I'm being hit by a collection of scoundrels all using source port 53, seeking 'x.kyuhhh.strangled.net/TXT/IN'. No, I am not authoritative for that name. This happened on cardinal.lizella.net.
Attackers:
=========
50.19.102.31 :: ec2-50-19-102-31.compute-1.amazonaws.com.
50.19.106.0 :: ec2-50-19-106-0.compute-1.amazonaws.com.
66.228.54.207 :: li296-207.members.linode.com.
67.21.85.227 :: 227.85.21.67.in-addr.arpa not found: 2(SERVFAIL)
    network:NetName:MICHAEL-STOWE-67.21.85.192
    network:OrgName:RAVENOUS-NETWORKS
68.243.98.206 :: 68-243-98-206.pools.spcsdns.net.
108.118.122.235 :: 108-118-122-235.pools.spcsdns.net. (NXDOMAIN, but owned by Sprint)
173.137.7.112 :: 173-137-7-112.pools.spcsdns.net.
174.151.36.3 :: 174-151-36-3.pools.spcsdns.net.
174.97.168.166 :: cpe-174-097-168-166.nc.res.rr.com.
174.97.171.72 :: cpe-174-097-171-072.nc.res.rr.com.
184.254.7.84 :: 184-254-7-84.pools.spcsdns.net. (NXDOMAIN, but owned by Sprint)
184.73.197.248 :: ec2-184-73-197-248.compute-1.amazonaws.com.

Logs of the last one:
====================
May 24 01:13:45 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:14:15 cardinal last message repeated 956 times
May 24 01:15:15 cardinal last message repeated 1998 times
May 24 01:16:15 cardinal last message repeated 2886 times
May 24 01:17:15 cardinal last message repeated 3839 times
May 24 01:18:15 cardinal last message repeated 3872 times
May 24 01:19:15 cardinal last message repeated 3952 times
May 24 01:20:15 cardinal last message repeated 3981 times
May 24 01:21:10 cardinal last message repeated 3530 times
May 24 01:21:11 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:21:42 cardinal last message repeated 1973 times
May 24 01:22:43 cardinal last message repeated 3925 times
May 24 01:23:44 cardinal last message repeated 3849 times
May 24 01:24:45 cardinal last message repeated 3850 times
May 24 01:25:45 cardinal last message repeated 3857 times
May 24 01:26:24 cardinal last message repeated 2457 times

If you're keeping score at home, that was 44927 until I blocked it in the firewall.
Another 4695 hits on the firewall means it did almost 50K queries in approximately 13-15 minutes total.

All the attackers were doing similar things, but most were not so easy to calculate the total, because at 2011-05-23 01:12 UTC there were two of them hitting at the same time. And that also leads to an interesting observation: when there were two hitting, there were *exactly* two. One would stop, and another (which might have been previously attacking) would take its place. This kept up until 01:39, when I saw the activity and blocked the offending (spoofed?) IP addresses in the firewall.

Above is all that I have seen so far on 2011-05-24, but there too the timing is interesting: it leads me to believe I can expect a resumed assault at 01:10-:15 UTC tonight. But since some of the attacking IP addresses might already be blocked, it might not show in the log.

Questions:
=========
1. What is this? Is it targeted at me (my site) personally, or some kind of worm/malware crawling the Internet?
2. Is it harming me, other than the waste of bandwidth and logging?
3. Is there anything that I can (or should) do with named to limit or mitigate these attacks?
3a. Can named trigger an external action on receipt of a certain query?
4. What can be done outside of named about this?
4a. fail2ban, I know about, but would rather not.
4b. Linux iptables -m recent connection limiting

Linux iptables "recent" match:
=============================
I know how to do this; in fact I have firewalls limiting both SSH and SIP access using -m recent rules. What I am not so sure about: how much is a "safe" limit? I think if I set a limit of maybe a hundred queries in 10 seconds, I would stop this kind of attack without affecting normal resolution.

In a related matter, as noted, this attack was all on source port 53. It's not safe to block source port 53, is it? I suppose there are lots of broken resolvers out there which are still using source port 53.
But maybe my "recent" limitations should only apply to --sport 53 queries?

Here is what I did with -m recent for SIP:
http://www.spinics.net/lists/netfilter/msg49676.html

The approach for DNS, at least on the UDP side, will have to be similar, because this whole attack would be in conntrack --ctstate ESTABLISHED (after the initial refused query.)
-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
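The "keeping score" arithmetic above can be automated: syslog collapses identical denials into "last message repeated N times" lines, so a per-client total and peak query rate has to be reconstructed from those counts and the gaps between timestamps. The following is an added example (not from the original post or from BIND) that does this over a constructed excerpt in the same format, and flags any client#port whose rate exceeds the poster's proposed limit of a hundred queries in 10 seconds; the 192.0.2.10 line is an invented benign client for contrast.

```python
import re
from datetime import datetime

# Constructed sample: a shortened excerpt in the format of the named/syslog
# lines quoted in the post, plus one invented low-rate client for contrast.
SAMPLE_LOG = """\
May 24 01:13:45 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:14:15 cardinal last message repeated 956 times
May 24 01:15:15 cardinal last message repeated 1998 times
May 24 01:21:11 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:21:42 cardinal last message repeated 1973 times
May 24 01:30:00 cardinal named[1096]: client 192.0.2.10#40123: query (cache) 'example.com/A/IN' denied
"""

TS = r"(\w{3}) +(\d+) (\d\d:\d\d:\d\d)"
DENIED_RE = re.compile(TS + r" \S+ named\[\d+\]: client ([\d.]+)#(\d+): query \(cache\) '[^']+' denied$")
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (\d+) times$")

def _ts(mon, day, hms):
    # syslog omits the year; any fixed year works for computing differences
    return datetime.strptime(f"{mon} {int(day):02d} {hms} 2011", "%b %d %H:%M:%S %Y")

def summarize_denied(log_text, limit=100, window=10):
    """Per client#port: total denied queries, peak rate (queries/s), and
    whether that peak exceeds limit/window (default: 100 queries in 10 s)."""
    clients = {}
    prev_key, prev_ts = None, None
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            mon, day, hms, ip, port = m.groups()
            prev_key, prev_ts = f"{ip}#{port}", _ts(mon, day, hms)
            rec = clients.setdefault(prev_key, {"queries": 0, "peak_rate": 0.0})
            rec["queries"] += 1
            continue
        m = REPEAT_RE.match(line)
        if m and prev_key is not None:
            # syslog collapsed N identical denials since prev_ts; attribute them to that client
            mon, day, hms, n = m.groups()
            now, n = _ts(mon, day, hms), int(n)
            secs = max((now - prev_ts).total_seconds(), 1.0)  # avoid divide-by-zero on same-second repeats
            rec = clients[prev_key]
            rec["queries"] += n
            rec["peak_rate"] = max(rec["peak_rate"], n / secs)
            prev_ts = now
            continue
        prev_key = None  # any other line breaks the "repeated" chain
    for rec in clients.values():
        rec["flagged"] = rec["peak_rate"] > limit / window
    return clients
```

Run over the full excerpt from the post, the same function reproduces the 44927 total; here the 184.73.197.248#53 bursts work out to roughly 32-64 queries/s, far above the 10/s the proposed -m recent limit would allow.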