DNS DoS attack
Looks like one of my name servers (CentOS 5) gets a lot of malicious queries. The CPU load is constantly about 3 %. I put stricter limits on who is allowed recursive queries, but this does not affect the CPU load. I also updated bind.

I temporarily turned on querylog (command: rndc querylog), and noticed that I get over 200 queries like this per second:

> Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
> Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
> Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
> Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied

Are there any ways to mitigate this, or do I just have to wait?

- Jussi

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
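The log lines above have two tell-tale properties of a DNS reflection attack: hundreds of queries per second for one name and type (ripe.net/ANY, chosen because the answer is large), and a source port of 53 on every client, which is what you see when the "client" address is really a spoofed victim name server. The script below is an added example, not code from the thread or from BIND; it parses lines in the format Jussi posted, groups them by second and query name, and flags groups that are asked for by an abnormally large number of distinct addresses. The sample log it runs on is constructed here (random source addresses with a fixed seed); only the log format and the ripe.net/ANY name come from the thread, and the thresholds are assumptions to tune for your own server.

```python
"""Spot a reflected ANY-query flood in BIND "query ... denied" log lines.

Added example (not the thread's or BIND's own code). Parses lines like
  Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
and reports, per second, query names requested by many distinct clients.
"""
import random
import re
from collections import defaultdict

# Format as posted in the thread. Other BIND versions log queries slightly
# differently, so the regex is deliberately loose about the "(cache)" and
# "denied/approved" parts.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query(?: \(cache\))? '(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)'"
    r"(?: (?P<verdict>denied|approved))?"
)


def parse_line(line):
    """Return a dict (ts, ip, port, name, qtype, qclass, verdict) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_floods(lines, qps_threshold=100, min_clients=20):
    """Group queries by (second, name, qtype); flag groups whose query count
    and number of distinct source addresses both exceed the thresholds.

    Many distinct sources asking for one name within one second is the
    signature of reflection: the sources are spoofed victims, not attackers,
    so the output is for sizing server-side mitigation (recursion ACLs, rate
    limiting), not for building a block list of client addresses.
    """
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "port53": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups[(rec["ts"], rec["name"], rec["qtype"])]
        g["count"] += 1
        g["clients"].add(rec["ip"])
        if rec["port"] == 53:          # source port 53 = spoofed name server
            g["port53"] += 1

    alerts = []
    for (ts, name, qtype), g in sorted(groups.items()):
        if g["count"] >= qps_threshold and len(g["clients"]) >= min_clients:
            alerts.append({
                "second": ts,
                "name": name,
                "qtype": qtype,
                "queries": g["count"],
                "distinct_clients": len(g["clients"]),
                "port53_fraction": g["port53"] / g["count"],
            })
    return alerts


def constructed_log(seconds=2, per_second=240, seed=1):
    """Constructed sample: a ripe.net/ANY flood from many spoofed sources with
    source port 53 (as in the thread), plus one ordinary A query per second."""
    rng = random.Random(seed)
    lines = []
    for s in range(seconds):
        ts = "Aug 17 07:41:%02d" % (38 + s)
        for _ in range(per_second):
            ip = "%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4))
            lines.append("%s mx2 named[6873]: client %s#53: query (cache) "
                         "'ripe.net/ANY/IN' denied" % (ts, ip))
        lines.append("%s mx2 named[6873]: client 192.0.2.10#41873: "
                     "query 'www.example.com/A/IN' approved" % ts)
    return lines


if __name__ == "__main__":
    for alert in find_floods(constructed_log()):
        print(alert)
```

Run it against a real file with `find_floods(open("/var/log/messages"))`; the interesting number is `port53_fraction`, which sits near 1.0 for a reflection flood and near 0 for ordinary resolver traffic, whose source ports are ephemeral.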
DNS DoS attack
On 08/16/12 9:54 PM, Jussi Hirvi wrote:
>> Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
>> Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
>> Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
>> Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied
>
> Are there any ways to mitigate this, or do I just have to wait?

meh, if it's coming from lots of random hosts, then fail2ban style techniques won't work. I assume this is an authoritative name server? Does it have recursive queries disabled so it can only return results for the domain(s) it's authoritative for?

--
john r pierce
N 37, W 122
santa cruz ca
mid-left coast
DNS DoS attack
On Thu, 16 Aug 2012 22:18:19 -0700, John R Pierce <pierce@hogranch.com> wrote:

> On 08/16/12 9:54 PM, Jussi Hirvi wrote:
> >> Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
> >> Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
> >> Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
> >> Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied
> >
> > Are there any ways to mitigate this, or do I just have to wait?
>
> meh, if it's coming from lots of random hosts, then fail2ban style
> techniques won't work. I assume this is an authoritative name
> server? Does it have recursive queries disabled so it can only return
> results for the domain(s) it's authoritative for?

It's a common "attack". Just search Google. I think someone mentioned a firewall rule here a couple of weeks ago to block these types of queries.
DNS DoS attack
On 17.8.2012 8.18, John R Pierce wrote:
> meh, if it's coming from lots of random hosts, then fail2ban style
> techniques won't work. I assume this is an authoritative name server?
> Does it have recursive queries disabled so it can only return results
> for the domain(s) it's authoritative for?

Yes, it is authoritative. Recursive queries were open very widely. That may be why I started to get plenty of requests. But I think that 240 per second is not normal anymore, it must be malicious.

I believe my name server was used as a mediator only, and the real target (through recursive queries) was some other public nameserver.

This morning I restricted recursive queries to trusted networks only. The load dropped slowly to 20 % of what it was before.

- Jussi
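What Jussi did here, restricting recursion to trusted networks, is the fix that removes the amplifier: an authoritative server that also recurses for the whole Internet will happily fetch and return the large ripe.net/ANY answer to any spoofed source. The fragment below is an added example of the relevant named.conf options, not Jussi's actual configuration; the ACL name "trusted" and the 192.0.2.0/24 range are placeholders, and both the weak and the hardened settings are shown so the difference is visible.

```conf
// Added example, not the thread's configuration. ACLs must be defined
// before they are referenced, so the ACL comes first.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // placeholder range

options {
    // WEAK (the state Jussi describes): recursion open to everyone turns an
    // authoritative server into an open resolver and a reflection amplifier.
    //   recursion yes;
    //   allow-recursion { any; };
    //   allow-query-cache { any; };

    // HARDENED: answer only for zones this server is authoritative for.
    // If the box must also resolve for the LAN, use "recursion yes;" and
    // the "trusted" ACL on the two allow-* lines instead of "none".
    recursion no;
    allow-query { any; };                 // authoritative data stays public
    allow-recursion { none; };
    allow-query-cache { none; };
    minimal-responses yes;                // smaller answers, less amplification

    // Response Rate Limiting caps identical answers per client prefix. It
    // needs BIND 9.9.4 / 9.10 or later, which the CentOS 5 bind package
    // does not have; uncomment only on a build that supports it.
    //   rate-limit { responses-per-second 5; window 5; };
};
```

After changing the file, `named-checkconf` validates the syntax and `rndc reload` applies it; with these settings the remote ANY queries are refused before any recursion happens, which is why the load drops rather than the log volume. Note that the "client" addresses in the denied lines are still the spoofed victims, so firewalling them would only finish the attacker's job for them.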
DNS DoS attack
From: Jussi Hirvi <listmember@greenspot.fi>
> On 17.8.2012 8.18, John R Pierce wrote:
>> meh, if it's coming from lots of random hosts, then fail2ban style
>> techniques won't work. I assume this is an authoritative name server?
>> Does it have recursive queries disabled so it can only return results
>> for the domain(s) it's authoritative for?
>
> Yes, it is authoritative. Recursive queries were open very widely. That
> may be why I started to get plenty of requests. But I think that 240 per
> second is not normal anymore, it must be malicious.
>
> I believe my name server was used as a mediator only, and the real
> target (through recursive queries) was some other public nameserver.
>
> This morning I restricted recursive queries to trusted networks only.
> The load dropped slowly to 20 % of what it was before.

Maybe it is this:
http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/

JD
DNS DoS attack
On 17.8.2012 15.04, John Doe wrote:
> Maybe it is this:
> http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/

Interesting idea. In that case the IPs in my logs would point to the targets of the attack. I checked a few of them, and they look more like hijacked victims, or ns query mediators like me. I don't see a common factor.

...icon.com (Ricoh, Japanese office machines)
...unum.com (employee insurances, I think)
sexy-lingerie.uk.com
mnet04-40.austin.datafoundry.com
...netmagicians.com
ns1.p10.dynect.net
www.macsales.com
66-226-73-103.dedicated.codero.net
ns.rackspace.com
ns1.clt.peak-10.com (their webpage: "We're rock solid"!)

- Jussi
DNS DoS attack
Jussi Hirvi wrote:
> On 17.8.2012 15.04, John Doe wrote:
>> Maybe it is this:
>> http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/
>
> Interesting idea. In that case the IPs in my logs would point to the
> targets of the attack. I checked a few of them, and they look more like
> hijacked victims, or ns query mediators like me. I don't see a common
> factor.
<snip>

Thanks to John Doe for the link - very interesting read.

mark