Comments on: More annoying DNS queries http://www.stupendous.net/archives/2009/01/22/more-annoying-dns-queries/ ramblings of a caffeinated discombobulated mind Mon, 08 Mar 2010 01:14:01 +0000 http://wordpress.org/?v=abc hourly 1 By: Patrik Rak http://www.stupendous.net/archives/2009/01/22/more-annoying-dns-queries/comment-page-1/#comment-9471 Patrik Rak Fri, 23 Jan 2009 15:11:36 +0000 http://www.stupendous.net/?p=271#comment-9471 <p>Here is my rule to stop the ./NS/IN queries:</p> <p><code>iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \ "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"</code></p> <p>Specifically, it tests that the packet contains one query, the query is for empty name, NS type and IN class.</p> <p>Hope it helps.</p> <p>Patrik</p> Here is my rule to stop the ./NS/IN queries:

iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"

Specifically, it tests that the packet contains one query, the query is for empty name, NS type and IN class.

Hope it helps.

Patrik

]]> By: chrome http://www.stupendous.net/archives/2009/01/22/more-annoying-dns-queries/comment-page-1/#comment-9470 chrome Fri, 23 Jan 2009 08:17:29 +0000 http://www.stupendous.net/?p=271#comment-9470 <p>yep, we know Adam. Thanks. Configuring the DNS to reject recursive queries isn't the problem here, rather it is the fact that we are still replying to your spoofed addresses at all.</p> <p>It's my opinion that bind needs an option for dropping recursive queries completely.</p> yep, we know Adam. Thanks. Configuring the DNS to reject recursive queries isn’t the problem here, rather it is the fact that we are still replying to your spoofed addresses at all.

It’s my opinion that bind needs an option for dropping recursive queries completely.

]]> By: Adam Jacob Muller http://www.stupendous.net/archives/2009/01/22/more-annoying-dns-queries/comment-page-1/#comment-9469 Adam Jacob Muller Thu, 22 Jan 2009 18:05:59 +0000 http://www.stupendous.net/?p=271#comment-9469 <p>Hi, I work at ISPrime in the network abuse / security department, unfortunately we are not actually sending these queries to you (if we were, we would be able to fix things very easily). CYMRU provides an excellent well-commented bind template which can help you with reconfiguring your dns servers to mitigate this: http://www.cymru.com/Documents/secure-bind-template.html If you have any other questions i'm personally reachable at adam@isprime.com, and our abuse department is 24/7 at abuse@isprime.com.</p> Hi,
I work at ISPrime in the network abuse / security department, unfortunately we are not actually sending these queries to you (if we were, we would be able to fix things very easily).
CYMRU provides an excellent well-commented bind template which can help you with reconfiguring your dns servers to mitigate this: http://www.cymru.com/Documents/secure-bind-template.html
If you have any other questions i’m personally reachable at adam@isprime.com, and our abuse department is 24/7 at abuse@isprime.com.

]]> By: Tim http://www.stupendous.net/archives/2009/01/22/more-annoying-dns-queries/comment-page-1/#comment-9468 Tim Thu, 22 Jan 2009 15:29:42 +0000 http://www.stupendous.net/?p=271#comment-9468 <p>Their response:</p> <p>Begin forwarded message:</p> <p>From: ISPrime Support <a href="mailto:support@isprime.com" rel="nofollow">support@isprime.com</a> Date: January 22, 2009 9:06:34 AM CST To: tim@timsnet.com Cc: support@isprime.com Subject: Re: ISPrime being blackholed by DNS server due to DDOS from ISPRIME:</p> <p>Hello,</p> <p>These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end.</p> <p>If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these machines make legitimate outbound dns requests so an inbound filter of packets to udp/53 from either of these two sources is perfect.</p> <p>If you are receiving queries from 66.230.128.15/66.230.160.1 these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.</p> <p>An ACL similar to: access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53 access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53 Is what you want.</p> <p>I would also suggest taking a look at the excellent CYMRU secure bind template (assuming you are running bind), to help you configure your nameservers so that you do not participate in this attack: http://www.cymru.com/Documents/secure-bind-template.html.</p> <p>Thanks for your help in mitigating this attack against us.</p> <p>Please let me know if I can be of further assistance.</p> <p>ISPrime Support support@isprime.com ICQ: 136633378</p> Their response:

Begin forwarded message:

From: ISPrime Support support@isprime.com
Date: January 22, 2009 9:06:34 AM CST
To: tim@timsnet.com
Cc: support@isprime.com
Subject: Re: ISPrime being blackholed by DNS server due to DDOS from ISPRIME:

Hello,

These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end.

If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these machines make legitimate outbound dns requests so an inbound filter of packets to udp/53 from either of these two sources is perfect.

If you are receiving queries from 66.230.128.15/66.230.160.1 these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.

An ACL similar to:
access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
Is what you want.

I would also suggest taking a look at the excellent CYMRU secure bind template (assuming you are running bind), to help you configure your nameservers so that you do not participate in this attack: http://www.cymru.com/Documents/secure-bind-template.html.

Thanks for your help in mitigating this attack against us.

Please let me know if I can be of further assistance.

ISPrime Support
support@isprime.com
ICQ: 136633378

]]> By: chrome http://www.stupendous.net/archives/2009/01/22/more-annoying-dns-queries/comment-page-1/#comment-9467 chrome Thu, 22 Jan 2009 12:12:11 +0000 http://www.stupendous.net/?p=271#comment-9467 <p>The other solution is to add a blackhole to your Bind9 config; but this is just temporary. They've been doing this for weeks, using different IPs as they see fit.</p> The other solution is to add a blackhole to your Bind9 config; but this is just temporary. They’ve been doing this for weeks, using different IPs as they see fit.

]]> By: Patrick http://www.stupendous.net/archives/2009/01/22/more-annoying-dns-queries/comment-page-1/#comment-9463 Patrick Thu, 22 Jan 2009 11:03:12 +0000 http://www.stupendous.net/?p=271#comment-9463 <p>I'm affected too. Since a couple of hours my logs are flooded by this. I added two simple iptables rules to get rid of it.</p> <p>iptables -A INPUT -p udp --dport 53 -s 66.230.128.15 -j DROP iptables -A INPUT -p udp --dport 53 -s 66.230.160.1 -j DROP</p> I’m affected too. Since a couple of hours my logs are flooded by this. I added two simple iptables rules to get rid of it.

iptables -A INPUT -p udp –dport 53 -s 66.230.128.15 -j DROP
iptables -A INPUT -p udp –dport 53 -s 66.230.160.1 -j DROP

]]>