DNS dot DDoS Attack targeting the Internet
I was running tcpdump earlier this week when I noticed some odd queries hitting BlogSecurity's DNS servers:
$ sudo tcpdump port 53
10:35:29.560870 IP 69.50.142.110.50928 > blogsecurity.domain: 43135+ NS? . (17)
10:35:29.561302 IP blogsecurity.domain > 69.50.142.110.50928: 43135- 13/0/14 NS C.ROOT-SERVERS.NET.,[|domain]
10:35:31.037729 IP 76.9.16.171.10435 > blogsecurity.domain: 58781+ NS? . (17)
10:35:31.038201 IP blogsecurity.domain > 76.9.16.171.10435: 58781- 13/0/14 NS B.ROOT-SERVERS.NET.,[|domain]
The two source IP addresses on the queries (most likely spoofed, which would make them the intended victims rather than the attackers) are:
69.50.142.110 & 76.9.16.171
SANS have said this:
Several folks are reporting odd queries hitting their DNS servers at a steady rate of about two per second. The queries invariably ask for the name server of the domain “.” (NS query for a single dot). Since “.” is a query for the root name servers, it has a very short query packet but a pretty long answer. Our current theory therefore is that this is a denial of service (DoS) attack in progress, where the DNS servers are used as “amplifiers” and unwittingly flood the (spoofed) source by providing a long answer to a system which never asked.
I don't like the idea of being used as part of a DDoS amplification attack (if this is really what these requests are doing). This reminds me of the old smurf ICMP DDoS days.
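To pick out the pattern SANS describes from a capture rather than by eye, here is an added example (not from the original post): a small Python script that parses tcpdump "port 53" lines of the shape shown above, groups NS queries for "." by source address, reports each source's query rate, and, where tcpdump recorded the reply length, the reply/query size ratio that makes the server an amplifier. The sample capture is constructed for the example: the first two lines and the 76.9.16.171 pair are the post's own, the rest are made up, and the 485-byte reply length is an assumed size for a full 13/0/14 root referral, since the post's own replies are cut off at tcpdump's default snapshot length (the [|domain] marker) and carry no length.

```python
"""Flag sustained 'NS? .' queries in tcpdump 'port 53' output (added example)."""
import re
from collections import defaultdict

# Query line shape, as printed by tcpdump for DNS over UDP:
#   <ts> IP <src>.<sport> > <server>.domain: <id>+ <qtype>? <qname> (<len>)
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+): (?P<id>\d+)\+ (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)
# Reply line shape; the trailing "(<len>)" is missing when tcpdump truncated the
# packet at its snapshot length and printed "[|domain]" instead:
#   <ts> IP <server>.domain > <dst>.<dport>: <id>- <an>/<au>/<ad> <records> (<len>)
REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)-? (?P<an>\d+)/(?P<au>\d+)/(?P<ad>\d+) (?P<rest>.*?)(?: \((?P<len>\d+)\))?$"
)

# Constructed sample capture. The 485-byte reply length is an assumption (a full
# 13/0/14 root referral); record lists are shortened for readability. 192.0.2.10
# is a documentation address standing in for an ordinary client.
SAMPLE_CAPTURE = """\
10:35:29.560870 IP 69.50.142.110.50928 > blogsecurity.domain: 43135+ NS? . (17)
10:35:29.561302 IP blogsecurity.domain > 69.50.142.110.50928: 43135- 13/0/14 NS C.ROOT-SERVERS.NET.,[|domain]
10:35:30.060870 IP 69.50.142.110.50928 > blogsecurity.domain: 43136+ NS? . (17)
10:35:30.061290 IP blogsecurity.domain > 69.50.142.110.50928: 43136- 13/0/14 NS C.ROOT-SERVERS.NET., NS D.ROOT-SERVERS.NET. (485)
10:35:30.560870 IP 69.50.142.110.50928 > blogsecurity.domain: 43137+ NS? . (17)
10:35:30.561301 IP blogsecurity.domain > 69.50.142.110.50928: 43137- 13/0/14 NS C.ROOT-SERVERS.NET., NS D.ROOT-SERVERS.NET. (485)
10:35:31.037729 IP 76.9.16.171.10435 > blogsecurity.domain: 58781+ NS? . (17)
10:35:31.038201 IP blogsecurity.domain > 76.9.16.171.10435: 58781- 13/0/14 NS B.ROOT-SERVERS.NET.,[|domain]
10:35:31.060870 IP 69.50.142.110.50928 > blogsecurity.domain: 43138+ NS? . (17)
10:35:31.061299 IP blogsecurity.domain > 69.50.142.110.50928: 43138- 13/0/14 NS C.ROOT-SERVERS.NET., NS D.ROOT-SERVERS.NET. (485)
10:35:31.560870 IP 69.50.142.110.50928 > blogsecurity.domain: 43139+ NS? . (17)
10:35:31.561305 IP blogsecurity.domain > 69.50.142.110.50928: 43139- 13/0/14 NS C.ROOT-SERVERS.NET., NS D.ROOT-SERVERS.NET. (485)
10:35:32.100000 IP 192.0.2.10.4444 > blogsecurity.domain: 17+ A? www.example.com. (33)
"""


def ts_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Split capture text into query and reply dicts; lines of other shapes are skipped."""
    queries, replies = [], []
    for line in text.splitlines():
        line = line.strip()
        m = QUERY_RE.match(line)
        if m:
            d = m.groupdict()
            d["t"], d["len"] = ts_seconds(d["ts"]), int(d["len"])
            queries.append(d)
            continue
        m = REPLY_RE.match(line)
        if m:
            d = m.groupdict()
            d["t"] = ts_seconds(d["ts"])
            d["len"] = int(d["len"]) if d["len"] else None  # None: truncated reply
            replies.append(d)
    return queries, replies


def find_amplification_sources(text, min_queries=4, min_rate=1.0):
    """Return {src: stats} for sources sending 'NS? .' at >= min_rate queries/second.

    rate uses inter-arrival spacing: (n - 1) / (last - first).  amplification is
    the largest reply_len / query_len seen for that source, or None when every
    reply to it was truncated in the capture.
    """
    queries, replies = parse_capture(text)
    by_src = defaultdict(list)
    for q in queries:
        if q["qtype"] == "NS" and q["qname"] == ".":
            by_src[q["src"]].append(q)
    # Pair replies with queries by (destination address, transaction id).
    reply_for = {(r["dst"], r["id"]): r for r in replies}
    flagged = {}
    for src, qs in by_src.items():
        if len(qs) < min_queries:
            continue
        span = qs[-1]["t"] - qs[0]["t"]
        rate = (len(qs) - 1) / span if span > 0 else float("inf")
        if rate < min_rate:
            continue
        ratios = [reply_for[(src, q["id"])]["len"] / q["len"]
                  for q in qs
                  if (src, q["id"]) in reply_for and reply_for[(src, q["id"])]["len"]]
        flagged[src] = {"count": len(qs), "rate": rate,
                        "amplification": max(ratios) if ratios else None}
    return flagged


if __name__ == "__main__":
    for src, s in find_amplification_sources(SAMPLE_CAPTURE).items():
        amp = "unknown (replies truncated)" if s["amplification"] is None else f"{s['amplification']:.1f}x"
        print(f"{src}: {s['count']} 'NS? .' queries at {s['rate']:.1f}/s, amplification {amp}")
```

On the sample, 69.50.142.110 is flagged at 2.0 queries/second (the rate SANS quotes) with a 28.5x size ratio, while 76.9.16.171 sends a single query and is not. Run it against `tcpdump -n -s 0 port 53` output; without `-s 0` the replies are truncated and only the rate is available.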
I've put in a temporary fix, as BIND is no longer required on BlogSecurity's servers (DNS is managed elsewhere). The temporary fix uses the blackhole { address_match_list }; option, so the options section of named.conf now looks like this:
blackhole {
69.50.142.110;
76.9.16.171;
};
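The blackhole list above only stops the two addresses the capture happened to show, and since the sources are spoofed (per the SANS note above) whoever is driving the traffic can pick a new victim at any time; it also means the server will ignore legitimate queries from those two addresses. For a server that should only be authoritative, the more durable fix is to stop handing the root-server referral for "." to the world at all. As an added example, not the post's own configuration, here is an options section that does both. allow-query-cache is a BIND 9.4 option (not available in 9.3), and its 9.4 default of localhost and localnets is consistent with the comment below that 9.4.2-P1 gives the SANS test no result while 9.3.5-P1 does.

```conf
options {
    // Authoritative-only: refuse to recurse for anyone.
    recursion no;

    // Only local clients may be answered from cache or hints, which is where
    // the 13/0/14 root referral for "NS? ." comes from. BIND 9.4 and later.
    allow-query-cache { localhost; localnets; };

    // Available on 9.3 as well: drops the 14 additional-section records from
    // the referral, which shrinks the response but does not suppress it.
    additional-from-cache no;

    // The post's temporary fix: silently drop anything from these sources.
    // With spoofed sources this shields only the two victims seen so far.
    blackhole {
        69.50.142.110;
        76.9.16.171;
    };
};
```

After changing the configuration, run `named-checkconf` and reload, then re-run the tcpdump filter from the top of the post: the "NS? ." queries will keep arriving, but the 13/0/14 replies should stop.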
Update 20/01/08 11:07am
SANS have released a tool to test if your nameserver is vulnerable:
DNS Test
Comments
Two name servers running the same config, which only allows recursive queries from hosts in an ACL, produce different results from the SANS test script:
BIND 9.3.5-P1 gives a result
BIND 9.4.2-P1 no result
Unrelated to this post, but since I predicted DNS attacks against sites and blogs, here is Dan Kaminsky's tool to check if your DNS server is vulnerable to poisoning attacks:
A friend of mine made an interesting point: is this a DDoS attack, or are the attackers simply trying to slow down the nameserver responses to aid in other DNS attacks? See: http://it.slashdot.org/it/08/07/21/2212227.shtml