Today my server went non-responsive, and I had to reboot it.
After inspecting syslog, I found that in the last 5 hours I have had 100k+ DNS
queries, all coming from the same IP:
Mar 3 11:58:11 on-a named[1922]: client 62.109.4.89#12199: query (cache) './NS/IN' denied
Mar 3 11:58:14 on-a named[1922]: client 62.109.4.89#29073: query (cache) './NS/IN' denied
Mar 3 11:58:15 on-a named[1922]: client 62.109.4.89#10889: query (cache) './NS/IN' denied
Mar 3 11:58:16 on-a named[1922]: client 62.109.4.89#35631: query (cache) './NS/IN' denied
Mar 3 11:58:17 on-a named[1922]: client 62.109.4.89#52863: query (cache) './NS/IN' denied
Mar 3 11:58:20 on-a named[1922]: client 62.109.4.89#12731: query (cache) './NS/IN' denied
Mar 3 11:58:21 on-a named[1922]: client 62.109.4.89#6617: query (cache) './NS/IN' denied
Mar 3 11:58:22 on-a named[1922]: client 62.109.4.89#34775: query (cache) './NS/IN' denied
Mar 3 11:58:24 on-a named[1922]: client 62.109.4.89#50625: query (cache) './NS/IN' denied
Mar 3 11:58:26 on-a named[1922]: client 62.109.4.89#5552: query (cache) './NS/IN' denied
Mar 3 11:58:27 on-a named[1922]: client 62.109.4.89#41112: query (cache) './NS/IN' denied
Mar 3 11:58:27 on-a named[1922]: client 62.109.4.89#58603: query (cache) './NS/IN' denied
Mar 3 11:58:29 on-a named[1922]: client 62.109.4.89#46893: query (cache) './NS/IN' denied
Mar 3 11:58:30 on-a named[1922]: client 62.109.4.89#11113: query (cache) './NS/IN' denied
Mar 3 11:58:32 on-a named[1922]: client 62.109.4.89#41691: query (cache) './NS/IN' denied
Mar 3 11:58:33 on-a named[1922]: client 62.109.4.89#20904: query (cache) './NS/IN' denied
Mar 3 11:58:35 on-a named[1922]: client 62.109.4.89#16005: query (cache) './NS/IN' denied
Now, should OSSEC detect this and block it on the fly, or is this under
its radar?
My named.conf settings are:
allow-query { any; };
allow-recursion { localhost; };
forward first;
I am running OSSEC 1.6.1... Will upgrade to 2.0 - is there anything there that
will help in further similar situations?
cheers,
Jaka
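The kind of frequency check a log monitor would need for the situation above, written as an added example (not OSSEC's own decoder or rules, and not code from the post): it parses BIND "query (cache) ... denied" lines in the format shown, keeps a per-client sliding window, and flags a client once its denied queries in that window reach a threshold. The sample lines, the TEST-NET addresses and the year (syslog lines carry none) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches lines like:
#   Mar  3 11:58:11 on-a named[1922]: client 192.0.2.10#12199: query (cache) './NS/IN' denied
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<q>[^']*)' denied$"
)

def parse_line(line, year=2009):
    """Return (timestamp, client_ip, query) for a denied-query line, else None.
    `year` is an assumption: syslog timestamps omit it."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["q"]

def find_floods(lines, threshold=10, window_seconds=60):
    """Flag each client whose denied queries within `window_seconds` reach
    `threshold`. Returns {ip: timestamp at which the threshold was first hit}."""
    recent = defaultdict(deque)  # ip -> timestamps of denials still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # unrelated syslog line, skip it
            continue
        ts, ip, _query = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()        # drop denials that aged out of the window
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

# Constructed sample: 13 denials from one client in 24 seconds, plus two from another.
SAMPLE = [
    f"Mar  3 11:58:{sec:02d} on-a named[1922]: client 192.0.2.10#{40000 + sec}: "
    f"query (cache) './NS/IN' denied"
    for sec in range(11, 36, 2)
] + [
    "Mar  3 11:58:20 on-a named[1922]: client 198.51.100.7#5353: query (cache) './NS/IN' denied",
    "Mar  3 11:58:21 on-a named[1922]: client 198.51.100.7#5353: query (cache) 'example.com/A/IN' denied",
]

if __name__ == "__main__":
    for ip, when in find_floods(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} flood of denied queries from {ip}")
```

With the defaults (10 denials in 60 seconds) the first client is flagged at the tenth denial, 11:58:29, and the second client, with only two denials, is not.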