I too noticed long ago that port 25345 was being used by the majority of attacks, so I limited it for a while and recently have blocked DNS "ANY" packets from port 25345 completely. If a legitimate query matches that, it should be retried on a different port, so I don't think I will have a significant 'false positive' problem. I next rate limit "ANY" queries. Both of those are done with iptables. I plan to use rrl in BIND to rate limit what is left, but I am having trouble getting it to work correctly.
Depending on your traffic, the 1000 queries from the same port might be normal, but for "ANY ISC.ORG" it does look awfully high.

-- 
Bob Harold
University of Michigan

> Date: Wed, 3 Apr 2013 10:29:30 -0400
> From: [email protected]
> To: [email protected]
> Subject: [dns-operations] Intersting log analysis
> Message-ID: <of1b491054.f3140df8-on85257b42.004e3595-85257b42.004f9...@e1b.org>
> Content-Type: text/plain; charset="US-ASCII"
>
> I noticed that queries for isc.org would come from numerous IP addresses
> but the source port would be consistent for long periods of time. A
> little jiggery with daemon.log and I got the report below, where the first
> column is the number of occurrences of the source port (# separator
> changed to space for sort/uniq field definition). The port number is the
> only field I used in this; the IP address below is just one of many hits for
> that port.
>
> Commands used were:
>
> sed -e s/#/\ / /var/log/daemon.log |sort -k 8 > ~/sorted
> uniq -c -d -f 8 ~/sorted |sort -n -r -k 1 |more
>
> Does it make sense to look at source port for any level of rate limiting?
>
> 4085406 Apr 1 00:00:00 ns3 named[3407]: client 178.32.36.37 25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 113613 Apr 1 00:06:28 ns3 named[3407]: client 5.135.134.141 26451 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 37086 Apr 2 00:10:44 ns3 named[3407]: client 108.59.9.97 49940 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 6388 Apr 1 17:22:07 ns3 named[3407]: client 91.102.165.40 41819 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 5703 Apr 3 01:28:24 ns3 named[3407]: client 178.32.62.37 57335 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 4513 Apr 3 01:41:15 ns3 named[3407]: client 69.60.109.62 32743 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 4009 Apr 1 13:29:08 ns3 named[3407]: client 85.180.66.207 28943 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 3410 Apr 1 21:18:15 ns3 named[3407]: client 5.135.134.141 38299 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 3225 Apr 3 02:07:16 ns3 named[3407]: client 46.105.191.93 31198 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 2505 Apr 1 00:01:18 ns3 named[3407]: limit responses to 216.226.125.0/24
> 2504 Apr 1 00:01:06 ns3 named[3407]: stop limiting error responses to 216.226.125.0/24
> 2280 Mar 31 22:55:43 ns3 named[3407]: client 5.135.134.141 18406 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 2231 Apr 2 00:10:44 ns3 named[3407]: client 108.59.9.97 53501 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 2178 Apr 1 15:49:56 ns3 named[3407]: client 178.32.244.171 45813 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 1845 Apr 2 18:20:23 ns3 named[3407]: client 62.75.246.181 14716 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 1704 Mar 31 15:20:48 ns3 named[3407]: client 176.31.24.240 35853 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 1325 Apr 1 14:27:54 ns3 named[3407]: client 37.43.129.10 14898 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 1049 Apr 1 18:45:47 ns3 named[3407]: client 178.32.62.37 34424 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 1043 Apr 1 20:40:06 ns3 named[3407]: client 5.135.134.141 48733 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 1033 Apr 1 13:29:08 ns3 named[3407]: client 85.180.66.207 43639 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 1022 Apr 1 19:02:39 ns3 named[3407]: client 208.98.0.3 61182 (isc.org): query (cache) 'isc.org/ANY/IN' denied
>
> These are all records where the count was above 1000.
>
> --
>
> William Brown
> Core Hosted Application Technical Team and Messaging Team
> Technology Services, WNYRIC, Erie 1 BOCES
> (716) 821-7285
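The per-port count that the sed/sort/uniq report above produces, as an added Python example that is not from either post: it parses BIND's native `client ip#port` log form (the posts replaced the # with a space) over constructed sample log lines, and also counts how many distinct client addresses share each source port, which is the spread across IPs that the original poster noticed.

```python
"""Count denied ANY queries per source port in BIND query logs.

Added example, not from the original posts. The log lines below are
constructed for the example, with documentation-range addresses.
"""
import re
from collections import defaultdict

# Matches BIND's "client <ip>#<port> (<qname>): query (cache) '<q>' denied"
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"query \(cache\) '(?P<query>[^']+)' denied"
)

# Constructed sample: three clients sharing port 25345, one unrelated
# A query on another port, and one rrl notice with no client#port.
SAMPLE_LOG = """\
Apr  1 00:00:00 ns3 named[3407]: client 203.0.113.10#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:01 ns3 named[3407]: client 203.0.113.11#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:01 ns3 named[3407]: client 198.51.100.5#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:02 ns3 named[3407]: client 198.51.100.5#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Apr  1 00:00:03 ns3 named[3407]: client 192.0.2.44#53121 (example.com): query (cache) 'example.com/A/IN' denied
Apr  1 00:00:04 ns3 named[3407]: limit responses to 192.0.2.0/24
"""

def port_report(lines, rtype="ANY"):
    """Return {port: (query_count, distinct_client_ips)} for denied rtype queries."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # rrl notices and other messages carry no client#port
        if m.group("query").split("/")[1] != rtype:
            continue  # only the record type we are tracking
        port = int(m.group("port"))
        counts[port] += 1
        clients[port].add(m.group("ip"))
    return {p: (counts[p], len(clients[p])) for p in counts}

def suspicious_ports(report, min_queries=1000, min_clients=2):
    """Ports with high query volume that arrives from several different source IPs."""
    return sorted(p for p, (n, c) in report.items()
                  if n >= min_queries and c >= min_clients)
```

Feed real lines with `port_report(open("/var/log/daemon.log"))`; the 1000-query threshold in `suspicious_ports` matches the cutoff used for the report above.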
