DDOS Attack on BIND 9.8.0

2012-09-21 Thread Amit Gupta
Hi

We are running BIND 9.8.0 on a Solaris 10 machine.

We are getting continuous hits from various IPs to isc.org (snoop report
attached).

Because of this, our DNS is not responding to other genuine queries and users
are not able to browse.


0.2 59.178.138.195 -> 203.94.243.70 DNS C isc.org. Internet * ?

929   0.0 59.178.51.128 -> 203.94.243.70 DNS C isc.org. Internet * ?

937   0.0 59.178.166.44 -> 203.94.243.70 DNS C isc.org. Internet * ?

944   0.0 120.59.103.34 -> 203.94.243.70 DNS C isc.org. Internet * ?

949   0.0 59.180.142.190 -> 203.94.243.70 DNS C isc.org. Internet * ?

955   0.1 59.178.50.68 -> 203.94.243.70 DNS C isc.org. Internet * ?

964   0.0 120.60.156.1 -> 203.94.243.70 DNS C isc.org. Internet * ?

969   0.1 59.180.159.121 -> 203.94.243.70 DNS C isc.org. Internet * ?

973   0.0 59.178.182.103 -> 203.94.243.70 DNS C isc.org. Internet * ?

980   0.0 59.178.169.247 -> 203.94.243.70 DNS C isc.org. Internet * ?

983   0.0 59.178.162.136 -> 203.94.243.70 DNS C isc.org. Internet * ?

993   0.3 120.59.108.86 -> 203.94.243.70 DNS C isc.org. Internet * ?

998   0.0 59.178.51.96 -> 203.94.243.70 DNS C isc.org. Internet * ?

999   0.00010 120.56.185.176 -> 203.94.243.70 DNS C isc.org. Internet * ?

1001   0.0 59.180.146.89 -> 203.94.243.70 DNS C isc.org. Internet * ?

1015   0.2 59.178.177.217 -> 203.94.243.70 DNS C isc.org. Internet * ?

1027   0.0 59.178.62.149 -> 203.94.243.70 DNS C isc.org. Internet * ?

1028   0.0 59.178.165.0 -> 203.94.243.70 DNS C isc.org. Internet * ?

1037   0.0 59.180.140.93 -> 203.94.243.70 DNS C isc.org. Internet * ?

1064   0.0 59.178.183.73 -> 203.94.243.70 DNS C isc.org. Internet * ?

1093   0.0 59.177.139.7 -> 203.94.243.70 DNS C isc.org. Internet * ?

1103   0.1 59.183.143.46 -> 203.94.243.70 DNS C isc.org. Internet * ?

 

Thanks 

Amit 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DDOS Attack on BIND 9.8.0

2012-09-21 Thread Tony Xue
Hello,

I used to get a lot of these kinds of junk queries for ripe.net and isc.org, of
type ANY.

I just manually blocked these source IPs in iptables. I did this for several
months and there were no more junk queries afterwards.

Also, another one of my DNS servers was hacked or whatever and was used to send
this kind of junk. My IP was nulled by the operator because of the too-high
network load.

So, I believe this is maybe a bug or something that BIND 9.8 has. I think it is
better to upgrade to the latest version.
-Original Message-
From: "Amit Gupta"
Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.org
Date: Fri, 21 Sep 2012 15:26:23
To:
Cc:
Subject: DDOS Attack on BIND 9.8.0



DDOS Attack on BIND 9.8.0

2012-09-21 Thread Tony Xue
Actually I don't have a very good idea about it. It's kind of like you just
cannot do anything about it. Also, you're not the server used to attack others,
so there is less action that can be done.

I just think you can upgrade to BIND 9, because you're at ISP level, so most of
the actions I have taken, you can't do.

How much bandwidth does the attack cost every day?
-Original Message-
From: "Amit Gupta"
Date: Fri, 21 Sep 2012 16:02:38
To:
Cc:
Subject: DDOS Attack on BIND 9.8.0

Hi

At ISP level it is not possible to block IPs for us.
Do I require some patch or an upgrade to a higher BIND?

Or is some OS patch for Solaris required?

Somehow I know that these queries are of ANY type and the responses are choking
Ethernet traffic.

Please suggest. This BIND is in our production environment.

Thanks 

Amit



DDOS Attack on BIND 9.8.0

2012-09-21 Thread Manson, John
Sounds like the internet is using your external dns server to do recursive 
queries.
This will reduce the unwanted queries.
On your external dns server, create 2 views, one for your internal dns 
forwarders to point to (recursive) and one for internet queries to you 
(authoritative).
Name them Inside and Outside.
Create two acls accordingly with the acl for the authoritative view set to 
'any'.
List the recursive view first in the named config file.
In the recursive view set recursion yes and additional-from-cache yes.
In the authoritative view, set both to no.

Hope this helps

JM
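
The two-view layout described in the message above, written out as a named.conf sketch. This is an added example, not configuration posted by anyone in the thread; the ACL names, address range, zone name, directory and file names are placeholders to be replaced with real values.

```conf
// Added example: named.conf sketch of the Inside/Outside view split.
// ACL names, addresses, zone name and file names are placeholders (assumptions).

acl "inside-acl"  { 127.0.0.1; 192.0.2.0/24; };  // internal forwarders (placeholder range)
acl "outside-acl" { any; };                      // everyone else on the internet

options {
    directory "/var/named";                      // assumed path
};

// Views are matched in the order listed, so the recursive view comes first;
// otherwise "any" in the Outside ACL would also capture the internal forwarders.
view "Inside" {
    match-clients { "inside-acl"; };
    recursion yes;
    additional-from-cache yes;

    // Once views are used, every zone statement must sit inside a view.
    zone "example.com" {                         // placeholder for your own zone
        type master;
        file "db.example.com";
    };
};

view "Outside" {
    match-clients { "outside-acl"; };
    recursion no;               // do not resolve third-party names for outside clients
    additional-from-cache no;   // do not add cached data to outside responses

    zone "example.com" {
        type master;
        file "db.example.com";
    };
};
```

Running named-checkconf against the edited file before reloading named catches a zone left outside a view or a misspelled ACL name.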
