Re: Named requests filling up T1
Thanks, I think that's what I was looking for. I expect the ISP is in another country somewhere and would be hard to reach, if they could be reached at all. And it's probably a bad reference somewhere to the server here, so shutting off recursive queries could help... If I shut named off for an hour or two they go away, so I'm guessing the offending server switches to the secondary and gets what it's looking for?

Thanks!

Mike Silbersack wrote:
>> Thanks Matt,
>>
>> The answer to both is no. The domain doesn't resolve either (v.tn.co.za). It looks like the source IP changes too... sigh. I tried a whois on the source IP and it was not found, so it may be spoofed? Or someone has a very messed up server...
>
> There was a thread on bugtraq about this, you're either being attacked or are being used to attack someone else. Reconfigure BIND so that it ignores recursive queries originating from outside your network - at least that will save your outbound bandwidth.
>
> Mike "Silby" Silbersack

--
Steve Suhre
[EMAIL PROTECTED]
719.439.6052 Cell
719.632.2897 Home

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Named requests filling up T1
Steve Suhre wrote:
> Thanks, I think that's what I was looking for. I expect the ISP is in another country somewhere and would be hard to reach, if they could be reached at all. And it's probably a bad reference somewhere to the server here, so shutting off recursive queries could help... If I shut named off for an hour or two they go away, so I'm guessing the offending server switches to the secondary and gets what it's looking for?

In any case you should only allow recursive queries for your trusted clients and/or downstream nameservers which forward to you. Otherwise

a) you produce outgoing traffic when some stranger wants to
b) your DNS cache can easily be poisoned because of a)

cheers
simon
Re: Named requests filling up T1
Then complain to their ISP. That has solved most problems for me, and in any case it'll stop or you know it's your problem and not theirs. If you can query your domain by switching your default nameservers to your machine's default NS, and not see any debug messages, you should be fine and complain away. That's only if you are using the same .host files in question, then you should have a fine test bed. Otherwise, I'd do a passive scan on their IPs and identify the OS in question, and test it before I complain.

.01 cents
P

On 1/16/06, Steve Suhre <[EMAIL PROTECTED]> wrote:
>> Looks like someone is spamming your DNS server with queries. Two questions:
>>
>> 1) Is v.tn.co.za a domain that you are authoritative for?
>> 2) Are you an ISP and/or is client 64.18.133.103 authorized to use your DNS server?
>>
>> If the answer to 1) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet. If the answer to 2) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet.
>>
>> Source IP filtering is likely your best option; although it doesn't help with your T1 saturation, it would give whoever is blasting these queries a clue.
>>
>> --
>> Matt Emmerton
>
> Thanks Matt,
>
> The answer to both is no. The domain doesn't resolve either (v.tn.co.za). It looks like the source IP changes too... sigh. I tried a whois on the source IP and it was not found, so it may be spoofed? Or someone has a very messed up server...
>
> --
> Steve Suhre
Named requests filling up T1
Ugh... it's always something.

The T1 here is getting blasted by named requests, any suggestions would be appreciated... I turned on debugging and got the following, lots of them... so many that we're getting 30-50% packet loss across the T1:

16-Jan-2006 18:01:35.795 client @0x87d4800: udprecv
16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: UDP request
16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: using view '_default'
16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: request is not signed
16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: recursion available
16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query
16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query (cache) 'v.tn.co.za/ANY/IN' approved
16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: send
16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: sendto
16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: senddone
16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: next
16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: endrequest

Any suggestion on what it might be and how I might stop it?

--
Steve Suhre
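The debug output in the post above, worked through as an added detection example that is not part of the thread. The pattern worth recognising in those lines is "recursion available" followed by "query (cache) 'v.tn.co.za/ANY/IN' approved": the server is recursing on behalf of an arbitrary Internet client, for a name it is not authoritative for, with QTYPE=ANY (the query type whose answer is largest relative to the request). A high-volume stream of such queries, with a source address that cannot be looked up and that changes, is what a DNS reflection/amplification flood through an open resolver looks like; the address in the packets is then the victim, not the sender. The script below parses BIND 9 debug-level "approved" lines and flags clients whose traffic fits that profile. The sample log is constructed in the format shown above (not captured traffic); the 192.0.2.10 client, www.example.com, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the "query ... approved" line BIND 9 emits at debug level for each
# request. The surrounding per-request lines (udprecv, send, endrequest, ...)
# carry no query details and are ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \((?P<src>cache|zone)\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' approved$"
)


def parse_queries(lines):
    """Yield (client_ip, source_port, qname, qtype, answer_source) per approved query."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield (m["ip"], int(m["port"]), m["name"].lower().rstrip("."),
                   m["qtype"], m["src"])


def find_floods(lines, min_queries=20, any_share=0.5):
    """Summarise clients whose traffic looks like a reflection/amplification
    flood: many queries, mostly QTYPE=ANY, answered from the cache (so the
    server is recursing for a stranger), concentrated on one name."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "cache": 0,
                                 "ports": set(), "names": Counter()})
    for ip, port, name, qtype, src in parse_queries(lines):
        s = stats[ip]
        s["total"] += 1
        s["any"] += qtype == "ANY"
        s["cache"] += src == "cache"
        s["ports"].add(port)
        s["names"][name] += 1

    floods = {}
    for ip, s in stats.items():
        if s["total"] < min_queries or s["any"] / s["total"] < any_share:
            continue
        top_name, top_count = s["names"].most_common(1)[0]
        floods[ip] = {
            "total": s["total"],
            "any_share": round(s["any"] / s["total"], 2),
            "cache_share": round(s["cache"] / s["total"], 2),
            "distinct_ports": len(s["ports"]),   # a spoofing tool often walks the port
            "top_name": top_name,
            "top_name_share": round(top_count / s["total"], 2),
        }
    return floods


def sample_log():
    """Constructed sample in the format of the debug output quoted in the post
    (not real captured traffic): one client hammering v.tn.co.za/ANY from a
    changing source port, plus an assumed LAN client doing ordinary lookups."""
    lines = [
        "16-Jan-2006 18:01:35.795 client @0x87d4800: udprecv",
        "16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: recursion available",
    ]
    for i in range(40):
        lines.append(
            f"16-Jan-2006 18:01:{35 + i // 10:02d}.{(i % 10) * 100:03d} "
            f"client 64.18.133.103#{5550 + i}: query (cache) 'v.tn.co.za/ANY/IN' approved"
        )
    for i in range(5):
        lines.append(
            f"16-Jan-2006 18:01:40.{i * 100:03d} client 192.0.2.10#40000: "
            f"query (cache) 'www.example.com/A/IN' approved"
        )
    return lines


if __name__ == "__main__":
    for ip, summary in find_floods(sample_log()).items():
        print(ip, summary)
```

On a real box you would feed it the named debug log (or the query log from `rndc querylog`, after adjusting the regex to that format) rather than the constructed sample. Note that a client flagged here is the reflected-onto victim if the source address is spoofed, so the right follow-up is to stop recursing for outsiders and to tell the upstream ISP, not to "block the attacker".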
Re: Named requests filling up T1
> Ugh... it's always something.
>
> The T1 here is getting blasted by named requests, any suggestions would be appreciated... I turned on debugging and got the following, lots of them... so many that we're getting 30-50% packet loss across the T1:
>
> 16-Jan-2006 18:01:35.795 client @0x87d4800: udprecv
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: UDP request
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: using view '_default'
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: request is not signed
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: recursion available
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: query (cache) 'v.tn.co.za/ANY/IN' approved
> 16-Jan-2006 18:01:35.795 client 64.18.133.103#5550: send
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: sendto
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: senddone
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: next
> 16-Jan-2006 18:01:35.796 client 64.18.133.103#5550: endrequest
>
> Any suggestion on what it might be and how I might stop it?

Looks like someone is spamming your DNS server with queries. Two questions:

1) Is v.tn.co.za a domain that you are authoritative for?
2) Are you an ISP and/or is client 64.18.133.103 authorized to use your DNS server?

If the answer to 1) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet. If the answer to 2) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet.

Source IP filtering is likely your best option; although it doesn't help with your T1 saturation, it would give whoever is blasting these queries a clue.

--
Matt Emmerton
Re: Named requests filling up T1
> Looks like someone is spamming your DNS server with queries. Two questions:
>
> 1) Is v.tn.co.za a domain that you are authoritative for?
> 2) Are you an ISP and/or is client 64.18.133.103 authorized to use your DNS server?
>
> If the answer to 1) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet. If the answer to 2) is NO, then there's no reason for these queries to be directed to your DNS server from the Internet.
>
> Source IP filtering is likely your best option; although it doesn't help with your T1 saturation, it would give whoever is blasting these queries a clue.
>
> --
> Matt Emmerton

Thanks Matt,

The answer to both is no. The domain doesn't resolve either (v.tn.co.za). It looks like the source IP changes too... sigh. I tried a whois on the source IP and it was not found, so it may be spoofed? Or someone has a very messed up server...

--
Steve Suhre
Re: Named requests filling up T1
> Thanks Matt,
>
> The answer to both is no. The domain doesn't resolve either (v.tn.co.za). It looks like the source IP changes too... sigh. I tried a whois on the source IP and it was not found, so it may be spoofed? Or someone has a very messed up server...

There was a thread on bugtraq about this, you're either being attacked or are being used to attack someone else. Reconfigure BIND so that it ignores recursive queries originating from outside your network - at least that will save your outbound bandwidth.

Mike "Silby" Silbersack
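The "only recurse for your trusted clients" advice that simon and Mike give above, written out as an added BIND 9 named.conf example; this is not configuration from the thread or from any of the posters. The first fragment is the shape a named.conf commonly had at the time, the second is the hardened form. The directory path, the zone name, and the address ranges (192.0.2.0/24, 198.51.100.53) are placeholders to replace with your own.

```conf
// --- before (weak): no allow-recursion statement ---
// With no allow-recursion, BIND 9.3 and earlier recurses for any client
// that can reach port 53. A stranger, or a spoofed source address, can use
// the server as an open resolver and as an amplifier: a small ANY query
// produces a large answer that is sent wherever the source address says.
options {
        directory "/etc/namedb";       // placeholder path
        recursion yes;
};

zone "example.com" {                   // placeholder for a zone you are authoritative for
        type master;
        file "master/example.com";
};

// --- after (hardened): recursion only for trusted networks ---
acl "trusted" {
        127.0.0.1;
        192.0.2.0/24;                  // placeholder: the LAN behind the T1
        198.51.100.53;                 // placeholder: a downstream nameserver that forwards to you
};

options {
        directory "/etc/namedb";
        recursion yes;
        allow-recursion { trusted; };  // everyone else gets REFUSED on recursive queries
        // BIND 9.4 and later only: also keep cached answers from outsiders,
        // since a non-recursive query can otherwise still read the cache.
        // allow-query-cache { trusted; };
};

// Authoritative zones stay open to the world, as they must. It is recursion
// that is being withheld, not the data you publish.
zone "example.com" {
        type master;
        file "master/example.com";
        allow-query { any; };
};
```

Check the file with `named-checkconf` and apply it with `rndc reload`. Two caveats a practitioner should keep in mind. First, this only shrinks what the server sends back: a REFUSED response is a few dozen bytes where a full ANY answer could be many hundreds, which is the outbound saving Mike refers to; the inbound queries still arrive and still occupy the T1 until the upstream ISP filters them or the sender stops, which is Matt's point about saturation. Second, an ACL keyed on the source address cannot distinguish a spoofed packet from a genuine one when the spoofed address falls inside the trusted range, so pair it with anti-spoofing ingress filtering on the border router (drop packets arriving from the Internet side that claim a source inside your own prefixes).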