# dns recursion/amplification attacks

## bunder

anyone remember those DNS recursion attacks mentioned a few months ago?  my network is being hammered by three servers on ISPrime...  at first it was one server, then i blocked it... and then i started getting bombed by two more on a different network also owned by ISPrime.

 *Quote:*   

> Jan 18 10:43:08 internal2 named[15414]: client 76.9.16.171#23672: query (cache) './NS/IN' denied

 

 *Quote:*   

> Jan 20 10:57:29 internal2 named[15414]: client 66.230.160.1#26242: query (cache) './NS/IN' denied
> 
> Jan 20 10:57:30 internal2 named[15414]: client 66.230.128.15#16886: query (cache) './NS/IN' denied

 

since i blocked the second group (coincidentally they fall under one cidr range), they have been hammering my firewall with (what i'm assuming is) the same crap they were pelting my DNS server with...

 *Quote:*   

> IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=48 ID=45945 PROTO=UDP SPT=20735 DPT=53 LEN=25
> 
> IN=eth2 OUT=eth1 SRC=66.230.128.15 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=47 ID=39060 PROTO=UDP SPT=20161 DPT=53 LEN=25
> 
> IN=eth2 OUT=eth1 SRC=66.230.160.1 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=47 ID=56296 PROTO=UDP SPT=63917 DPT=53 LEN=25
> ...

 

i've already emailed their abuse department without reply.   :Confused: 

i realize that these exploits might not originate from their networks, that those servers may be merely relaying the packets to my server...

all that said, has anyone else experienced these attacks via this company?  anything i can do besides block them?

thanks

----------

## bunder

great... i'm not alone... 

http://isc.sans.org/diary.html?storyid=5713

edit: i'm asking my isp to temporarily block these networks upstream.

----------

## bunder

so i finally get an email back from my ISP...

 *Quote:*   

> Hi Chris
> 
> Actually those IPs are spoofed as someone, somewhere is performing a DNS Amplification attack ( http://www.securiteam.com/securityreviews/5GP0L00I0W.html ) aimed at ISPrime who holds the IPs you've listed. You can visit the following NANOG thread for further info and official communication from ISPrime abuse dept ( http://www.merit.edu/mail.archives/nanog/msg14429.html )
> 
> That said, I've asked our DNS admin to investigate alternate mitigation steps asap. If your organization is running a caching DNS server I recommend you turn off recursion if you have not already done so.
> ...

 

1) DUHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!

2) i did that ages ago (not that my server caches anything, it's authoritative for 3 domains, and recursive for two internal LANs)... that's more than i can say about my ISP's DNS servers... to this date, they are still globally recursive.   :Rolling Eyes: 

----------

## scherz0

Seems that the attack is going on at the same rate (one query every 2 seconds on each server), and still directed to the same 3 addresses.  Strange thing...

 *Quote:*   

> If your organization is running a caching DNS server I recommend you turn off recursion if you have not already done so.

 

Uh ??? what would be a non-recursive caching server   :Confused: 
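The ISP's advice comes up twice above: bunder runs a server that is authoritative for a few domains and recursive only for two internal LANs, and scherz0 asks what a non-recursive caching server would even be. The following named.conf fragment is an added example, not configuration posted by anyone in this thread; the ACL ranges, zone name and file paths are placeholders. It shows the weak form (recursion on for everyone, which is what makes a server usable as an amplifier) next to the split-view form that answers the question: the "external" view answers only for the zones it is authoritative for and has no cache access, so a root-NS lookup from the Internet is refused, which is exactly the `view external: query (cache) './NS/IN' denied` line Stolz greps for below.

```conf
// Hypothetical named.conf fragment (added example, not from the thread).
// Address ranges, zone name and paths are placeholders.

acl "internal" {
    127.0.0.1;
    192.168.1.0/24;     // placeholder: first internal LAN
    192.168.2.0/24;     // placeholder: second internal LAN
};

options {
    directory "/var/named";   // placeholder path
    // Weak setting: with only this, anyone on the Internet may use the
    // server as a resolver (and as an amplifier for spoofed queries):
    //   recursion yes;
    // with no allow-recursion / allow-query-cache restriction.
};

// Internal view: full resolver service, but only for the LANs.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };
    zone "example.com" {                // placeholder zone
        type master;
        file "example.com.zone";        // placeholder file
    };
};

// External view: authoritative answers only. No recursion, no cache access,
// so a './NS/IN' query from outside is logged as
//   "view external: query (cache) './NS/IN' denied"
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };
    zone "example.com" {                // same placeholder zone, public data
        type master;
        file "example.com.zone";
    };
};
```

With views in use every zone has to be declared inside a view, which is why the authoritative zone appears in both. The refusal still sends a small REFUSED reply to the (spoofed) source address; only a firewall drop in front of the server, as bunder did, stops that packet as well.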

----------

## bunder

yeah, they are still pounding my firewall too.   :Crying or Very sad: 

----------

## bunder

how's this for a good morning?

 *Quote:*   

> <snip>
> 
> Jan 23 06:53:57 internal2 named[9564]: client 63.217.28.226#61334: query (cache) './NS/IN' denied
> 
> Jan 23 06:53:58 internal2 named[9564]: client 63.217.28.226#29712: query (cache) './NS/IN' denied
> ...

 

this one is owned by "beyond the network inc", another american company.

----------

## scherz0

Same here, and now almost nothing "from" the first three addresses.

Quite harmless for the dns servers however, so I may stop updating my firewalls and just filter these "NS ." requests out from the dns logs.

----------

## bunder

so now it hits slashdot, and they're talking like this is netsol's problem...   :Rolling Eyes: 

what happened to isprime?  they "started" this thing...  and what about everyone else's dns servers?  chopped liver anyone?   :Shocked: 

----------

## bunder

add another one to the list...

 *Quote:*   

> Jan 24 14:49:13 internal2 named[9564]: client 206.71.158.30#5092: query (cache) './NS/IN' denied
> 
> Jan 24 14:49:13 internal2 named[9564]: client 206.71.158.30#20593: query (cache) './NS/IN' denied
> 
> Jan 24 14:49:15 internal2 named[9564]: client 206.71.158.30#14597: query (cache) './NS/IN' denied
> ...

 

i also saw this one this morning too...  almost didn't catch it.   :Confused: 

 *Quote:*   

> Jan 24 15:06:29 internal2 named[9564]: client 66.238.93.161#38858: query (cache) './NS/IN' denied

 

----------

## bunder

and 67.192.144.0, some rackspace box.

 *Quote:*   

> Jan 27 07:48:26 internal2 named[9564]: client 67.192.144.0#33313: query (cache) './NS/IN' denied

 

----------

## Stolz

 *bunder wrote:*   

> great... i'm not alone... 

 

No, you are not alone. This comes from one of my servers in Spain:

```
# grep "view external: query (cache) './NS/IN' denied" /var/log/messages |  wc -l
30000
```

```
# grep "view external: query (cache) './NS/IN' denied" /var/log/messages | cut -d " " -f 7 | sort | uniq | cut -d "#" -f 1 | sort | uniq
204.11.51.59
204.11.51.60
204.11.51.61
208.37.177.61
208.37.177.62
208.78.169.234
208.78.169.235
208.78.169.236
209.123.8.64
63.217.28.226
66.230.160.1
67.192.144.0
76.9.16.171
```

Right now I'm working on a rule to have these IPs banned using fail2ban.
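Both bunder's first post (named refusals followed by iptables drops) and Stolz's grep pipeline above amount to the same triage: pull the source address out of each line and count. The script below is an added example, not code from anyone in the thread; it parses the two log formats quoted above and reports, per source, how many root-NS lookups were refused, how many UDP/53 packets the firewall dropped, how many distinct source ports were seen, and the query rate (scherz0's "one query every 2 seconds"). The log lines are constructed to match the quoted formats and use RFC 5737 documentation addresses. Since the ISP's reply says these sources are spoofed, a high count identifies the reflection victim rather than the attacker; the list is useful for a log filter or a temporary drop rule, but the mitigation that matters is restricting recursion.

```python
"""Triage of refused './NS/IN' queries in BIND and port-53 drops in iptables logs.

Added example; the sample log lines are constructed to match the formats
quoted in the thread, using RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# BIND refusal line, with an optional "view <name>:" component (as in Stolz's logs).
NAMED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<src>[\d.]+)#(?P<sport>\d+):(?: view (?P<view>\S+):)? "
    r"query \(cache\) '(?P<qname>[^']*)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)
# netfilter LOG output is key=value pairs; only the keys needed here are captured.
IPT_RE = re.compile(r"\b(?P<k>IN|OUT|SRC|DST|PROTO|SPT|DPT)=(?P<v>\S*)")

def parse_named(line):
    """Return the fields of a named 'query (cache) ... denied' line, or None."""
    m = NAMED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    return fields

def parse_iptables(line):
    """Return the IN/OUT/SRC/DST/PROTO/SPT/DPT fields of an iptables LOG line, or None."""
    fields = dict(IPT_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields

def is_root_ns_probe(fields):
    """True for the './NS/IN' lookups the thread is about."""
    return fields["qname"] == "." and fields["qtype"] == "NS"

def summarize(lines):
    """Per source: refused root-NS queries, UDP/53 firewall drops, source ports seen."""
    named_hits = Counter()
    fw_hits = Counter()
    sports = defaultdict(set)
    for line in lines:
        n = parse_named(line)
        if n is not None:
            if is_root_ns_probe(n):
                named_hits[n["src"]] += 1
                sports[n["src"]].add(n["sport"])
            continue
        f = parse_iptables(line)
        if f is not None and f["PROTO"] == "UDP" and f.get("DPT") == "53":
            fw_hits[f["SRC"]] += 1
    return named_hits, fw_hits, sports

def query_rate(lines):
    """Refused root-NS queries per second per source, over that source's first..last line."""
    stamps = defaultdict(list)
    for line in lines:
        n = parse_named(line)
        if n is not None and is_root_ns_probe(n):
            # syslog timestamps carry no year; differences within one run are still valid
            stamps[n["src"]].append(datetime.strptime(n["ts"], "%b %d %H:%M:%S"))
    rates = {}
    for src, seen in stamps.items():
        span = (max(seen) - min(seen)).total_seconds()
        rates[src] = (len(seen) - 1) / span if span > 0 else float(len(seen))
    return rates

# Constructed sample: three refusals from one source (one through a view), one from
# another, an unrelated refusal, two UDP/53 firewall drops and an unrelated TCP drop.
SAMPLE_LOG = """\
Jan 18 10:43:08 internal2 named[15414]: client 198.51.100.7#23672: query (cache) './NS/IN' denied
Jan 18 10:43:10 internal2 named[15414]: client 198.51.100.7#41002: query (cache) './NS/IN' denied
Jan 18 10:43:12 internal2 named[15414]: client 198.51.100.7#5092: view external: query (cache) './NS/IN' denied
Jan 18 10:43:12 internal2 named[15414]: client 203.0.113.9#16886: query (cache) './NS/IN' denied
Jan 18 10:43:13 internal2 named[15414]: client 192.0.2.44#5353: query (cache) 'www.example.com/A/IN' denied
IN=eth2 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=48 ID=45945 PROTO=UDP SPT=20735 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.11 LEN=45 TOS=0x00 PREC=0x00 TTL=47 ID=39060 PROTO=UDP SPT=20161 DPT=53 LEN=25
IN=eth2 OUT=eth1 SRC=192.0.2.200 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=40000 DPT=22
""".splitlines()

if __name__ == "__main__":
    named_hits, fw_hits, sports = summarize(SAMPLE_LOG)
    rates = query_rate(SAMPLE_LOG)
    print(f"{'source':<16}{'refused':>8}{'fw drops':>10}{'ports':>7}{'q/s':>7}")
    for src, n in named_hits.most_common():
        print(f"{src:<16}{n:>8}{fw_hits[src]:>10}{len(sports[src]):>7}{rates[src]:>7.2f}")
```

To run it against a real host, replace `SAMPLE_LOG` with the lines of `/var/log/messages` (or wherever named and the kernel log go); the named regex accepts both the plain and the `view <name>:` form, so it covers every log quoted in this thread.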

----------

## bunder

got another one...

64.57.246.146 - 4t networks

----------

## bunder

70.86.80.98 - theplanet

----------

## bunder

goooooooooood morning.   :Rolling Eyes: 

72.249.127.168 - networld internet services

72.20.3.82 - staminus communications

69.64.87.156 - abacus international

----------

## bunder

208.76.253.253 - something called "Scam Fraud Alert", a "Colocation America Corp." box.

----------

## bunder

i really hope this doesn't become a daily occurrence.    :Rolling Eyes: 

65.23.129.220 - datarealm internet services

64.27.1.194 - hollywood interactive inc

----------

## bunder

my first non-american host...

89.149.221.182 - netdirekt (some german hosting provider)

----------

## bunder

just when i thought this was over with, we get another one.

195.68.176.4 - orlan telecom russia

----------

## bunder

oy vey.   :Confused: 

59.151.50.247 + 59.151.50.248 - abitcool china

63.245.209.126 + 63.245.213.124 - mozilla?

----------

## bunder

after many months, they have returned.   :Sad: 

64.92.236.215, 144.198.191.14 - macrovision

63.245.209.126, 63.245.213.10, 63.245.213.101, 63.245.213.102, 63.245.213.102, 63.245.213.124 - mozilla (again)

started around 9PM until i caught it just now.  all ranges blocked (mozilla temporarily).

----------

## bunder

213.61.92.192 - asus germany

----------

## aricart

I've never had to play admin on a box that's connected to anything other than my local network. However, I do use snortsam on my workstations. Could something like that help?

----------

