For the last 16 hours my server has been under a named DDoS attack, and
the attackers managed to get it offline for a few hours...
Anyhow, in syslog I see:

Aug 29 12:46:20 mojmikro named[19771]: client 208.64.126.86#17215: query (cache) './ANY/IN' denied
Aug 29 12:46:23 mojmikro named[19771]: client 208.64.126.86#46: query (cache) './ANY/IN' denied
Aug 29 12:46:23 mojmikro named[19771]: client 195.151.171.163#35686: query (cache) './ANY/IN' denied
Aug 29 12:46:25 mojmikro named[19771]: client 208.64.123.141#29789: query (cache) './ANY/IN' denied
Aug 29 12:46:26 mojmikro named[19771]: client 208.64.123.141#57888: query (cache) './ANY/IN' denied
Aug 29 12:46:27 mojmikro named[19771]: client 208.64.123.141#16026: query (cache) './ANY/IN' denied
Aug 29 12:46:27 mojmikro named[19771]: client 208.64.126.86#43029: query (cache) './ANY/IN' denied
Aug 29 12:46:28 mojmikro named[19771]: client 208.64.126.86#36219: query (cache) './ANY/IN' denied
Aug 29 12:46:29 mojmikro named[19771]: client 208.64.126.86#14405: query (cache) './ANY/IN' denied
Aug 29 12:46:30 mojmikro named[19771]: client 208.64.126.86#40084: query (cache) './ANY/IN' denied
Aug 29 12:46:31 mojmikro named[19771]: client 208.64.123.141#43174: query (cache) './ANY/IN' denied
Aug 29 12:46:32 mojmikro named[19771]: client 208.64.126.86#44740: query (cache) './ANY/IN' denied
Aug 29 12:46:32 mojmikro named[19771]: client 195.151.171.163#61446: query (cache) './ANY/IN' denied
Aug 29 12:46:32 mojmikro named[19771]: client 195.151.171.163#61447: query (cache) 'dmljmoaaaaesk0000diaaabaaafbagpa/ANY/IN' denied
Aug 29 12:46:32 mojmikro named[19771]: client 195.151.171.163#61446: query (cache) './ANY/IN' denied
Aug 29 12:46:33 mojmikro named[19771]: client 208.64.126.86#40895: query (cache) './ANY/IN' denied
Aug 29 12:46:34 mojmikro named[19771]: client 208.64.126.86#231: query (cache) './ANY/IN' denied
Aug 29 12:46:34 mojmikro named[19771]: client 208.64.126.86#29029: query (cache) './ANY/IN' denied
Aug 29 12:46:34 mojmikro named[19771]: client 208.64.123.141#60477: query (cache) './ANY/IN' denied
Aug 29 12:46:36 mojmikro named[19771]: client 208.64.126.86#61772: query (cache) './ANY/IN' denied
Aug 29 12:46:36 mojmikro named[19771]: client 208.64.123.141#37475: query (cache) './ANY/IN' denied
Aug 29 12:46:37 mojmikro named[19771]: client 208.64.126.86#20723: query (cache) './ANY/IN' denied
Aug 29 12:46:38 mojmikro named[19771]: client 195.151.171.163#33818: query (cache) './ANY/IN' denied
Aug 29 12:46:38 mojmikro named[19771]: client 208.64.126.86#23731: query (cache) './ANY/IN' denied
Aug 29 12:46:39 mojmikro named[19771]: client 195.151.171.163#45907: query (cache) './ANY/IN' denied
Aug 29 12:46:39 mojmikro named[19771]: client 208.64.126.86#40033: query (cache) './ANY/IN' denied
Aug 29 12:46:41 mojmikro named[19771]: client 208.64.126.86#29005: query (cache) './ANY/IN' denied
Aug 29 12:46:42 mojmikro named[19771]: client 208.64.126.86#23963: query (cache) './ANY/IN' denied
Aug 29 12:46:42 mojmikro named[19771]: client 208.64.123.141#43681: query (cache) './ANY/IN' denied
Aug 29 12:46:44 mojmikro named[19771]: client 208.64.126.86#24330: query (cache) './ANY/IN' denied
Aug 29 12:46:46 mojmikro named[19771]: client 208.64.123.141#30114: query (cache) './ANY/IN' denied
Aug 29 12:46:46 mojmikro named[19771]: client 208.64.123.141#46854: query (cache) './ANY/IN' denied
Aug 29 12:46:47 mojmikro named[19771]: client 208.64.123.141#18664: query (cache) './ANY/IN' denied
Aug 29 12:46:48 mojmikro named[19771]: client 208.64.126.86#63333: query (cache) './ANY/IN' denied
Aug 29 12:46:49 mojmikro named[19771]: client 208.64.126.86#24897: query (cache) './ANY/IN' denied

... I have now blocked the few repeating IPs directly with iptables, but it
surprises me that OSSEC does not have any rule that would block these
kinds of attacks on its own.

Or does it?

thanks,
Jaka
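
An added example, not part of the original post and not an OSSEC rule: a Python script that counts BIND "query (cache) ... denied" lines per client IP in a sliding time window and reports the sources that cross a threshold. The sample log lines, the host name ns1, the threshold and the window are constructed assumptions; source addresses in a flood like this can be spoofed, so a flagged IP is a candidate for rate limiting, not proof of origin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches BIND "query (cache) '<name>/<type>/<class>' denied" syslog lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\snamed\[\d+\]:\s"
    r"client\s(?P<ip>[0-9a-fA-F.:]+)#\d+:\s"
    r"query \(cache\) '(?P<q>[^']*)' denied"
)

def parse(line, year=2000):
    """Return (timestamp, client_ip, query), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog omits the year; the default is an assumption (a leap year).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["q"]

def flag_sources(lines, threshold=5, window=10):
    """Map each IP with >= threshold denials in `window` seconds to the
    time it first crossed the threshold. Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _ = rec
        seen = recent[ip]
        seen.append(ts)
        while (ts - seen[0]).total_seconds() > window:
            seen.popleft()          # drop hits older than the window
        if len(seen) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def make_line(sec, ip, port, name="."):
    """Build one constructed log line, `sec` seconds after 12:46:00."""
    return (f"Aug 29 12:{46 + sec // 60:02d}:{sec % 60:02d} ns1 named[1234]: "
            f"client {ip}#{port}: query (cache) '{name}/ANY/IN' denied")

# Constructed sample: one burst, one occasional client, one slow client.
SAMPLE = sorted(
    [make_line(s, "192.0.2.10", 40000 + s) for s in (20, 21, 23, 24, 26, 27)]
    + [make_line(s, "198.51.100.7", 50000 + s) for s in (22, 30)]
    + [make_line(s, "203.0.113.5", 60000 + s) for s in (0, 15, 30, 45, 60)]
    + ["Aug 29 12:46:40 ns1 named[1234]: zone example.test/IN: loaded serial 1"]
)

if __name__ == "__main__":
    for ip, when in flag_sources(SAMPLE).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```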
