Re: Malicious DNS request?

2005-05-17 Thread Brad Knowles
At 8:45 AM +0800 2005-05-18, Joe Shen wrote: I'm sorry if this is JUST to BIND or some other specific software. But, IMHO this is just a sample of requests which only generate NXDOMAIN responses. Do a DNS query for slartibartfastisacharacterinamoviewrittenbydouglasadamsthathasnotgottenverygoo

Re: Malicious DNS request?

2005-05-17 Thread Joe Shen
Paul, I'm sorry if this is JUST to BIND or some other specific software. But, IMHO this is just a sample of requests which only generate NXDOMAIN responses. According to someone's presentation at NANOG ("DNS anomalies and their impact on DNS Cache Server"), such records may be a type of attack.

Re: Malicious DNS request?

2005-05-17 Thread Paul Vixie
[EMAIL PROTECTED] (Joe Shen) writes: > I'm using BIND9.2.5 & BIND9.3.1 on two Solaris boxes, > each box has two CPUs installed. It's found that BIND8.4.6 > running on one CPU could reach the throughput of > BIND9.*.* running on two CPUs. > > Could we improve server throughput or lower the > effe

Re: Malicious DNS request?

2005-05-17 Thread Joe Shen
Sorry to attach the "rndc stats" result. I run "rndc stats" continuously (interval is less than 2 seconds); it shows: success 17950622 referral 225680 nxrrset 1691861 nxdomain 11203490 recursion 3648017 failure 1363923 ... --- Statistics Dump --- (1116319437) +++ Statistic

Re: Malicious DNS request?

2005-05-17 Thread Joe Shen
Hi, thanks for your help. I noticed that the requests for those non-existent domain names disappeared yesterday. But the NXDOMAIN count in named.stats keeps increasing (see attachment). I'm using BIND9.2.5 & BIND9.3.1 on two Solaris boxes, each box has two CPUs installed. It's found that BIND8.4.6 running

Re: Malicious DNS request?

2005-05-15 Thread Bill Stewart
Tunneling IP over DNS - Dan Kaminsky's ozymandns project. One source of really strange DNS packets I've seen is Dan Kaminsky's experiments with tunneling IP over DNS , which he presented at Codecon, Defcon, and other places. Dan has often done Really Twisted Things With Packets, and once you've

Re: Malicious DNS request?

2005-05-12 Thread Brad Knowles
At 11:26 AM -0400 2005-05-12, [EMAIL PROTECTED] wrote: It's often suggested that you have *two* DNS setups - one that only answers requests from inside for recursion and caching, and an authoritative one that faces out and refuses to recurse. The original question from Joe Shen said that a remo

Re: Malicious DNS request?

2005-05-12 Thread Valdis . Kletnieks
On Thu, 12 May 2005 16:43:07 +0200, Brad Knowles said: > At 12:41 PM +0400 2005-05-12, Gadi Evron quoted Joe Shen: > > I'd suggest dropping requests for domains you don't hold. > That's kind of hard to do if you're running a recursive/caching > nameserver. Well.. are you running a recursiv

Re: Malicious DNS request?

2005-05-12 Thread Brad Knowles
At 12:41 PM +0400 2005-05-12, Gadi Evron quoted Joe Shen: How could such requests be filtered, or their effect on the DNS server minimized? Either this is a DDoS (woohoo!! I used the forbidden word) or you are seeing a botnet trying to connect and putting in some smoke-screen while at it to try and

Re: Malicious DNS request?

2005-05-12 Thread Gadi Evron
Joe Shen wrote: > Hi, > > In past days I noticed the nxdomain statistics in > named.stats keep increasing (I run it every 5 min). > > By tcpdump, it's found that a remote computer keeps asking > for addresses for records like > 999d38e693b9e6293b450.0existence.com, > 60d38e693b9e6293b450.0be6c1xfa.net. >

Re: Malicious DNS request?

2005-05-12 Thread Suresh Ramasubramanian
On 5/12/05, Joe Shen <[EMAIL PROTECTED]> wrote: > By tcpdump, it's found that a remote computer keeps asking > for addresses for records like > 999d38e693b9e6293b450.0existence.com, > 60d38e693b9e6293b450.0be6c1xfa.net. > > Is that a virus-affected computer? Sure looks like some kind of massmailer trojan, or

Malicious DNS request?

2005-05-12 Thread Joe Shen
Hi, In past days I noticed the nxdomain statistics in named.stats keep increasing (I run it every 5 min). By tcpdump, it's found that a remote computer keeps asking for addresses for records like 999d38e693b9e6293b450.0existence.com, 60d38e693b9e6293b450.0be6c1xfa.net. Is that a virus-affected computer?