Looks like one of my name servers (CentOS 5) gets a lot of malicious queries. The cpu load is constantly about 3 %. I put on stricter limits on who is allowed recursive queries, but this does not affect the CPU load. I also updated bind.
I temporarily turned on querylog (command: rndc querylog), and noticed that I get over 200 queries like this per second:
Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied
Are there any ways to mitigate this, or do I just have to wait?
- Jussi
On 08/16/12 9:54 PM, Jussi Hirvi wrote:
Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied
Are there any ways to mitigate this, or do I just have to wait?
meh, if it's coming from lots of random hosts, then fail2ban-style techniques won't work. I assume this is an authoritative name server? Does it have recursive queries disabled so it can only return results for the domain(s) it's authoritative for?
On Thu, 16 Aug 2012 22:18:19 -0700, John R Pierce pierce@hogranch.com wrote:
On 08/16/12 9:54 PM, Jussi Hirvi wrote:
Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied
Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied
Are there any ways to mitigate this, or do I just have to wait?
meh, if it's coming from lots of random hosts, then fail2ban-style techniques won't work. I assume this is an authoritative name server? Does it have recursive queries disabled so it can only return results for the domain(s) it's authoritative for?
It's a common "attack".
Just search Google. I think someone mentioned a firewall rule here a couple of weeks ago to block these types of queries.
On 17.8.2012 8.18, John R Pierce wrote:
meh, if it's coming from lots of random hosts, then fail2ban-style techniques won't work. I assume this is an authoritative name server? Does it have recursive queries disabled so it can only return results for the domain(s) it's authoritative for?
Yes, it is authoritative. Recursive queries were open very widely. That may be why I started to get plenty of requests. But I think that 240 per second is not normal anymore; it must be malicious.
I believe my name server was used as a mediator only, and the real target (through recursive queries) was some other public nameserver.
This morning I restricted recursive queries to trusted networks only. The load dropped slowly to 20 % of what it was before.
- Jussi
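As an added example (not code from this thread, from the CentOS project or from BIND), here is a small Python script that parses querylog lines in the format Jussi posted and produces the numbers behind the points raised above: the peak per-second rate, how many distinct client addresses are involved (John's point that fail2ban-style per-IP banning cannot help when the sources are many), whether one name dominates, and how often the client source port is 53 (consistent with Jussi's reading that his server was only a mediator and the real target was another nameserver). The regex, the thresholds and the extra sample lines are assumptions made here; the first four sample lines are the ones from the original post, the rest are constructed.

```python
import re
from collections import Counter

# Assumed syslog prefix "Mon DD HH:MM:SS host named[pid]:" followed by the
# BIND 9 "query (cache) '<name>/<type>/<class>' denied" form quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): query(?: \(cache\))? "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)'(?: (?P<verdict>\w+))?"
)

# Constructed sample: the four lines from the post plus four made-up entries
# (documentation address ranges) so that a second timestamp, a non-53 source
# port, a second name and a non-ANY query type all appear.
SAMPLE_LINES = [
    "Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache) 'ripe.net/ANY/IN' denied",
    "Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache) 'ripe.net/ANY/IN' denied",
    "Aug 17 07:41:38 mx2 named[6873]: client 78.40.35.212#53: query (cache) 'ripe.net/ANY/IN' denied",
    "Aug 17 07:41:38 mx2 named[6873]: client 207.207.3.126#53: query (cache) 'ripe.net/ANY/IN' denied",
    "Aug 17 07:41:39 mx2 named[6873]: client 192.0.2.10#53: query (cache) 'ripe.net/ANY/IN' denied",
    "Aug 17 07:41:39 mx2 named[6873]: client 198.51.100.7#53: query (cache) 'ripe.net/ANY/IN' denied",
    "Aug 17 07:41:39 mx2 named[6873]: client 203.0.113.9#33211: query (cache) 'example.org/ANY/IN' denied",
    "Aug 17 07:41:39 mx2 named[6873]: client 192.0.2.44#5353: query (cache) 'example.com/A/IN' denied",
]


def parse_line(line):
    """Return the fields of one querylog line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines, qtype="ANY"):
    """Aggregate the lines for one query type into the figures a defender wants."""
    per_second = Counter()   # queries per timestamp (1 s resolution in syslog)
    clients = set()          # distinct client addresses
    names = Counter()        # which names are being asked for
    port53 = 0               # clients whose source port is 53
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != qtype:
            continue
        total += 1
        per_second[rec["ts"]] += 1
        clients.add(rec["ip"])
        names[rec["name"]] += 1
        if rec["port"] == 53:
            port53 += 1
    return {
        "total": total,
        "peak_per_second": max(per_second.values(), default=0),
        "distinct_clients": len(clients),
        "top_names": names.most_common(3),
        "port53_fraction": (port53 / total) if total else 0.0,
    }


def assess(summary, rate_threshold=100, client_threshold=50):
    """Turn the summary into yes/no findings. The thresholds are illustrative assumptions."""
    total = summary["total"]
    top_share = (summary["top_names"][0][1] / total) if total else 0.0
    return {
        # sustained rate well above what a quiet authoritative server sees
        "high_rate": summary["peak_per_second"] >= rate_threshold,
        # so many sources that banning individual IPs is pointless
        "many_sources": summary["distinct_clients"] >= client_threshold,
        # clients "sending" from port 53: answers would land on other nameservers
        "reflection_pattern": summary["port53_fraction"] >= 0.8,
        # one name dominating the traffic, as with ripe.net in the thread
        "single_name": top_share >= 0.8,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(s)
    # low thresholds here only because the sample is eight lines long
    print(assess(s, rate_threshold=3, client_threshold=5))
```

To use it on a real server, feed it the output of `rndc querylog` from syslog (for example `summarize(open("/var/log/messages"))`) and keep the default thresholds; a `many_sources` finding is the signal that the fix belongs in `named.conf` (restricting recursion, as Jussi did) or at the firewall rather than in a per-IP ban list.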
From: Jussi Hirvi listmember@greenspot.fi
On 17.8.2012 8.18, John R Pierce wrote:
meh, if it's coming from lots of random hosts, then fail2ban-style techniques won't work. I assume this is an authoritative name server? Does it have recursive queries disabled so it can only return results for the domain(s) it's authoritative for?
Yes, it is authoritative. Recursive queries were open very widely. That may be why I started to get plenty of requests. But I think that 240 per second is not normal anymore; it must be malicious.
I believe my name server was used as a mediator only, and the real target (through recursive queries) was some other public nameserver.
This morning I restricted recursive queries to trusted networks only. The load dropped slowly to 20 % of what it was before.
Maybe it is this: http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-...
JD
On 17.8.2012 15.04, John Doe wrote:
Maybe it is this: http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-...
Interesting idea. In that case the IPs in my logs would point to the targets of the attack. I checked a few of them, and they look more like hijacked victims, or NS query mediators like me. I don't see a common factor.
...icon.com (Ricoh, Japanese office machines)
...unum.com (employee insurances, I think)
sexy-lingerie.uk.com
mnet04-40.austin.datafoundry.com
...netmagicians.com
ns1.p10.dynect.net
www.macsales.com
66-226-73-103.dedicated.codero.net
ns.rackspace.com
ns1.clt.peak-10.com (their webpage: "We're rock solid"!)
- Jussi
Jussi Hirvi wrote:
On 17.8.2012 15.04, John Doe wrote:
Maybe it is this: http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-...
Interesting idea. In that case the IPs in my logs would point to the targets of the attack. I checked a few of them, and they look more like hijacked victims, or NS query mediators like me. I don't see a common factor.
<snip>
Thanks to John Doe for the link - very interesting read.
mark