Jussi Hirvi wrote:
> On 17.8.2012 15.04, John Doe wrote:
>> Maybe it is this:
>> http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/
>
> Interesting idea. In that case the IPs in my logs would point to the
> targets of the attack. I checked a few of them, and they l
On 17.8.2012 15.04, John Doe wrote:
> Maybe it is this:
> http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/
Interesting idea. In that case the IPs in my logs would point to the
targets of the attack. I checked a few of them, and they look more like
hijacked vic
From: Jussi Hirvi
> On 17.8.2012 8.18, John R Pierce wrote:
>> meh, if it's coming from lots of random hosts, then fail2ban style
>> techniques won't work. I assume this is an authoritative name server?
>> does it have recursive queries disabled so it can only return results
>> for the domain
On 17.8.2012 8.18, John R Pierce wrote:
> meh, if it's coming from lots of random hosts, then fail2ban style
> techniques won't work. I assume this is an authoritative name server?
> does it have recursive queries disabled so it can only return results
> for the domain(s) it's authoritative for ?
Y
On Thu, 16 Aug 2012 22:18:19 -0700
John R Pierce wrote:
> On 08/16/12 9:54 PM, Jussi Hirvi wrote:
> >> Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query
> >> (cache) 'ripe.net/ANY/IN' denied
> >> >Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query
> >> >(cache) 'ripe.n
On 08/16/12 9:54 PM, Jussi Hirvi wrote:
>> Aug 17 07:41:38 mx2 named[6873]: client 205.145.64.200#53: query (cache)
>> 'ripe.net/ANY/IN' denied
>> >Aug 17 07:41:38 mx2 named[6873]: client 204.10.45.5#53: query (cache)
>> >'ripe.net/ANY/IN' denied
>> >Aug 17 07:41:38 mx2 named[6873]: client 78.40.
Looks like one of my name servers (CentOS 5) gets a lot of malicious
queries. The CPU load is constantly about 3 %. I put on stricter limits
on who is allowed recursive queries, but this does not affect the CPU
load. I also updated bind.
I temporarily turned on querylog (command: rndc querylog)