My DNS has been under attack for two weeks already. This comes from the IP address daily, several times per second:
Feb 17 19:44:32 angel named[14025]: client 62.109.4.89#8639: query (cache) './NS/IN' denied
Feb 17 19:44:35 angel named[14025]: client 62.109.4.89#49699: query (cache) './NS/IN' denied
Feb 17 19:44:35 angel named[14025]: client 62.109.4.89#45419: query (cache) './NS/IN' denied
Feb 17 19:44:38 angel named[14025]: client 62.109.4.89#49667: query (cache) './NS/IN' denied
Feb 17 19:44:38 angel named[14025]: client 62.109.4.89#56759: query (cache) './NS/IN' denied
Feb 17 19:44:42 angel named[14025]: client 62.109.4.89#11347: query (cache) './NS/IN' denied
Feb 17 19:44:42 angel named[14025]: client 62.109.4.89#58937: query (cache) './NS/IN' denied
Feb 17 19:44:44 angel named[14025]: client 62.109.4.89#45638: query (cache) './NS/IN' denied
Feb 17 19:44:44 angel named[14025]: client 62.109.4.89#35305: query (cache) './NS/IN' denied
Feb 17 19:44:48 angel named[14025]: client 62.109.4.89#1079: query (cache) './NS/IN' denied
Feb 17 19:44:48 angel named[14025]: client 62.109.4.89#58384: query (cache) './NS/IN' denied
I ban it and the next day it comes from another unrelated address. Stupid and counter-productive.
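As an added example (not part of the original post), here is a small Python triage script for exactly this log pattern: it parses BIND's "query (cache) ... denied" lines, keeps only the root-zone NS queries ('./NS/IN'), and lists the client addresses that exceed a threshold. The sample lines are four from the post plus one constructed, unrelated denial; the logged client address is whatever source the packet carried and may be spoofed, so treat the output as a triage signal, not an attacker list.

```python
import re
from collections import Counter

# Sample input: four lines taken from the post plus one constructed, unrelated
# denial (198.51.100.7 is a documentation address used here as a placeholder).
SAMPLE_LOG = """\
Feb 17 19:44:32 angel named[14025]: client 62.109.4.89#8639: query (cache) './NS/IN' denied
Feb 17 19:44:35 angel named[14025]: client 62.109.4.89#49699: query (cache) './NS/IN' denied
Feb 17 19:44:35 angel named[14025]: client 62.109.4.89#45419: query (cache) './NS/IN' denied
Feb 17 19:44:38 angel named[14025]: client 62.109.4.89#49667: query (cache) './NS/IN' denied
Feb 17 19:44:40 angel named[14025]: client 198.51.100.7#4001: query (cache) 'example.org/A/IN' denied
"""

# BIND's denial line: "client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied"
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

def root_ns_counts(log_text):
    """Count denied NS queries for the root zone ('.') per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("qname") == "." and m.group("qtype") == "NS":
            counts[m.group("ip")] += 1
    return counts

def flood_sources(log_text, threshold=3):
    """Addresses with at least `threshold` root NS denials, most active first."""
    hits = [(ip, n) for ip, n in root_ns_counts(log_text).items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG):
        print(f"{ip}: {n} denied './NS/IN' queries")
```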
Comments
On my server, these requests are denied anyway and so don't do any harm (except for the log spam).
I've googled a bit and found those pages:
http://www.linuxquestions.org/questions/linux-security-4/dns-poisoning-attempts-i-think-629574/
http://www.uno-code.com/?q=node/160
http://isc.sans.org/diary.html?storyid=5713
Feb 19 17:12:23 asdlkf named[12647]: client 62.109.4.89#28072: query (cache) './NS/IN' denied
Feb 19 17:12:23 asdlkf named[12647]: client 62.109.4.89#63212: query (cache) './NS/IN' denied
Feb 19 17:12:24 asdlkf named[12647]: client 62.109.4.89#41805: query (cache) './NS/IN' denied
Feb 19 17:12:26 asdlkf named[12647]: client 62.109.4.89#39283: query (cache) './NS/IN' denied
email me (asdlkf@asdlkf.net) if you find anything on this.
-- Chris
This is an automated botnet.
I checked the logs, issued a blocking IPTABLES command, then checked the logs again.
3 messages were duplicated; 6 NEW attack lines (and 1 unrelated PHP error message) appeared.
You can see that there is a 47 second delay between the last 62.*.*.* entry and the first 195 entry.
Feb 19 17:36:47 # cat /var/log/syslog | tail -n 10
Feb 19 17:36:35 asdlkf named[12647]: client 62.109.4.89#53520: query (cache) './NS/IN' denied
Feb 19 17:36:36 asdlkf named[12647]: client 62.109.4.89#59695: query (cache) './NS/IN' denied
Feb 19 17:36:37 asdlkf named[12647]: client 62.109.4.89#23130: query (cache) './NS/IN' denied
Feb 19 17:36:40 asdlkf named[12647]: client 62.109.4.89#48491: query (cache) './NS/IN' denied
Feb 19 17:36:40 asdlkf named[12647]: client 62.109.4.89#10510: query (cache) './NS/IN' denied
Feb 19 17:36:41 asdlkf named[12647]: client 62.109.4.89#20783: query (cache) './NS/IN' denied
Feb 19 17:36:43 asdlkf named[12647]: client 62.109.4.89#1683: query (cache) './NS/IN' denied
Feb 19 17:36:46 asdlkf named[12647]: client 62.109.4.89#36861: query (cache) './NS/IN' denied
Feb 19 17:36:46 asdlkf named[12647]: client 62.109.4.89#46596: query (cache) './NS/IN' denied
Feb 19 17:36:47 asdlkf named[12647]: client 62.109.4.89#16273: query (cache) './NS/IN' denied
Feb 19 17:36:48 # iptables -A INPUT --source 62.109.4.89 -p UDP -j DROP
Feb 19 17:42:48 # cat /var/log/syslog | tail -n 10
Feb 19 17:36:46 asdlkf named[12647]: client 62.109.4.89#36861: query (cache) './NS/IN' denied
Feb 19 17:36:46 asdlkf named[12647]: client 62.109.4.89#46596: query (cache) './NS/IN' denied
Feb 19 17:36:47 asdlkf named[12647]: client 62.109.4.89#16273: query (cache) './NS/IN' denied
Feb 19 17:37:34 asdlkf named[12647]: client 195.68.176.4#27299: query (cache) './NS/IN' denied
Feb 19 17:38:36 asdlkf named[12647]: client 195.68.176.4#31869: query (cache) './NS/IN' denied
Feb 19 17:39:01 <<<<<< UNRELATED SYSLOG MESSAGE REMOVED >>>>>
Feb 19 17:39:39 asdlkf named[12647]: client 195.68.176.4#22828: query (cache) './NS/IN' denied
Feb 19 17:40:41 asdlkf named[12647]: client 195.68.176.4#40935: query (cache) './NS/IN' denied
Feb 19 17:41:44 asdlkf named[12647]: client 195.68.176.4#17454: query (cache) './NS/IN' denied
Feb 19 17:42:47 asdlkf named[12647]: client 195.68.176.4#3743: query (cache) './NS/IN' denied
Also, after blocking 62, it tried exactly 10 times and was denied 10 times by iptables.
The blocks were once every 5 seconds (45 seconds total). 2 seconds later, the first 195 attack started.
After 62's 10th failed attempt, it has not re-attempted in the last 10 minutes.
I then blocked 195 using iptables.
49 seconds later, a 3rd host started querying me. (195 failed 10 times as well, failing every 5 seconds.)
ugh.
With 62.109.4.89, 195.68.176.4, and 72.138.16.215 blocked inbound on protocol UDP, my logs have stopped filling.
So far so good.
But do you know how to stop the attack or blacklist this IP?
This helped me to stop the botnet DDoS attack on my server. Of course, all this will work only with small DDoS attacks. If the attack eats your server bandwidth, nothing will help you except your ISP.
iptables -I INPUT -p udp --dport 53 -m string --hex-string "|01 00 00 01 00 00 00 00 00 00 00 00 02 00 01|" --algo bm --from 30 --to 45 -j DROP
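To see what that hex string actually matches, here is an added Python emulation of the rule (my example, not the commenter's code): it builds constructed DNS query packets and applies the same 15-byte pattern over the same --from 30 --to 45 window. It assumes a plain 20-byte IPv4 header in front of UDP, and it shows a caveat worth knowing: the pattern includes flags 0x0100, so only queries with the RD bit set are dropped.

```python
import struct

# The 15 bytes from the rule: flags 0x0100 (RD set), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0,
# root name (a single 0x00 byte), QTYPE NS (2), QCLASS IN (1).
ROOT_NS_PATTERN = bytes.fromhex("01000001" "0000000000000000" "020001")
MATCH_FROM, MATCH_TO = 30, 45   # --from 30 --to 45: byte offsets counted from the IP header
QTYPE_A, QTYPE_NS = 1, 2

def build_dns_query(txn_id, qname, qtype, rd=True):
    """Minimal DNS query (12-byte header + one question); qname '.' is the root zone."""
    flags = 0x0100 if rd else 0x0000
    hdr = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    name = b""
    for label in [l for l in qname.strip(".").split(".") if l]:
        name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"                       # root label terminates the name
    return hdr + name + struct.pack("!HH", qtype, 1)   # QCLASS IN

def ip_udp_packet(payload):
    """Constructed IPv4 + UDP framing (20 + 8 bytes). Assumption: no IP options,
    so the DNS header starts at offset 28 and the flags field at offset 30."""
    ip_hdr = b"\x45" + b"\x00" * 19       # version 4, IHL 5; other fields irrelevant here
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload

def rule_matches(packet):
    """Emulate -m string --from 30 --to 45 --algo bm: the pattern must lie entirely
    inside packet[30..45] (inclusive), which is where header flags through QCLASS sit."""
    window = packet[MATCH_FROM:MATCH_TO + 1]
    return ROOT_NS_PATTERN in window

if __name__ == "__main__":
    for desc, q in [("root NS, RD set", build_dns_query(0x1234, ".", QTYPE_NS)),
                    ("example.org A", build_dns_query(0x1234, "example.org", QTYPE_A)),
                    ("root NS, RD clear", build_dns_query(0x1234, ".", QTYPE_NS, rd=False))]:
        print(f"{desc}: {'DROP' if rule_matches(ip_udp_packet(q)) else 'pass'}")
```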
I use this iptables rule in order to get rid of them:
iptables -I INPUT -s 62.109.4.89 -j DROP -m comment --comment "DNS flooder"
(I don't care about the protocol they attempt to use, just want to get rid of them at all)