Tightened DNS security question re: DNS amplification attacks.

Which will just make the attacks evolve. It's pretty easy
to design an amplifying DNS attack which is almost undetectable
unless you know which addresses are being targeted. This
one is highly visible in the logs.

A much more productive task would be to trace back the
offending traffic and to put into place policies which
require BCP 38 deployment by those you connect to.

Mark

Mark Andrews wrote:

Quoting John Martinez <jmartinez@zero11.com>:

Are we still seeing DNS DDoS attack?

Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146.

Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.

I run a small personal nameserver and even I am seeing requests for that address 64.57.246.146 at ~1/sec.

How many people have upgraded to the latest version of BIND 9? The reason
I ask is that when I do my nightly port scan of my server, I no longer see
named listening on UDP on a random high-order port (for replies, I believe?).
Almost the next day, I started hearing about/seeing these DNS attacks.

Previous nmap scan showed:
53/tcp open domain
53/udp open|filtered domain
33591/udp open|filtered unknown

Now nmap shows:
53/tcp open domain
53/udp open|filtered domain

The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1.
The port was bound at startup time and did not change as long as named was still running.

I still see a few new ones each day, here is my current bind acl for
blocking them:

acl blacknet {
    69.50.142.11/32;
    66.230.160.1/32;
    66.230.128.15/32;
    76.9.16.171/32;
    63.217.28.226/32;
    206.71.158.30/32;
    64.57.246.146/32;
    67.192.144.0/32;
};

These have all been seen in the last few days, verified by hand.

DZ

I'm checking just with a mix of tcpdump/pcap, bind logs and p0f. A bit
overboard, but logging is fun.

I haven't checked any dark hosts to see whether the attack repeatedly
sends queries to IPs which have never given an answer or indication of
any kind of life. Your monitoring will probably determine this so let
us know what behavior you find.

DZ

At 12:07:16 local time here in Sweden, I saw a new address, 70.86.80.98.
At 12:09:36 another new address, 64.57.246.123.
At 12:20:10 the address 70.86.80.98 started to ask for funny domain names like
"pjphcdaaaafwu0000dgaaabaaacboinf". This ended at 12:55:01, when it went back to
just asking for the . NS records again.

You all may wish to check your logs for 202.108.12.112, it could be a
new target; although I only saw two requests from it.

Hi

At 12:07:16 local time here in Sweden, I saw a new address, 70.86.80.98.
At 12:09:36 another new address, 64.57.246.123.
At 12:20:10 the address 70.86.80.98 started to ask for funny domain names like
"pjphcdaaaafwu0000dgaaabaaacboinf". This ended at 12:55:01, when it went back to
just asking for the . NS records again.

Same here - times different, though, in that it appeared at 1120 UTC and
disappeared at 1159 UTC. There were 194 entries.

Every query was the same format - a 32-byte lower case alphanumeric
string, differing at the following positions marked with a period:

......aaaafw.0000d.aaabaaa......

I expect that others will have seen similar patterns with differing
fixed strings. I'm also starting to wonder if this is something to do with
the downadup/conficker worm, or another botnet.

Graeme
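The two observations made in this thread (spoofed "clients" hammering the root NS set, and 32-byte labels that differ only at certain positions) can be pulled out of a BIND query log mechanically. The script below is an added example, not code from any poster; it assumes the standard BIND 9 "queries" log line format and runs over a constructed sample log that reuses the addresses and the one label quoted above.

```python
import re
from collections import Counter, defaultdict

# BIND 9 "queries" log line: client <addr>#<port>: query: <name> <class> <type> <flags>
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)")

# Constructed sample log (not from the thread); '. NS' clients are the spoofed reflection targets.
SAMPLE_LOG = """\
12-Feb-2009 12:07:16.001 client 70.86.80.98#53: query: . IN NS +
12-Feb-2009 12:07:17.002 client 70.86.80.98#53: query: . IN NS +
12-Feb-2009 12:07:18.003 client 64.57.246.146#53: query: . IN NS +
12-Feb-2009 12:20:10.004 client 70.86.80.98#53: query: pjphcdaaaafwu0000dgaaabaaacboinf. IN A +
12-Feb-2009 12:20:11.005 client 70.86.80.98#53: query: qzx7k2aaaafwm0000d1aaabaaa8yt3pl. IN A +
12-Feb-2009 12:20:12.006 client 70.86.80.98#53: query: b4nn9aaaaafwz0000d0aaabaaatr5e2q. IN A +
12-Feb-2009 12:21:00.007 client 192.0.2.10#34567: query: www.example.com. IN A +
"""

def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every line that matches LOG_RE."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")

def root_ns_sources(log_text, threshold=2):
    """Clients with >= threshold '. IN NS' queries: with spoofing, these are victims, not attackers."""
    counts = Counter(ip for ip, name, qtype in parse_queries(log_text)
                     if name == "." and qtype == "NS")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def probe_labels(log_text, length=32):
    """Per client, the leading labels that are exactly `length` lower-case alphanumerics."""
    per_client = defaultdict(list)
    for ip, name, _ in parse_queries(log_text):
        first = name.rstrip(".").split(".")[0]
        if len(first) == length and re.fullmatch(r"[a-z0-9]+", first):
            per_client[ip].append(first)
    return dict(per_client)

def fixed_mask(labels):
    """Column-wise mask of equal-length labels: fixed chars kept, varying positions become '.'."""
    labels = list(labels)
    if not labels or any(len(l) != len(labels[0]) for l in labels):
        return None
    return "".join(col[0] if len(set(col)) == 1 else "." for col in zip(*labels))

if __name__ == "__main__":
    print("root NS sources:", root_ns_sources(SAMPLE_LOG))
    for ip, labels in probe_labels(SAMPLE_LOG).items():
        print(ip, fixed_mask(labels))
```

The addresses `root_ns_sources` returns are candidates for a blackhole ACL or rate limit like the one posted earlier in the thread, not for abuse reports, since they are the spoofed targets.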