Security Incidents mailing list archives

Re: Attempted DNS queries.


From: Mark Lastdrager <mark () PINE NL>
Date: Sun, 25 Mar 2001 18:56:14 +0200

At Sun, 25 Mar 2001, Incidents Mailing List wrote:

Hello,

My bind is configured to only reply to queries which refer to the zones which
are under my control. I've been receiving a curiously large number of queries
to the "." domain from hosts which I have never seen before.
A more peculiar thing is that many of the offending hosts run ssh
and https alone. Following are the log entries for some of the denied queries:
Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "
Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.10].55501 for "
Mar 19 06:01:25 linux named[24032]: denied query from [216.33.87.10].55639 for "
Mar 19 06:03:06 linux named[24032]: denied query from [216.33.87.10].55692 for "
Mar 19 06:06:11 linux named[24032]: denied query from [216.33.87.9].56046 for ".
Mar 24 19:09:39 linux named[24032]: denied query from [63.209.29.136].20196 for
.........
This goes on. I've been able to identify at least nine unique hosts which
attempted these queries: 167.8.29.52, 206.251.19.88, 209.67.29.8, 216.33.87.8,
216.33.87.10, 63.209.29.136, 208.185.109.155, 167.8.29.91 and 64.14.77.2.
Results of the portscan against these hosts can be found at:
http://192.117.130.34/Fendor/bind-scan-results
Any ideas as to the nature of these queries and the strange pattern which
these hosts exhibit?

You're being used by kiddies to DOS other kiddies (at least, they try to
use you). The trick here is they send your nameserver a query from a
spoofed address (the address of the victim) asking for the "." zone. So
with a small question they send a large answer to the victim. See
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos

The offending hosts in your case are the victims of the DOS attacks.

Mark Lastdrager

--
Pine Internet BV ::  tel. +31-70-3111010 ::  fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: SCSI Chain overterminated
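The pattern Mark describes (bursts of denied "." queries whose source is really a spoofed victim) can be picked out of the named log automatically. The following is an added example, not code from the thread; it assumes the queried name is logged in quotes after "for" (the archive truncated it) and that the syslog year is 2001, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 8 "denied query" line as quoted in the thread; the qname after "for"
# is assumed to be logged in double quotes.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: '
    r'denied query from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]*)"'
)

# Constructed sample lines modelled on the post, not copied from the archive.
SAMPLE_LOG = """\
Mar 19 05:34:18 linux named[24032]: denied query from [216.33.87.10].54947 for "."
Mar 19 05:34:19 linux named[24032]: denied query from [216.33.87.10].54948 for "."
Mar 19 05:34:21 linux named[24032]: denied query from [216.33.87.10].54950 for "."
Mar 19 05:55:42 linux named[24032]: denied query from [216.33.87.9].55501 for "."
Mar 19 06:01:25 linux named[24032]: denied query from [63.209.29.136].20196 for "."
Mar 19 06:02:00 linux named[24032]: denied query from [10.0.0.7].1025 for "example.com"
"""

def parse_denied(lines, year=2001):
    """Yield (timestamp, source_ip, qname) for every line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["qname"]

def root_query_bursts(lines, min_count=3, window_s=60):
    """Return {source_ip: total} for sources with at least min_count denied
    "." queries inside any window_s-second window. Because the queries carry a
    spoofed source, a flagged address is the probable reflection *victim*,
    so it belongs on a notify list, not a blocklist."""
    per_src = defaultdict(list)
    for ts, src, qname in parse_denied(lines):
        if qname == ".":
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if (times[i + min_count - 1] - times[i]).total_seconds() <= window_s:
                flagged[src] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for src, n in root_query_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} denied '.' queries (probable spoofed victim)")
```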

