On Jun 10, 2012, at 07:10, Jim Reid wrote:

> My name server has been getting hammered with queries for ihren.org -- one of
> the zones it serves -- since around 00:00 GMT today. [The attack may have
> started earlier and I just didn't notice it.] The box is getting ~400 qps for
> this name. The queries come from the same IP address, just repeating over and
> over. The source port number changes after 25 queries or so. As soon as I get
> BIND to blackhole the offending prefix, another host pops up to take its
> place: repeated queries with a broken UDP checksum from a single IP
> address at a time.
>
> Most of these IP addresses belong to N. American cable companies. I've not
> yet been in touch with their abuse PoCs and a ticket's been opened with my
> ISP.
>
> There's clearly a botnet at work. But why target one of Johan's personal
> domain names and/or my server? The box doesn't host anything controversial or
> important like a TLD: just my mail service and DNS for friends and family.
> Which is of course very important to me. :-)
>
> Is it worth trying to find the ultimate source of this attack? If so, how? Is
> anyone else here seeing similar behaviour?
>
> At present, the attack is an irritant. I get a 300MB query log file in about
> an hour. The log files have been filled and rotated so quickly, I can't tell
> when the attack actually started.
>
> In case anyone cares, here's a traffic summary for what's been logged for
> today's activity: timestamp (UTC + 1H), source IP address and number of
> queries.
What type of queries? We have something similar happening with one of our
client domains, and they are all ANY queries from a wide variety of IP ranges,
mostly from China. Blackhole one range, and it swaps over.

https://isc.sans.edu/diary/DNS+ANY+Request+Cannon+-+Need+More+Packets/13261

The iptables rules mentioned in the first comment work well for us, so far,
and they work better than the log parsing we did until now.

The odd thing is that it's just the one domain, the same type of query, on the
same (secondary) server. Over and over. Also, and I've seen this mentioned
elsewhere as well, they kind of stick to certain times of the day, like someone
is waking up and starting another batch of queries.

This is what it looked like with just the automatic IP blacklist; number of
ANY queries per hour:

Hour (CET)   20120601   20120602   20120603
0000               44         39         29
0100               53         33         34
0200             8933         33         30
0300              608         35         22
0400             1020        553         29
0500              813        595       1405
0600             1364        598        613
0700             1176       2369        306
0800             1568       3619        593
0900             1247       1807       1124
1000             1804        608        578
1100              553        703        103
1200              155        142        687
1300              533       2694        688
1400              459         41        584
1500               64         44       1144
1600               60        933        637
1700               51         28        662
1800               73         36         34
1900               53         33         38
2000               29         31         33
2100               34         23         26
2200               24         26         32
2300               45         34         39

And this is with the iptables based rate limiter in place:

Hour (CET)   20120608
0000               32
0100               29
0200               21
0300               19
0400               19
0500               14
0600               12
0700               41
0800               37
0900               35
1000               60
1100              139
1200               97
1300               57
1400               74
1500               88
1600               35
1700               39
1800               36
1900               29
2000               27
2100               24
2200               20
2300               17

Times are CET. If yours is completely different and I am missing something,
apologies :-) Hopefully the data will be useful to some; it's taken us quite a
while to figure out as a small operator.

Rgds,
Jona

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
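Both posters work from the name server's query log: Jim summarises queries per source IP, and Jona counts ANY queries per hour and blacklists sources automatically before switching to iptables rate limiting. The script below is an added example, not code from either poster, from BIND, or from the SANS diary linked above. It parses a handful of constructed lines written in the style of a BIND 9 query log (RFC 5737 documentation addresses, not the real traffic discussed), tallies ANY queries for one zone per hour in the same YYYYMMDD-HH00 form Jona used, lists sources that exceed an assumed per-source threshold, and renders a per-source iptables drop rule of the kind an automatic blacklist script might apply. The threshold and the shape of the drop rule are assumptions for illustration; the diary's rate-limiting rules are not reproduced here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the style of a BIND 9 query log (not real traffic).
# Timestamps are the server's local time, which is why Jona notes "Times are CET".
SAMPLE_LOG = """\
10-Jun-2012 00:00:01.102 client 198.51.100.7#41002: query: ihren.org IN ANY +E (203.0.113.53)
10-Jun-2012 00:00:01.115 client 198.51.100.7#41002: query: ihren.org IN ANY +E (203.0.113.53)
10-Jun-2012 00:00:01.131 client 198.51.100.7#41003: query: ihren.org IN ANY +E (203.0.113.53)
10-Jun-2012 00:00:02.004 client 192.0.2.10#5353: query: www.example.net IN A - (203.0.113.53)
10-Jun-2012 00:59:59.900 client 198.51.100.7#41003: query: ihren.org IN ANY +E (203.0.113.53)
10-Jun-2012 01:00:00.010 client 203.0.113.200#1024: query: ihren.org IN ANY + (203.0.113.53)
10-Jun-2012 01:00:00.020 client 203.0.113.200#1024: query: ihren.org IN ANY + (203.0.113.53)
10-Jun-2012 01:03:12.500 client 192.0.2.10#5353: query: ihren.org IN MX - (203.0.113.53)
"""

# Tolerates the optional "@0x..." client handle and "(qname)" that newer BIND
# releases insert after the client address; only the fields used below are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
    return rec


def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it (case-insensitive)."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def any_records(lines, zone=None):
    """Yield parsed ANY queries, optionally restricted to one zone."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        if zone is not None and not in_zone(rec["qname"], zone):
            continue
        yield rec


def any_queries_per_hour(lines, zone=None):
    """Count ANY queries per hour, keyed YYYYMMDD-HH00 as in the post above."""
    counts = Counter(r["when"].strftime("%Y%m%d-%H00") for r in any_records(lines, zone))
    return dict(sorted(counts.items()))


def offending_sources(lines, threshold, zone=None):
    """Sources sending more than `threshold` ANY queries (threshold is an assumed knob),
    highest count first."""
    per_src = Counter(r["src"] for r in any_records(lines, zone))
    return sorted(((ip, n) for ip, n in per_src.items() if n > threshold),
                  key=lambda t: (-t[1], t[0]))


def blackhole_rule(ip):
    """Render (not execute) a per-source drop rule; the rule shape is an assumption."""
    return f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hour, n in any_queries_per_hour(lines, "ihren.org").items():
        print(f"{hour} : {n}")
    for ip, n in offending_sources(lines, threshold=3, zone="ihren.org"):
        print(f"# {ip} sent {n} ANY queries")
        print(blackhole_rule(ip))
```

Run against a real log, the hourly counts reproduce the kind of table Jona posted, and the offending-source list is what an automatic blacklist would feed into the firewall; note that a per-source threshold alone does not help against a source that rotates addresses every few hundred queries, which is why the thread moves on to rate limiting the query type itself.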