For the last couple of weeks, I’ve been plagued by recursive ./NS/IN queries (NS lookups for the root zone, ‘.’) from spoofed source addresses owned by ISPrime filling the logs. The source addresses are forged so that every reply goes to ISPrime rather than to whoever is actually sending the queries: they are being used to DDoS those IPs. For example:
Jan 24 04:52:07 mars named[1478]: client 63.217.28.226#2217: query (cache) './NS/IN' denied
Jan 24 04:52:07 mars named[1478]: client 63.217.28.226#27214: query (cache) './NS/IN' denied
Jan 24 04:52:08 mars named[1478]: client 63.217.28.226#62061: query (cache) './NS/IN' denied
Jan 24 04:52:10 mars named[1478]: client 63.217.28.226#46451: query (cache) './NS/IN' denied
Jan 24 04:52:11 mars named[1478]: client 63.217.28.226#28836: query (cache) './NS/IN' denied
Jan 24 04:52:11 mars named[1478]: client 63.217.28.226#39691: query (cache) './NS/IN' denied
Jan 24 04:52:12 mars named[1478]: client 63.217.28.226#5467: query (cache) './NS/IN' denied
It should be noted that ISPrime is not responsible for this traffic in any way; they are simply the target of a DDoS. The intent of the ./NS/IN queries is to make a recursive server answer with the whole root name server set (the root hints), a reply many times larger than the query, so that every spoofed query amplifies the traffic ISPrime receives. Most people configure their authoritative DNS to refuse recursive queries, however, so the worst that happens is that you see the log messages above and answer each query with a 17-byte REFUSED packet: the 12-byte DNS header plus the 5-byte question (1-byte root name, QTYPE, QCLASS), the same size as the query itself, so you reflect the traffic but do not amplify it.
However, I find that unacceptable. I don’t want to be contributing in any way to this DDoS, so I have been searching for another way.
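Before dropping anything it is worth quantifying what the log shows. The script below is an added example (my code, not from the post): it parses named’s ‘query (cache) … denied’ lines, counts ./NS/IN queries per client address, and works out over how many seconds they arrived and how many bytes of 17-byte REFUSED replies went back to each address. The ‘client’ in these lines is the spoofed source, i.e. the victim, which is what you would report to ISPrime. The log lines are constructed in the format of the excerpt above; the second address, 192.0.2.10, is made up.

```python
"""Summarise reflected ./NS/IN queries from named's 'query (cache) ... denied' lines.
Added example, not part of the original post.  SAMPLE_LOG is constructed in the
same format as the post's excerpt; 192.0.2.10 is a made-up second client."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan 24 04:52:07 mars named[1478]: client 63.217.28.226#2217: query (cache) './NS/IN' denied
Jan 24 04:52:07 mars named[1478]: client 63.217.28.226#27214: query (cache) './NS/IN' denied
Jan 24 04:52:08 mars named[1478]: client 63.217.28.226#62061: query (cache) './NS/IN' denied
Jan 24 04:52:09 mars named[1478]: client 192.0.2.10#40123: query (cache) 'www.google.com/A/IN' denied
Jan 24 04:52:10 mars named[1478]: client 63.217.28.226#46451: query (cache) './NS/IN' denied
Jan 24 04:52:11 mars named[1478]: client 63.217.28.226#28836: query (cache) './NS/IN' denied
Jan 24 04:52:12 mars named[1478]: client 63.217.28.226#5467: query (cache) './NS/IN' denied
Jan 24 04:52:12 mars named[1478]: client 192.0.2.10#40124: query (cache) './NS/IN' denied
"""

DENIED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied$")

# A REFUSED reply to a ./NS/IN query is the 12-byte DNS header plus the 5-byte
# question (1-byte root name, QTYPE, QCLASS): 17 bytes of DNS payload.
REFUSED_ROOT_NS_BYTES = 17


def parse_denied(text):
    """Yield (timestamp, client_ip, qname, qtype, qclass) for each denied-query line.
    Syslog timestamps carry no year, so only differences between them are meaningful."""
    for line in text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue  # some other named message
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        qname, qtype, qclass = m["q"].rsplit("/", 2)
        yield ts, m["ip"], qname, qtype, qclass


def reflection_report(text, min_queries=3):
    """For every client address that sent at least min_queries ./NS/IN queries,
    return how many arrived, over how many seconds, and how many bytes of REFUSED
    replies were sent back to it.  The address is the spoofed source, i.e. the
    DDoS victim, not the attacker."""
    first, last, count = {}, {}, defaultdict(int)
    for ts, ip, qname, qtype, qclass in parse_denied(text):
        if (qname, qtype, qclass) != (".", "NS", "IN"):
            continue
        first.setdefault(ip, ts)
        last[ip] = ts
        count[ip] += 1
    report = {}
    for ip, n in count.items():
        if n >= min_queries:
            report[ip] = {
                "queries": n,
                "seconds": (last[ip] - first[ip]).total_seconds(),
                "bytes_reflected": n * REFUSED_ROOT_NS_BYTES,
            }
    return report


if __name__ == "__main__":
    for ip, r in sorted(reflection_report(SAMPLE_LOG).items()):
        print(f"{ip}: {r['queries']} ./NS/IN queries over {r['seconds']:.0f}s, "
              f"{r['bytes_reflected']} bytes of REFUSED replies sent to it")
```

Run against a real log with `reflection_report(open("/var/log/daemon.log").read())` (path is an assumption; use wherever your syslog sends named’s messages). The byte count is DNS payload only; add 28 bytes per packet for the UDP and IPv4 headers if you want wire bytes.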
I have tested Patrik Rak’s solution, an iptables u32 match that drops the offending queries before they ever reach named:
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
This works well. The match reads the IPv4 header length (0>>22&0x3C is the IHL in bytes), skips past the 8-byte UDP header into the DNS message, and matches only packets with exactly one question (QDCOUNT = 1) whose name is the root (first QNAME byte 0x00) with QTYPE NS and QCLASS IN (0x00020001).
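To see exactly what that expression tests, here is an added example (my code, not Patrik Rak’s and not from the original post): a small Python re-implementation of the kernel’s u32 match semantics, run over constructed packets. It shows that the expression fires only on a single-question query for the root name with QTYPE NS and QCLASS IN, keeps working when the IPv4 header carries options (which is why it computes the header length instead of assuming 20 bytes), and fails safe on truncated packets. The full rule is assumed to be the usual iptables -A INPUT -p udp --dport 53 -m u32 --u32 "…" -j DROP; the -p udp --dport 53 qualifiers matter because the offsets assume a UDP header directly after the IPv4 header, so queries over TCP are not affected.

```python
"""Re-implementation of the iptables u32 match (kernel xt_u32 semantics) so the
expression from the post can be exercised offline on constructed packets.
Added example; not Patrik Rak's code and not from the original post."""
import re
import struct

# The match string quoted in the post.  The rule it is assumed to live in is
#   iptables -A INPUT -p udp --dport 53 -m u32 --u32 "<RAK_EXPR>" -j DROP
RAK_EXPR = "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"

_NUM = r"(0x[0-9a-fA-F]+|\d+)"
_OP = re.compile(r"(>>|<<|&|@)" + _NUM)


def u32_match(expr, pkt):
    """True if pkt (bytes starting at the IPv4 header) satisfies expr.

    Each '&&'-separated test starts with a fresh cursor at offset 0, reads one
    big-endian 32-bit word, applies &, <<, >>, @ left to right (@ advances the
    cursor by the current value and reads a new word at cursor+N), then compares
    the result against comma-separated values or lo:hi ranges.  Reading past the
    end of the packet makes the test fail, as in the kernel."""
    for test in expr.replace(" ", "").split("&&"):
        location, values = test.split("=")
        head = re.match(_NUM, location)
        at, pos = 0, int(head.group(1), 0)
        if len(pkt) < 4 or pos > len(pkt) - 4:
            return False
        val = struct.unpack_from("!I", pkt, pos)[0]
        for op, arg in _OP.findall(location[head.end():]):
            n = int(arg, 0)
            if op == "&":
                val &= n
            elif op == "<<":
                val = (val << n) & 0xFFFFFFFF
            elif op == ">>":
                val >>= n
            else:  # "@": move the cursor by the value computed so far, read again
                at, pos = at + val, n
                if len(pkt) < at + 4 or pos > len(pkt) - at - 4:
                    return False
                val = struct.unpack_from("!I", pkt, at + pos)[0]
        matched = False
        for rng in values.split(","):
            lo, _, hi = rng.partition(":")
            lo = int(lo, 0)
            hi = int(hi, 0) if hi else lo
            matched |= lo <= val <= hi
        if not matched:
            return False
    return True


def dns_query(qname, qtype, qclass=1, txid=0x1234):
    """Single-question DNS query with RD set; '.' encodes as a lone 0x00 label."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".") if l)
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, qclass))


def ipv4_udp(src, dst, sport, payload, options=b""):
    """Constructed IPv4 + UDP/53 datagram around payload.  Checksums are left at
    zero; u32 never looks at them.  options (a multiple of 4 bytes) grows the IHL."""
    ihl = (20 + len(options)) // 4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + options + struct.pack("!HHHH", sport, 53, udp_len, 0) + payload


def classify_samples():
    """Run RAK_EXPR over constructed packets; returns {label: would_be_dropped}."""
    src, dst = "63.217.28.226", "202.60.77.116"  # addresses from the post's log and dig output
    two_questions = (struct.pack("!HHHHHH", 1, 0x0100, 2, 0, 0, 0)
                     + b"\x00\x00\x02\x00\x01" * 2)
    samples = {
        "root NS/IN query (the attack)": ipv4_udp(src, dst, 2217, dns_query(".", 2)),
        "root NS/IN query, IP header with options": ipv4_udp(src, dst, 2217, dns_query(".", 2), b"\x01" * 4),
        "www.stupendous.net A query": ipv4_udp(src, dst, 2217, dns_query("www.stupendous.net", 1)),
        "root A query": ipv4_udp(src, dst, 2217, dns_query(".", 1)),
        "root NS/IN with QDCOUNT=2": ipv4_udp(src, dst, 2217, two_questions),
    }
    return {label: u32_match(RAK_EXPR, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, dropped in classify_samples().items():
        print("DROP " if dropped else "pass ", label)
```

Because each test is evaluated independently against the packet, the expression is position-exact: a query with EDNS or any other layout change that keeps QDCOUNT = 1 and the root question first still matches, while a packet too short to hold the question is simply not matched rather than causing an error.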
Authoritative names still work:
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63309
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.stupendous.net. IN A
;; ANSWER SECTION:
www.stupendous.net. 300 IN CNAME mars.stupendous.net.
mars.stupendous.net. 300 IN A 202.60.77.116
;; AUTHORITY SECTION:
stupendous.net. 300 IN NS muu3.cute.net.
stupendous.net. 300 IN NS mars.stupendous.net.
stupendous.net. 300 IN NS muu4.cute.net.
;; Query time: 58 msec
;; SERVER: 202.60.77.116#53(202.60.77.116)
;; WHEN: Sat Jan 24 04:53:32 2009
;; MSG SIZE rcvd: 128
Recursive queries for various names still result in a REFUSED response:
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2524
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
;; Query time: 91 msec
;; SERVER: 202.60.77.116#53(202.60.77.116)
;; WHEN: Sat Jan 24 04:53:38 2009
;; MSG SIZE rcvd: 32
But queries for ./NS/IN are now dropped on the floor (the packet never reaches named, so dig gets no reply at all and times out):
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
And we now have blessed silence in the logs. Thanks Patrik!
Yes, this breaks the DNS spec somewhat: anyone who asks this server for the root NS set now gets silence instead of REFUSED. But screw it. I don’t appreciate being used, even in a minor way, as a DDoS reflector. Sure, the reply was only 17 bytes, but these packets add up.
I hope this helps people wanting a fix that works a little better than adding blackholes to your BIND config.
OK, so I think, “Great, I’ll just add the iptables rule and have blessed silence in the logs!”
Not so fast: “iptables v1.3.6: Couldn’t load match `u32': /lib/iptables/libipt_u32.so: cannot open shared object file: No such file or directory.”
Grrrr. OK, gonna have to do some work. What is u32? Hmmm… aahhhh, it does byte comparison on IP headers. Brilliant! OK, now how do I get it… Doh! Gotta patch the kernel and recompile! From an ease-of-maintenance and repository-management perspective, I don’t want to build a custom kernel.
Now what?!? My logs are filling with this crap. I guess I can just purge the logs, but would rather drop the DNS requests than handle them after the fact.
I’m running Ubuntu Gutsy. How did you get u32 working?
Yes, maybe cool, maybe it works… Same problem for me… iptables v1.3.6: Couldn’t load match… bla bla bla…
Other idea?
Debian lenny packages it with the kernel package:
You might have to build a custom kernel, or alternatively, build the kernel module separately.
modprobe xt_u32
should load it.
When I paste the iptables command you have, I get:
iptables: Invalid argument
and in dmesg:
ip_tables: u32 match: invalid size 1984 != 2028
This is on a 2.6.23 Debian machine. Any ideas?
Thanks for posting this… been getting hammered with this… just had to recompile my kernel with u32 support! Thanks!
Hi, and thank you for this very useful snippet :)
I’ve been using it for about a day now, but I’ve noticed that my DNS server is now being flooded by requests for my reverse DNS (over which I have no control, which is why I noticed it).
It started just right after I started using the iptables snippet above.
Has anybody else noticed something like that on their server?
Not here. Maybe something else is going on? Run a packet capture?
Thanks so much. I don’t want to contribute either, and I’m not any longer.