DNS Distributed Denial Of Service?
Tuesday 27th January, 2009 13:03
I spotted a lot of repeated requests to one of my DNS servers and decided to do some investigating (after blocking the IP addresses). It looks like I'm not alone, as someone else has blogged about it (and has also been seeing traffic from 76.9.16.171): DNS dot DDoS Attack targetting the Internet
This led me to the SANS entry on the 18th of January. Two of the IP addresses seem to be associated with porn sites and one of the netblocks has confirmed that a DDoS attack is in progress against one of their clients.
If you have queries for "." in your DNS log, best verify by use of a sniffer whether your DNS server actually responds and contributes to the DOS. Normally, an internet-facing authoritative DNS server should not respond to recursive 3rd party queries, but we have received reports that some servers apparently respond to these "." queries even when recursion is disabled.
The DNS server that's seeing this traffic appears to respond to the requests with a reply code of "Refused" (which is good practice), but that's stopped now that the IPs have been blocked (to help prevent my traffic adding to the problem, and save my server some CPU time, although it is only running at about 2%). You can test your own DNS servers using this tool.
At the moment I've only spotted it coming from the following IPs:
63.217.28.226
67.192.144.0 (all the freaking time)
76.9.16.171
But these others are also apparently affected:
69.50.142.11
69.50.142.110
76.9.31.42
It appears that some of these other IPs may relate to pharmacy spam. I don't like spam, but there must be a better way to take them down.
EDIT: Perhaps this is why GoDaddy and Network Solutions have reported some DDoS problems.
EDIT2: I must admit I'm quite impressed with the Windows Firewall with Advanced Security that comes with Windows 2008!
EDIT3: I noticed that a staggering 43% of all packets hitting my network card are malicious DNS queries. Here's my latest list:
This led me to the SANS entry on the 18th of January. Two of the IP addresses seem to be associated with porn sites and one of the netblocks has confirmed that a DDoS attack is in progress against one of their clients.
If you have queries for "." in your DNS log, best verify by use of a sniffer whether your DNS server actually responds and contributes to the DOS. Normally, an internet-facing authoritative DNS server should not respond to recursive 3rd party queries, but we have received reports that some servers apparently respond to these "." queries even when recursion is disabled.
The DNS server that's seeing this traffic appears to respond to the requests with a reply code of "Refused" (which is good practice), but that's stopped now that the IPs have been blocked (to help prevent my traffic adding to the problem, and save my server some CPU time, although it is only running at about 2%). You can test your own DNS servers using this tool.
At the moment I've only spotted it coming from the following IPs:
63.217.28.226
67.192.144.0 (all the freaking time)
76.9.16.171
But these others are also apparently affected:
69.50.142.11
69.50.142.110
76.9.31.42
It appears that some of these other IPs may relate to pharmacy spam. I don't like spam, but there must be a better way to take them down.
EDIT: Perhaps this is why GoDaddy and Network Solutions have reported some DDoS problems.
EDIT2: I must admit I'm quite impressed with the Windows Firewall with Advanced Security that comes with Windows 2008!
EDIT3: I noticed that a staggering 43% of all packets hitting my network card are malicious DNS queries. Here's my latest list:
- 63.217.28.226
- 64.57.246.123
- 67.192.144.0
- 69.50.142.11
- 69.50.142.110
- 69.64.87.156
- 72.30.3.82
- 72.249.127.168
- 72.249.127.168
- 76.9.16.171
- 76.9.31.42