I really appreciate you sparing so much time to trace out the problem and 
sending such a detailed email.

Is there any other security measure at the DNS level to control such 
attacks, instead of blocking the IPs either on my Linux machine or on 
my network side?

For example, if someone is sending an ANY request, by default it should be 
denied when users request it.


Ejaz 

-----Original Message-----
From: S Carr [mailto:sjc...@gmail.com] 
Sent: Wednesday, July 27, 2016 4:19 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 13:33, Ejaz <me...@cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for 
cpsc.gov.

No responses I can see are going from port 0; they are coming in on 53 and BIND 
is responding on a random high port.

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for 
reverse lookups and .99 shows that it is supposedly the system 
mail.electro.com.sa (though the forward lookup does not map to the same as the 
reverse).

It also looks like you are providing a recursive DNS service for these IP 
addresses, in frame 118047 you respond to the client with an NXDOMAIN response 
as the query they asked has a random "\r" on it. Are you meant to be providing 
recursive DNS for these clients? The random "\r" looks to me like something has 
been scripted (albeit poorly) to run against your systems.

As this is probably one of your customers, have you tried contacting them to 
find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected by some 
malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another layer 
of filtering and block the requests locally, or ask your network team to block 
those IPs, then wait for the customer to shout.
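
An added example, not part of the thread or of either poster's code: the two patterns picked out of the capture above (clients repeating ANY queries for one name, and a query name carrying a stray "\r") can also be found in BIND's query log. It assumes query logging is enabled, the common BIND 9 line shape, and that control characters are logged as `\DDD` decimal escapes; the log lines, ports, timestamps and the 192.0.2.53 / 198.51.100.7 addresses are constructed.

```python
import re
from collections import Counter

# Assumed BIND 9 query-log shape (query logging must be enabled):
#   ... client [@0x...] <ip>#<port> (<name>): query: <name> <class> <type> <flags> (<server>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
# Assumption: non-printable bytes in a name are logged as \DDD decimal escapes.
ESCAPE_RE = re.compile(r"\\(\d{3})")

def parse(line):
    """Return ip/qname/qclass/qtype for a query-log line, or None."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None

def any_query_report(lines, threshold=3):
    """Map (client_ip, qname) -> count for ANY queries seen >= threshold times."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["qtype"].upper() == "ANY":
            counts[(rec["ip"], rec["qname"].lower().rstrip("."))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def control_char_names(lines):
    """List (client_ip, qname) where the name holds an escaped control byte."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and any(int(d) < 32 or int(d) == 127
                       for d in ESCAPE_RE.findall(rec["qname"])):
            hits.append((rec["ip"], rec["qname"]))
    return hits

def _line(ip, port, qname, qtype):
    # Builds one constructed log line; not real traffic.
    return (f"27-Jul-2016 13:20:01.000 queries: info: client {ip}#{port} "
            f"({qname}): query: {qname} IN {qtype} +E (192.0.2.53)")

SAMPLE = (
    [_line("212.118.122.99", 40000 + i, "cpsc.gov", "ANY") for i in range(3)]
    + [_line("212.118.122.100", 41000 + i, "cpsc.gov", "ANY") for i in range(3)]
    + [_line("212.118.122.101", 42000, r"cpsc.gov\013", "ANY"),
       _line("198.51.100.7", 43000, "www.example.com", "A")]
)

if __name__ == "__main__":
    for (ip, qname), n in sorted(any_query_report(SAMPLE).items()):
        print(f"{ip} sent {n} ANY queries for {qname}")
    for ip, qname in control_char_names(SAMPLE):
        print(f"{ip} queried a name with a control character: {qname}")
```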
