Of the small number of name servers I run, each and every name server has had persistent attacks (I guess) in the form of "(sl): query (cache) 'sl/ANY/IN' denied". These attacks appear to be originating from legitimate ISP resolvers, but the majority of the attacks appear to be drones/malware of sorts. I am assuming the majority of these IPs are spoofed. These attacks appeared to begin in Dec 2020 / Jan 2021, and have persisted up to this writing. The worst of it was in Jan 2021 for me.

Prior to my crafting a firewall rule, log monitoring and triggers, and adding some loose rate limiting (the various *-per-second options), I would see well more than 2500 queries an hour for the sl query from copious amounts of IPs. It probably was much more than that, as it was pegging a single-vCPU VPS that I have to 100% - bad on me for not hardening that particular virtual machine in the first place months ago. The other name servers had similar attacks, but not to the same magnitude by a long shot.

Today, and so far, the VPS above that was originally taking in such a huge amount of sl queries has temporarily blocked 78 unique IPv4 addresses. Every query from each of the IPs has been in the form of:

Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 50.99.83.201#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 50.99.83.201#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:08:56 ns02 named[432]: client @0x7f98c063d430 50.99.83.201#80 (sl): query (cache) 'sl/ANY/IN' denied
[...]
Apr 13 22:44:02 ns02 named[9487]: client @0x7fc8740c7310 46.102.130.246#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:44:02 ns02 named[9487]: client @0x7fc8740c7310 46.102.130.246#80 (sl): query (cache) 'sl/ANY/IN' denied
Apr 13 22:44:04 ns02 named[9487]: client @0x7fc8740c7310 46.102.130.246#80 (sl): query (cache) 'sl/ANY/IN' denied

--Brett
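The "log monitoring and triggers" Brett mentions, written out as an added example (editor's code, not Brett's script and not anything shipped with BIND): it parses named's "query (cache) '<name>/<type>/<class>' denied" lines in the format shown above, counts denied queries of one type per source address inside a sliding window, flags the sources that cross a threshold, and emits an nft command for them. The log lines are constructed with RFC 5737 documentation addresses; the threshold, window length, privileged-port heuristic and the nft set name (assumed to already exist, with a rule dropping port 53 traffic from it) are assumptions, not settings from the thread.

```python
"""Flag sources flooding a BIND server with denied 'sl/ANY/IN' queries.

Added example, not code from the thread. Parses named's denied-query log
lines, counts them per source inside a sliding time window, and reports the
offenders, i.e. the candidates for the temporary block described above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog prefix, then: client @0x... IP#port (qname): query (cache) 'name/type/class' denied
# No trailing anchor: newer BIND versions append a "(reason)" suffix after "denied".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

# Constructed sample log (documentation addresses), not real traffic.
SAMPLE_LOG = [
    "Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied",
    "Apr 13 22:08:55 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied",
    "Apr 13 22:08:56 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied",
    "Apr 13 22:08:57 ns02 named[432]: client @0x7f98c063d430 198.51.100.7#41237 (sl): query (cache) 'sl/ANY/IN' denied",
    "Apr 13 22:08:58 ns02 named[432]: client @0x7f98c063d430 203.0.113.5#53102 (example.com): query (cache) 'example.com/A/IN' denied",
    "Apr 13 22:09:03 ns02 named[432]: client @0x7f98c063d430 192.0.2.10#80 (sl): query (cache) 'sl/ANY/IN' denied",
    "Apr 13 22:09:04 ns02 named[432]: zone example.org/IN: loaded serial 2021041301",
]


def parse_line(line):
    """Return the fields of a denied-query line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; prepend a leap year so "Feb 29" parses.
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "port": int(m["port"]),
            "name": m["name"], "qtype": m["qtype"], "qclass": m["qclass"]}


def is_suspicious_source_port(port):
    """Resolvers send from randomized ephemeral (high) ports; a UDP query
    arriving from a privileged port such as 80 is a crafted-packet signal.
    Heuristic, an assumption of this example."""
    return port < 1024


def find_abusers(lines, qtype="ANY", threshold=3, window_seconds=60):
    """Return {ip: peak count} for sources with at least `threshold` denied
    `qtype` queries inside any `window_seconds` span."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != qtype:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        # Drop timestamps that fell out of the window (oldest first).
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(window))
    return peak


def nft_add_elements(ips, set_name="inet filter dns_abusers"):
    """nft command adding the offenders to an assumed pre-existing set, e.g.
    created with:  nft add set inet filter dns_abusers '{ type ipv4_addr; flags timeout; timeout 1h; }'
    The braces are quoted so the string can be pasted into a shell."""
    return "nft add element %s '{ %s }'" % (set_name, ", ".join(sorted(ips)))


if __name__ == "__main__":
    offenders = find_abusers(SAMPLE_LOG)
    for ip, count in offenders.items():
        print("%s: %d denied ANY queries in window" % (ip, count))
    if offenders:
        print(nft_add_elements(offenders))
```

Feed it `tail -F` output of the named log instead of SAMPLE_LOG to run it live; pair the nft set with a timeout so blocks expire on their own, since the sources in the thread are suspected to be infected consumer endpoints rather than permanently hostile networks.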

------ Original Message ------
From: "Richard T.A. Neal" <rich...@richardneal.com>
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Sent: Apr 13, 2021 17:42:28 PM
Subject: FW: Preventing a particular type of nameserver abuse

In the particular case of the .sl denied queries, I don't think these are 
forged queries from the attack victim. Something else is going on here. We see 
queries from systems like these, almost exclusively consumer endpoints:

[snipped]

It seems unlikely that someone is trying to attack those specific endpoints. 
Unless the attack is *very* widely distributed and they are actually attacking 
the ISP infrastructure. But in that case, this seems to be a simultaneous 
attack on almost every major ISP, which I find unlikely.

Yes, another individual & I were discussing this off-list today. We wonder if those 
queries are from malware on infected hosts that are trying to determine whether a given 
nameserver can be used in a distributed reflection attack? The source IP is not spoofed 
(because it wants to get the answer), so if it gets either "refused" or a timeout 
then it knows that nameserver can't be used in the reflection attack. But if it gets a 
response with data then it knows it *can* be used in the reflection attack.

A lot of the "bad clients" that I block are also domestic IP addresses, and 
I've yet to come up with any other explanation so am always open to any plausible causes.

Best,
Richard.
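The exchange Richard hypothesises, as an added example (editor's code, not from the thread or from ISC): a client sends one recursive ANY query for "sl" and classifies the reply exactly as a reflector probe would, REFUSED or timeout meaning the server is of no use, a NOERROR answer carrying records meaning it is, with the size ratio giving the amplification factor. The same check is how you confirm your own server does not answer such queries from outside, so run it only against servers you operate. The query is built in raw wire format so the parsing is visible; the two sample replies are constructed, not captured traffic, and the `probe()` helper, the 2-second timeout and the sample data are all assumptions of this example.

```python
"""Classify a nameserver's reply to an ANY query the way a reflection probe would.

Added example, not code from the thread or from ISC. Hand-builds a DNS query,
optionally sends it over UDP, and maps the reply to usable / unusable.
"""
import socket
import struct
import sys

QTYPE_ANY = 255
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'sl' -> b'\\x02sl\\x00' (uncompressed wire-format name)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_ANY, txid=0x1234):
    """Header (ID, flags with RD=1 as an open-resolver probe sets it, QDCOUNT=1)
    followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def walk_rrs(msg, off, count):
    """Return the RR types of `count` records starting at `off`; raises on truncation."""
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("truncated RR")
        types.append(rtype)
    return types, off


def classify(query, response):
    """Map a raw reply (None for a timeout) to a verdict dict."""
    if response is None:
        return {"verdict": "unusable", "reason": "timeout"}
    if len(response) < 12:
        return {"verdict": "unusable", "reason": "malformed"}
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", response, 0)
    if txid != struct.unpack_from("!H", query, 0)[0] or not flags & 0x8000:
        return {"verdict": "unusable", "reason": "id mismatch or not a response"}
    rcode = flags & 0x000F
    info = {"rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "ra": bool(flags & 0x0080),                    # recursion available
            "amplification": round(len(response) / len(query), 2)}
    if rcode != 0:                                         # REFUSED, SERVFAIL, ...
        return {"verdict": "unusable", "reason": info["rcode"], **info}
    try:
        off = 12
        for _ in range(qd):
            off = skip_name(response, off) + 4             # skip QTYPE/QCLASS
        answer_types, _ = walk_rrs(response, off, an)
    except (ValueError, IndexError, struct.error):
        return {"verdict": "unusable", "reason": "malformed", **info}
    if not answer_types:
        return {"verdict": "unusable", "reason": "no answer records", **info}
    return {"verdict": "usable", "answer_types": answer_types, **info}


def probe(server, qname="sl", timeout=2.0, port=53):
    """Send one ANY query over UDP to a server you operate and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify(query, data)


# Constructed sample replies to QUERY (not captured traffic).
QUERY = build_query("sl")
# QR=1, RD=1, RCODE=REFUSED, question echoed, no records: what the thread's servers sent.
REPLY_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]
# QR=1, RD=1, RA=1, NOERROR with two A records (name via compression pointer to offset 12).
_RR_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, QCLASS_IN, 300, 4) + b"\xc0\x00\x02\x01"
REPLY_USABLE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + QUERY[12:] + _RR_A * 2

if __name__ == "__main__":
    print("refused sample:", classify(QUERY, REPLY_REFUSED))
    print("usable sample: ", classify(QUERY, REPLY_USABLE))
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
```

A server that is correctly restricted returns the REFUSED shape, which is also what produces the "query (cache) ... denied" log line on the BIND side; the 'usable' verdict with its amplification ratio is what an open resolver hands back, and on a real ANY reply for a TLD the ratio is far larger than the 2.6 of the constructed sample.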
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
