Security Incidents mailing list archives
Re: Attempted DNS queries.
From: Mark Lastdrager <mark () PINE NL>
Date: Sun, 25 Mar 2001 18:56:14 +0200
At Sun, 25 Mar 2001, Incidents Mailing List wrote:
Hello,

My bind is configured to only reply to queries which refer to the zones which are under my control. I've been receiving a curiously large number of queries to the "." domain from hosts which I have never seen before. A more peculiar thing is that many of the offending hosts run ssh and https alone. Following are the log entries for some of the denied queries:

Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "
Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.10].55501 for "
Mar 19 06:01:25 linux named[24032]: denied query from [216.33.87.10].55639 for "
Mar 19 06:03:06 linux named[24032]: denied query from [216.33.87.10].55692 for "
Mar 19 06:06:11 linux named[24032]: denied query from [216.33.87.9].56046 for ".
Mar 24 19:09:39 linux named[24032]: denied query from [63.209.29.136].20196 for .........

This goes on. I've been able to identify at least nine unique hosts which attempted these queries: 167.8.29.52, 206.251.19.88, 209.67.29.8, 216.33.87.8, 216.33.87.10, 63.209.29.136, 208.185.109.155, 167.8.29.91 and 64.14.77.2.

Results of the portscan against these hosts can be found at: http://192.117.130.34/Fendor/bind-scan-results

Any ideas as to the nature of these queries and the strange pattern which these hosts exhibit?
You're being used by kiddies to DOS other kiddies (at least, they try to use you). The trick here is they send your nameserver a query from a spoofed address (the address of the victim) asking for the "." zone. So with a small question they send a large answer to the victim. See ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos

The offending hosts in your case are the victims of the DOS attacks.

Mark Lastdrager
--
Pine Internet BV :: tel. +31-70-3111010 :: fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: SCSI Chain overterminated
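As an added illustration of the point made in this reply (not code from either poster), the following script parses BIND "denied query" log lines of the shape shown in the original post and groups them by source address and queried zone. A non-recursive, authoritative-only server that keeps seeing "." queries from the same addresses over many source ports is most likely being used as a reflector, and the addresses in the log are then the spoofed victims, not the attackers. The log lines in the original post are truncated after `for "`, so the sample below is constructed: the addresses and timestamps are the ones from the post, while the trailing zone name (`"."`) and the last, unrelated entry are filled in for illustration. The threshold `min_queries` is an assumption chosen for the sample, not a value from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the BIND log format quoted in the thread.  Addresses and
# timestamps come from the post; the zone names and the final line are filled in.
SAMPLE_LOG = """\
Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "."
Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.10].55501 for "."
Mar 19 06:01:25 linux named[24032]: denied query from [216.33.87.10].55639 for "."
Mar 19 06:03:06 linux named[24032]: denied query from [216.33.87.10].55692 for "."
Mar 19 06:06:11 linux named[24032]: denied query from [216.33.87.9].56046 for "."
Mar 24 19:09:39 linux named[24032]: denied query from [63.209.29.136].20196 for "."
Mar 24 19:10:01 linux named[24032]: denied query from [10.0.0.5].1234 for "example.net"
"""

# Matches: denied query from [<ip>].<port> for "<zone>"
DENIED_RE = re.compile(
    r'denied query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]*)"'
)


def parse_denied(log_text):
    """Yield (ip, port, zone) for each denied-query line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port")), m.group("zone")


def root_query_sources(log_text):
    """Per source address, count denied queries for the root zone "." and the number of
    distinct source ports seen.  Returns {ip: (query_count, distinct_ports)}."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for ip, port, zone in parse_denied(log_text):
        if zone == ".":
            counts[ip] += 1
            ports[ip].add(port)
    return {ip: (counts[ip], len(ports[ip])) for ip in counts}


def likely_reflection_victims(log_text, min_queries=2):
    """Addresses that repeatedly ask an authoritative-only server for "." .

    As the reply explains, an attacker after amplification forges the victim's
    address, so the 'offending' address in the log is where the large answers
    would have been sent.  These are the hosts worth notifying, not blocking.
    min_queries is an assumed threshold for this sample."""
    stats = root_query_sources(log_text)
    return sorted(ip for ip, (n, _ports) in stats.items() if n >= min_queries)


if __name__ == "__main__":
    for ip, (n, nports) in sorted(root_query_sources(SAMPLE_LOG).items()):
        print(f"{ip:16} root-zone queries={n} distinct ports={nports}")
    print("likely spoofed victims:", likely_reflection_victims(SAMPLE_LOG))
```

Run against a real `named` log the per-address counts separate genuine misdirected clients (a handful of queries for a named zone) from reflection traffic (many "." queries from one address across many ports); the host at 10.0.0.5 in the sample never appears in the root-zone tally for that reason.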
Current thread:
- Attempted DNS queries. Yotam Rubin (Mar 25)
- Re: Attempted DNS queries. Mark Lastdrager (Mar 25)
- <Possible follow-ups>
- Re: Attempted DNS queries. Alfred Huger (Mar 25)