FW: Preventing a particular type of nameserver abuse

Brett Cooper bctrainers at gmail.com
Wed Apr 14 00:49:08 UTC 2021


Of the small number of name servers I run, each and every one has had 
persistent attacks (I guess) in the form of "(sl): query (cache) 
'sl/ANY/IN' denied". These attacks appear to be originating from 
legitimate ISP resolvers, but the majority of the attacks appear to be 
drones/malware of sorts. I am assuming the majority of these IPs are 
spoofed. These attacks appeared to begin in Dec 2020 / Jan 2021 and 
have persisted up to this writing. The worst of it was in Jan 2021 for 
me.
Prior to me crafting a firewall rule, log monitoring and triggers, and 
adding some loose rate limiting (the various *-per-second options), I 
would see well over 2,500 queries an hour for the sl query from 
copious numbers of IPs. It probably was much more than that, as it was 
pegging the single vCPU of a VPS I have at 100% - bad on me for not 
hardening that particular virtual machine in the first place months ago. 
The other name servers had similar attacks, but not to the same 
magnitude by a long shot.
Today, and so far, the VPS above that was originally taking in such a 
huge volume of sl queries has temporarily blocked 78 unique IPv4 
addresses. Every query from each of the IPs has been in the form of:
Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 50.99.83.201#80 
(sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 50.99.83.201#80 
(sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:08:56 ns02 named[432]: client @0x7f98c063d430 50.99.83.201#80 
(sl): query (cache) 'sl/ANY/IN' denied
[...]
Apr 13 22:44:02 ns02 named[9487]: client @0x7fc8740c7310 46.102.130.246#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:44:02 ns02 named[9487]: client @0x7fc8740c7310 46.102.130.246#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:44:04 ns02 named[9487]: client @0x7fc8740c7310 46.102.130.246#80 (sl): query (cache) 'sl/ANY/IN' denied

--Brett
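As an added example (this is not code from the post, from Brett, or from ISC), the following Python script does the "log monitoring and triggers" step described above: it parses BIND "query (cache) ... denied" lines in the format shown, counts denied ANY queries per source address, flags addresses that cross a threshold, records the source ports each address used, and emits nft commands that add the offenders to a timed set. The set name dns_abusers, the inet filter table and input chain, the threshold and the one-hour timeout are all assumptions; the log lines inside the block are constructed with RFC 5737 documentation addresses rather than the addresses from the post. Lines that the mail client wrapped in the post are written on one line, as named logs them.

```python
"""Count BIND 'query (cache) ... denied' lines per source address and emit
temporary nft block commands for the heavy hitters (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample log in the format shown in the post. RFC 5737
# documentation addresses; this is not real traffic.
SAMPLE_LOG = """\
Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:08:56 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:08:57 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:09:01 ns02 named[432]: client @0x7f98c063d431 198.51.100.7#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:09:02 ns02 named[432]: client @0x7f98c063d431 198.51.100.7#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:09:05 ns02 named[432]: client @0x7f98c063d432 203.0.113.44#53211 (example.com): query (cache) 'example.com/A/IN' denied
Apr 13 22:09:06 ns02 named[432]: zone example.net/IN: loaded serial 2021041301
"""

# One 'query (cache) ... denied' line. The '@0x...' client handle is optional
# because older BIND releases do not print it. The parenthesised field after
# the address is the query name BIND echoes for the client.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+named\[\d+\]:\s+"
    r"client\s+(?:@0x[0-9a-f]+\s+)?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)\s+"
    r"\((?P<qname_tag>[^)]*)\):\s+"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)


def parse_denied(line):
    """Fields of one denied-cache-query line, or None for any other line."""
    m = DENIED_RE.match(line.strip())
    return m.groupdict() if m else None


def count_denied(log_text, qtype="ANY"):
    """Denied queries per source IP; qtype=None counts every query type."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denied(line)
        if rec and (qtype is None or rec["qtype"] == qtype):
            counts[rec["ip"]] += 1
    return counts


def offenders(log_text, threshold=3, qtype="ANY"):
    """(ip, count) pairs at or above the threshold, most active first.
    The threshold is an assumed tuning knob, not a value from the post."""
    counts = count_denied(log_text, qtype)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def source_ports(log_text, qtype="ANY"):
    """Set of UDP source ports seen per IP. A real recursive resolver uses
    random ephemeral ports, so many queries from one fixed low port (port 80
    in the post's logs) is a cheap extra signal that the sender is not one."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denied(line)
        if rec and (qtype is None or rec["qtype"] == qtype):
            ports[rec["ip"]].add(int(rec["port"]))
    return dict(ports)


def nft_block_commands(ips, set_name="dns_abusers", timeout="1h"):
    """nft commands adding each IPv4 address to a timed set (assumed names).
    The set and a drop rule must already exist, for example:
      nft add set inet filter dns_abusers '{ type ipv4_addr; flags timeout; }'
      nft add rule inet filter input ip saddr @dns_abusers udp dport 53 drop
    The timeout is deliberate: UDP source addresses can be forged, so a
    permanent block keyed on source address could be used to cut off a
    legitimate resolver. IPv6 addresses are skipped (ipv4_addr set)."""
    return [
        f"nft add element inet filter {set_name} '{{ {ip} timeout {timeout} }}'"
        for ip in ips if ":" not in ip
    ]


if __name__ == "__main__":
    ports = source_ports(SAMPLE_LOG)
    for ip, n in offenders(SAMPLE_LOG, threshold=3):
        print(f"{ip}: {n} denied ANY queries, source ports {sorted(ports[ip])}")
    for cmd in nft_block_commands([ip for ip, _ in offenders(SAMPLE_LOG, threshold=3)]):
        print(cmd)
```

Two caveats for anyone wiring this into a trigger: a "query (cache) ... denied" line means BIND has already answered REFUSED, so the cost of this traffic is CPU and log volume rather than amplification, and the lowest-effort mitigations are still the BIND-side ones (allow-recursion / allow-query-cache and the rate-limit block) before any address gets dropped at the firewall.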

------ Original Message ------
From: "Richard T.A. Neal" <richard at richardneal.com>
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Sent: Apr 13, 2021 17:42:28
Subject: FW: Preventing a particular type of nameserver abuse

>>  In the particular case of the .sl denied queries, I don't think these are forged queries from the attack victim. Something else is going on here. We see queries from systems like these, almost exclusively consumer endpoints:
>
>[snipped]
>
>>  It seems unlikely that someone is trying to attack those specific endpoints. Unless the attack is *very* widely distributed and they are actually attacking the ISP infrastructure. But in that case, this seems to be a simultaneous attack on almost every major ISP, which I find unlikely.
>
>Yes, another individual & I were discussing this off-list today. We wonder if those queries are from malware on infected hosts that are trying to determine whether a given nameserver can be used in a distributed reflection attack? The source IP is not spoofed (because it wants to get the answer), so if it gets either "refused" or a timeout then it knows that nameserver can't be used in the reflection attack. But if it gets a response with data then it knows it *can* be used in the reflection attack.
>
>A lot of the "bad clients" that I block are also domestic IP addresses, and I've yet to come up with any other explanation so am always open to any plausible causes.
>
>Best,
>Richard.