I am seeing a somewhat similar problem with my name server. It is configured not to recurse queries except for our network. Since I enabled this feature, I noticed we receive numerous requests from unauthorized hosts. It seems all the unauthorized queries are MX requests for AOL.COM. Here's a sample rejection log:

25-Apr-2000 12:21:48.647 security: unapproved recursive query from [212.5.135.39].2091 for aol.com

and below the number of hits for the last 4 days. Notice the 250,000 requests from 212.5.135.39. That's really abusive and I have blackholed 212.5.128/19 for the moment.

  1424 192.92.129.3
  1332 193.200.17.87
   516 193.68.3.250
   399 208.226.167.19
    70 212.5.133.129
   635 212.5.135.16
250292 212.5.135.39
    57 212.5.139.65
  1286 212.5.159.42
    28 212.5.159.53
    71 212.56.18.66
    58 212.91.173.60
  1992 63.192.247.53

Now I do not understand why we are getting those hits. Our nameserver (207.153.200.35) is not an aol.com secondary and has never been.

Does anyone have a clue?

JP
JP Donnio wrote:

> I am seeing a somewhat similar problem with my name server. It is configured not to recurse queries except for our network. Since I enabled this feature, I noticed we receive numerous requests from unauthorized hosts. It seems all the unauthorized queries are MX requests for AOL.COM. Here's a sample rejection log:
>
> 25-Apr-2000 12:21:48.647 security: unapproved recursive query from [212.5.135.39].2091 for aol.com
>
> ...
>
> Now I do not understand why we are getting those hits. Our nameserver (207.153.200.35) is not an aol.com secondary and has never been.
>
> Does anyone have a clue?
We have had several reports of similar activity this year, and a recent increase in reports. The leading theory is that this is a signature of a denial of service attack. The general idea is that a DNS query is sent via UDP to an intermediate nameserver using a spoofed source address. The nameserver's reply is directed to the spoofed address, which in the DoS attack, is the victim. The size of the response can be greater than the size of the request, which causes packet amplification. The degree of amplification depends on the size of the query, the recursive nature of the nameserver, and the size of the answer. Where recursion is turned off, there is still a 'rejected' message sent, and the reject is typically logged.

We've seen this technique used in a distributed fashion, with multiple nameservers receiving queries from similar forged source addresses.

The DoS method described here is a known issue. AusCERT published an advisory in August 1999 that may be of interest.

ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos

Regards,
Kevin

-- 
Kevin Houle
CERT Coordination Center
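The manual tally in the first message (count rejections per source over a few days, then act on the top talker) is easy to automate, and the reflection theory in the reply changes how the result should be read: if the source addresses are forged, the address with 250,000 rejections is the likely victim of the reflected replies rather than the machine sending them, so a blackhole on that prefix blocks the victim, not the attacker. The script below is an added example, not code from either poster or from BIND; it parses the BIND 8 "security: unapproved recursive query" lines in the format shown above, aggregates them by source, query name and prefix, and reports sources over a chosen threshold as suspected reflection targets. The log lines are constructed samples, the threshold is an assumed tuning value, and the /19 from the first message is written as 212.5.128.0/19 because the ipaddress module needs a full address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the BIND 8 "security:" format quoted in the thread.
SAMPLE_LOG = """\
25-Apr-2000 12:21:48.647 security: unapproved recursive query from [212.5.135.39].2091 for aol.com
25-Apr-2000 12:21:48.912 security: unapproved recursive query from [212.5.135.39].2092 for aol.com
25-Apr-2000 12:21:49.103 security: unapproved recursive query from [63.192.247.53].1044 for aol.com
25-Apr-2000 12:21:50.500 security: unapproved recursive query from [212.5.135.39].2093 for aol.com
25-Apr-2000 12:21:51.020 security: unapproved recursive query from [192.92.129.3].53 for example.net
25-Apr-2000 12:21:51.400 some other daemon line that must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) security: unapproved recursive query from "
    r"\[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for (?P<qname>\S+)$"
)


def parse_rejections(text):
    """Yield (timestamp, source_ip, source_port, qname) per rejection line.

    Lines that do not match the rejection format are skipped rather than
    raising, so the parser can be fed a mixed syslog stream.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["ip"], int(m["port"]), m["qname"].lower()


def count_by_source(text):
    """Rejections per source address: the tally the first message built by hand."""
    return Counter(ip for _, ip, _, _ in parse_rejections(text))


def count_by_name(text):
    """Rejections per queried name; a single dominant name is a reflection hint."""
    return Counter(q for _, _, _, q in parse_rejections(text))


def count_by_prefix(text, prefixlen=24):
    """Rejections aggregated per network prefix, e.g. prefixlen=19 for a /19."""
    tally = Counter()
    for _, ip, _, _ in parse_rejections(text):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        tally[str(net)] += 1
    return tally


def suspected_reflection_targets(text, threshold):
    """Sources at or above threshold, sorted by address.

    Under the reflection theory these addresses are spoofed: the replies the
    server sends back (even REFUSED-style rejections) land on them, so they
    are candidate victims to notify, not hosts to assume are hostile.
    """
    return sorted((ip, n) for ip, n in count_by_source(text).items() if n >= threshold)


def in_blackhole(ip, prefix):
    """True if ip falls inside a null-routed prefix such as 212.5.128.0/19."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


if __name__ == "__main__":
    # threshold=3 is an assumed value chosen for the constructed sample
    for ip, n in suspected_reflection_targets(SAMPLE_LOG, threshold=3):
        print(f"{n:>8} {ip}  (likely spoofed; reply traffic lands here)")
    print("by name  :", dict(count_by_name(SAMPLE_LOG)))
    print("by /19   :", dict(count_by_prefix(SAMPLE_LOG, 19)))
    print("blackholed?", in_blackhole("212.5.135.39", "212.5.128.0/19"))
```

Run it against a real BIND log by replacing SAMPLE_LOG with the file contents; the prefix view is what shows whether a single /19 dominates, as it did in the first message, and the per-name view shows whether one query (here aol.com) accounts for almost all rejections, which is the pattern the reply associates with a reflected denial of service rather than with misconfigured clients.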