they're the
ones who will receive the angry calls from confused accountants.
Regards,
Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20171220/5e211ea8/attachment.bin>
More information about the bind-users
mailing list