Bind dns amplification attack

Nyamkhand Buluukhuu nyamkhand at mobinet.mn
Wed Mar 29 08:20:39 UTC 2023


Hello guys,

I see, my server is authoritative for some internal domain, so I will try Allow-query. Thank you.
But the attack is from my allowed IP addresses so I can't block the entire zone.

I tried NXDOMAINS-PER-SECOND, but the server is not giving an NXDOMAIN response but SERVFAIL.
How about ERRORS-PER-SECOND: sets the limit of error (REFUSED, FORMERR or SERVFAIL)?

BR, Nyamka


________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Matus UHLAR - fantomas <uhlar at fantomas.sk>
Sent: Wednesday, March 29, 2023 3:24 PM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: Re: Bind dns amplification attack

>On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
>>Yes, this is one of the problem "authoritative zones for local use".

On 28.03.23 12:18, Grant Taylor via bind-users wrote:
>Authorizing the /zone/ for local use wasn't the problem.  The problem
>was that the world could get some of that zone's data from the query
>cache even if they couldn't query the zone directly.

when was this?

querying cache is by default allowed for the same clients as recursion,
perhaps unless it was old BIND version.


>>The default root "hint" zone is only available for those who have
>>recursion available.

>I feel like the "root hint zone" is considerably different than "root
>zone" proper.  The fact that they have different zone types seems to
>support that.

yes. The content of the hint zone is abused to generate an amplification attack:

Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied

If you have a local root zone, a response is provided by default, and it can be
huge:

% dig +noanswer +noadditional +nocomments +nocmd +noquestion -t any . @fantomas.fantomas.sk
;; Query time: 0 msec
;; SERVER: 195.80.174.185#53(195.80.174.185)
;; WHEN: Wed Mar 29 09:23:27 CEST 2023
;; MSG SIZE  rcvd: 2904


but default "type hint" root is treated as cache and REFUSED is sent.


--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.
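
Added example, not part of the original messages and not BIND code: a small Python check that parses "query (cache) ... denied" log lines in the format quoted above and counts denied ANY queries per client address. The sample log lines are constructed (documentation addresses, hypothetical host "ns1"), and the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# BIND "denied" query log lines in the format quoted in the message above.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): query \(cache\) '(?P<question>[^']*)' denied"
)

# Constructed sample log (documentation addresses, hypothetical host "ns1").
SAMPLE_LOG = """\
Mar 26 16:03:53 ns1 named[1654]: client @0xe7379d50 192.0.2.10#59467 (.): query (cache) './ANY/IN' denied
Mar 26 16:03:53 ns1 named[1654]: client @0xe7379d51 192.0.2.10#40112 (.): query (cache) './ANY/IN' denied
Mar 26 16:03:54 ns1 named[1654]: client @0xe7379d52 192.0.2.10#51820 (.): query (cache) './ANY/IN' denied
Mar 26 16:03:54 ns1 named[1654]: client @0xe7379d53 198.51.100.7#33001 (example.com): query (cache) 'example.com/A/IN' denied
Mar 26 16:03:55 ns1 named[1654]: client @0xe7379d54 198.51.100.7#33002 (.): query (cache) './ANY/IN' denied
"""


def parse_denied(line):
    """Return (client_ip, qname, qtype) for a denied cache query, else None."""
    match = DENIED_RE.search(line)
    if match is None:
        return None
    # The quoted field is name/type/class, for example './ANY/IN'.
    parts = match.group("question").rsplit("/", 2)
    if len(parts) != 3:
        return None
    return match.group("ip"), parts[0], parts[1]


def denied_any_by_client(lines, threshold=3):
    """Map client address -> count of denied ANY queries, keeping counts >= threshold.

    Over UDP the logged address can be spoofed, so a high count may name the
    reflection target rather than the real sender.
    """
    hits = Counter()
    for line in lines:
        parsed = parse_denied(line)
        if parsed is not None and parsed[2] == "ANY":
            hits[parsed[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, count in denied_any_by_client(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} denied ANY queries")
```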