?????? Re: Is there a way to count the number of queries?
So can I set the statistic option in specific View option? If I can do that, it can record the number of queries by specific IP. -Original Message- From: Feng He Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.orgDate: Wed, 07 Nov 2012 17:51:57 To: Subject: Re: Is there a way to count the number of queries? 于 2012-11-7 17:39, Tony Xue 写道: > Would please someone tell me a way to count the queries that my DNS server > received? I also want to count the number of queries from a specific IP > address. BIND has a zone-statistics option which can be set to on. For the statistics by IP I think you may want to enable the query Log and get the access stat from it. HTH. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Is there a way to count the number of queries?
Hi everyone, Would please someone tell me a way to count the queries that my DNS server received? I also want to count the number of queries from a specific IP address. Can anyone tell me how to do that? Thanks ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
?????? Re: ?????? Re: Possible DDoS?
Because my server also used to be hacked and send this kind of junk queries and my server was null-routed by the datacenter. The high bandwidth was happened exactly on my server. -Original Message- From: Phil Mayers Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.orgDate: Thu, 18 Oct 2012 00:22:24 To: Subject: Re: 答复: Re: Possible DDoS? On 10/18/2012 12:12 AM, Tony Xue wrote: > > I am pretty sure the sources were hacked because one of my another What makes you think the source IPs were real? ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
?????? Re: Possible DDoS?
I used to get the same problem but that was everytime from three or four different source IP and they are all querying "ripe.net IN ANY" for around 10 queries per second. I am pretty sure the sources were hacked because one of my another DNS server also become the source to attack and from the packet can see there're exactly the same type of attack. -Original Message- From: Phil Mayers Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.orgDate: Wed, 17 Oct 2012 23:59:11 To: Subject: Re: Possible DDoS? On 10/17/2012 07:39 PM, Dennis Clarke wrote: > I have the exact same problem with an ip inside State of Colorado > General Government Computer subnet : > > http://whois.arin.net/rest/org/SCGGC That's not exactly a fly-by-night organisation; have you contacted them? > > Some server there has been pounding queries at me at a rate of > 48,000+ a day : Some packets are arriving with that source IP. Big difference. It's possible (likely?) the sources are spoofed, and someone is inducing *you* to bombard that IP with replies (or trying to). > > Queries show up in bunches, while the average is every 1.7 secs I see > dozens of queries all arrive nearly at the same time, then a ten > second pause, then again another burst. > > Makes no sense to me what is going on there. Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed source. DNS server sends 1 million DNS replies of 1000 bytes each to the spoofed IP. 10x amplification, means the attacker can use lower-spec machines to overload a target. Or something is just broken, and the source IPs are real - in which case, contact them. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
?????? DDOS Atatck on BIND 9.8.0
Actually I don't have very good idea about it. It's kind of you just cannot do anything about it. Also you're not the server used to attack others so there're less action can be done. I just think you can upgrade to BIND 9, because you're ISP level so most actions I have done , you can't do it. How much bandwidth cost for attack every day? -Original Message- From: "Amit Gupta " Date: Fri, 21 Sep 2012 16:02:38 To: Cc: ; Subject: DDOS Atatck on BIND 9.8.0 Hi At ISP level it is not possible to block IPs for us . Do I require some patch or upgrade to higher BIND .? Or some OS patch of Solaris is required ? Some how I know that these query is of ANY type and response is chocking Ethernet traffic. Please suggest . This BIND is on our production environment . Thanks Amit ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re:DDOS Atatck on BIND 9.8.0
-Original Message- From: "Tony Xue" Date: Fri, 21 Sep 2012 10:09:37 To: Amit Gupta; ; Reply-To: xuez...@gmail.com Cc: Subject: 答复: DDOS Atatck on BIND 9.8.0 Hello, I used to get a lot of these kind of junk queries for ripe.net and isc.org in ANY type. I just manually block these source IPs in iptables. I did this work for several months and there was no more junk queries after. Also, one of my another DNS server was hacked or whatever and was used to send these kind of junk. My IP was nulled by operator because too high network loads. So, I believe this is maybe a bug or something that BIND 9.8 has. I think is better to upgrade to the latest version. -Original Message- From: "Amit Gupta " Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.orgDate: Fri, 21 Sep 2012 15:26:23 To: Cc: Subject: DDOS Atatck on BIND 9.8.0 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
?????? DDOS Atatck on BIND 9.8.0
Hello, I used to get a lot of these kind of junk queries for ripe.net and isc.org in ANY type. I just manually block these source IPs in iptables. I did this work for several months and there was no more junk queries after. Also, one of my another DNS server was hacked or whatever and was used to send these kind of junk. My IP was nulled by operator because too high network loads. So, I believe this is maybe a bug or something that BIND 9.8 has. I think is better to upgrade to the latest version. -Original Message- From: "Amit Gupta " Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.orgDate: Fri, 21 Sep 2012 15:26:23 To: Cc: Subject: DDOS Atatck on BIND 9.8.0 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
?????? Re: Moving from "type forward" to "type static-stub"
Hello, Ehhh, what's a static-stub type? Why I never read this in the file? -Original Message- From: Chris Buxton Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.orgDate: Thu, 20 Sep 2012 19:35:23 To: Oscar Ricardo Silva Cc: Subject: Re: Moving from "type forward" to "type static-stub" ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users