Re: lot of 'ripe.net IN ANY +ED' queries
On Mon, Jul 23, 2012 at 04:49:24PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 15 lines which said:

> Buggy. It parses the DNS packet from the end and therefore fails with EDNS packets (which have the OPT resource record at the end).

After checking, I stand corrected. This is not the original xt_dns (which is buggy) but a fork which fixes the parsing. Sorry for the false alarm.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: lot of 'ripe.net IN ANY +ED' queries
Actually we detected these ripe.net ANY requests by observing an increase in TCP DNS requests due to large DNSSEC responses. The IP address does not seem spoofed. It seems these (very few) clients wait 10 sec before closing their TCP connection, which increases the platform load. We think it is malware, but feel free to provide more information on that topic.

BR
Daniel

On 07/24/2012 05:22 PM, Stephane Bortzmeyer wrote:
> On Mon, Jul 23, 2012 at 04:49:24PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 15 lines which said:
>
>> Buggy. It parses the DNS packet from the end and therefore fails with EDNS packets (which have the OPT resource record at the end).
>
> After checking, I stand corrected. This is not the original xt_dns (which is buggy) but a fork which fixes the parsing. Sorry for the false alarm.
Re: lot of 'ripe.net IN ANY +ED' queries
In message 500ed56f.1080...@gmail.com, Daniel Migault writes:

> Actually we detected these ripe.net ANY requests by observing an increase in TCP DNS requests due to large DNSSEC responses. IP address does not seem spoofed. It seems these (very few) client wait 10 sec before closing their TCP connection, which increases the platform load. We think it is a malware, but feel free to provide more information on that topic.
>
> BR
> Daniel

If it is TCP then it would be "ripe.net IN ANY +ETD" being logged, as the query log records whether it is TCP or not. The original poster is getting UDP queries. If you are getting lots of TCP queries then you should be addressing the source directly and getting that fixed.

> On 07/24/2012 05:22 PM, Stephane Bortzmeyer wrote:
>> On Mon, Jul 23, 2012 at 04:49:24PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 15 lines which said:
>>
>>> Buggy. It parses the DNS packet from the end and therefore fails with EDNS packets (which have the OPT resource record at the end).
>>
>> After checking, I stand corrected. This is not the original xt_dns (which is buggy) but a fork which fixes the parsing. Sorry for the false alarm.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
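The +ED versus +ETD distinction Mark points out, worked through as an added example (not from the thread and not BIND's own code): a small parser for the BIND 9 query-log format quoted in the original post that decodes the flag letters and tallies ANY queries per client by transport. Only the first sample line is from the original post; the others are constructed here with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# BIND 9 query-log line as quoted in the original post:
#   <ts> queries: info: client <ip>#<port>: view <v>: query: <qname> <class> <qtype> <flags> (<server>)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[^#]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]+)\)$")

# Flag letters BIND appends after the query type ('+' RD, 'E' EDNS, 'T' TCP, 'D' DO bit)
FLAG_NAMES = {"+": "recursion desired", "-": "recursion not desired", "S": "TSIG signed",
              "E": "EDNS", "T": "TCP", "D": "DNSSEC OK (DO bit)", "C": "checking disabled"}

def parse_line(line):
    """Dict of fields for one query-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["tcp"] = "T" in rec["flags"]
    rec["flag_names"] = [FLAG_NAMES[c] for c in rec["flags"] if c in FLAG_NAMES]
    return rec

def any_query_report(lines):
    """Per-client counts of ANY queries, split by transport. A UDP-only source
    may well be a spoofed victim (rate-limit, do not block); a TCP source has
    completed a handshake and is the party to contact about the traffic."""
    report = defaultdict(lambda: {"udp": 0, "tcp": 0})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY":
            report[rec["client"]]["tcp" if rec["tcp"] else "udp"] += 1
    return dict(report)

# Sample input: first line is the one quoted in the original post; the rest are
# constructed here with RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "23-Jul-2012 14:03:28.813 queries: info: client 96.44.152.125#53: view external: query: ripe.net IN ANY +ED (my.dns.server.ip)",
    "23-Jul-2012 14:03:29.101 queries: info: client 192.0.2.10#53: view external: query: ripe.net IN ANY +ED (my.dns.server.ip)",
    "23-Jul-2012 14:03:29.455 queries: info: client 192.0.2.10#53: view external: query: ripe.net IN ANY +ED (my.dns.server.ip)",
    "23-Jul-2012 14:03:30.007 queries: info: client 198.51.100.7#41022: view external: query: ripe.net IN ANY +ETD (my.dns.server.ip)",
    "23-Jul-2012 14:03:30.512 queries: info: client 198.51.100.7#41022: view external: query: www.example.com IN A +E (my.dns.server.ip)",
]

if __name__ == "__main__":
    for client, counts in any_query_report(SAMPLE_LOG).items():
        print(client, counts)
```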
lot of 'ripe.net IN ANY +ED' queries
Hi all,

I am a new subscriber of your list. I browsed the archive but didn't find an answer/hint for my problem.

I am running (on FreeBSD 9.1-PRERELEASE) a public caching DNS server. For about 2 months I've been receiving a lot of (DNS flood attack?) queries like:

  23-Jul-2012 14:03:28.813 queries: info: client 96.44.152.125#53: view external: query: ripe.net IN ANY +ED (my.dns.server.ip)

What I do now is just parse the logs and block IPs that ask for ripe.net via ipfw. But is there any other solution for these permanent attacks? Or should I contact my ISP?

Thanks for help!

Regards,
-- 
Marek Salwerowicz
Re: lot of 'ripe.net IN ANY +ED' queries
On 23/07/12 13:07, Marek Salwerowicz wrote:
> Hi all,
>
> I am new subscriber of your list. I browsed the archive but didn't find answer/hint for my problem.
>
> I am running (at FreeBSD 9.1-PRERELEASE) public caching DNS server. Since about 2 months I've been receiving lot of (DNS flood attack?) queries like:
>
>   23-Jul-2012 14:03:28.813 queries: info: client 96.44.152.125#53: view external: query: ripe.net IN ANY +ED (my.dns.server.ip)
>
> What I made now, is just to parse logs and block IPs that ask for ripe.net via ipfw. But is there any other solutions for that permanent attacks?

This is getting to be an FAQ. It's a source-spoofed amplification attack. See the list archives for discussion, including links to a patch for bind with per-client rate-limiting.
Re: lot of 'ripe.net IN ANY +ED' queries
On Mon, Jul 23, 2012 at 02:07:51PM +0200, Marek Salwerowicz marek_...@wp.pl wrote a message of 30 lines which said:

> What I made now, is just to parse logs and block IPs that ask for ripe.net via ipfw.

As mentioned by Phil Mayers, the source IP address is forged. By blocking this IP, you strike the victim.

> But is there any other solutions for that permanent attacks?

The operators of F-root use this on their FreeBSD machines to rate-limit per source IP:

  add pipe 1 udp from any to any 53 in
  pipe 1 config mask src-ip 0x buckets 1024 bw 400Kbit/s queue 3
  add pipe 2 tcp from any to any 53 in
  pipe 2 config mask src-ip 0x buckets 1024 bw 100Kbit/s queue 3
Re: lot of 'ripe.net IN ANY +ED' queries
On 2012-07-23 14:33, Stephane Bortzmeyer wrote:
>> But is there any other solutions for that permanent attacks?
>
> The operators of F-root use this on their FreeBSD machines to rate-limit per source IP:
>
>   add pipe 1 udp from any to any 53 in
>   pipe 1 config mask src-ip 0x buckets 1024 bw 400Kbit/s queue 3
>   add pipe 2 tcp from any to any 53 in
>   pipe 2 config mask src-ip 0x buckets 1024 bw 100Kbit/s queue 3

It looks nice, as I can now block the traffic on my firewall instead of on the DNS server. Thanks.

BTW - is this attack any new kind of virus/spyware or sth?

-- 
Marek Salwerowicz
Re: lot of 'ripe.net IN ANY +ED' queries
On Mon, Jul 23, 2012 at 03:09:35PM +0200, Marek Salwerowicz marek_...@wp.pl wrote a message of 18 lines which said:

> BTW - is this attack any new kind of virus/spyware or sth ?

Not every security problem on the Internet is a virus. And I do not see why spyware would want to DoS people. There are apparently different attackers, and the specifics of the attack vary a lot. Let's say it is now a recognized weapon in the typical bad guy's toolbox (it has been theoretically known for many years but was widely adopted only last November/December, when the number of reports suddenly increased).
Re: lot of 'ripe.net IN ANY +ED' queries
On 23.7.2012 15:09, Marek Salwerowicz wrote:
> BTW - is this attack any new kind of virus/spyware or sth ?

Actually, I think these queries to ripe.net ANY with EDNS0 are caused by some common malware. My servers are receiving these from time to time, and complaining to the person responsible for the source IP address is enough to stop it. So in this case, the source address is probably not spoofed. The only question is: why is the malware doing it?

I use Linux netfilter's hashlimit target to limit queries to a reasonable rate, with a special lower rate for ANY-type queries. I use this iptables matcher to identify the incoming query type: https://github.com/oskar456/xt_dns

Cheers,
Ondřej Caletka, CESNET, z.s.p.o.
http://www.ces.net
Re: lot of 'ripe.net IN ANY +ED' queries
On Mon, Jul 23, 2012 at 04:42:11PM +0200, Ondřej Caletka ondrej.cale...@cesnet.cz wrote a message of 159 lines which said:

> I use this iptables matcher to identify incoming query type: https://github.com/oskar456/xt_dns

Buggy. It parses the DNS packet from the end and therefore fails with EDNS packets (which have the OPT resource record at the end).
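The parsing pitfall Stephane describes, shown as an added example (not from the thread and not xt_dns's code): the query type read correctly from the question section, anchored at the 12-byte header, beside a naive read of the last four bytes of the packet. Both run on constructed ripe.net ANY queries, with and without a trailing EDNS0 OPT record; the query builder and the end-of-packet reader are illustrative helpers written for this example.

```python
import struct

QTYPE_ANY, RRTYPE_OPT = 255, 41

def build_query(qname, qtype, edns=True, txid=0x1234):
    """Build a DNS query in wire format (constructed test input, not a capture).
    With edns=True an OPT pseudo-RR (type 41, DO bit set) is appended in the
    additional section, exactly where EDNS0 clients put it: at the end."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    # id, flags (RD), qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)
    # OPT: root name, type 41, "class" = UDP payload size 4096,
    # "ttl" = ext-rcode/version/flags with DO set (0x8000), rdlength 0
    opt = b"\x00" + struct.pack(">HHIH", RRTYPE_OPT, 4096, 0x8000, 0) if edns else b""
    return header + question + opt

def skip_name(msg, off):
    """Offset just past the domain name at off; handles compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def question_qtype(msg):
    """QTYPE read from the question section, anchored at the header. This is
    robust to whatever follows the question (OPT, TSIG, ...)."""
    if len(msg) < 12:
        return None
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount < 1:
        return None
    off = skip_name(msg, 12)
    return struct.unpack(">H", msg[off:off + 2])[0]

def qtype_from_packet_end(msg):
    """Naive shortcut: treat the last four bytes as QTYPE/QCLASS. Correct only
    when the question is the final thing in the packet; with an OPT RR present
    it returns part of the OPT header instead. Illustrative only."""
    return struct.unpack(">HH", msg[-4:])[0]

if __name__ == "__main__":
    for edns in (False, True):
        q = build_query("ripe.net", QTYPE_ANY, edns=edns)
        print(f"edns={edns}: header-anchored={question_qtype(q)} from-end={qtype_from_packet_end(q)}")
```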
Re: lot of 'ripe.net IN ANY +ED' queries
On Mon, 23 Jul 2012, Stephane Bortzmeyer wrote:
> The operators of F-root use this on their FreeBSD machines to rate-limit per source IP:
>
>   add pipe 1 udp from any to any 53 in
>   pipe 1 config mask src-ip 0x buckets 1024 bw 400Kbit/s queue 3
>   add pipe 2 tcp from any to any 53 in
>   pipe 2 config mask src-ip 0x buckets 1024 bw 100Kbit/s queue 3

But that will totally ruin djb's claim that dnssec is the cause of the Internet meltdown!

Paul