Re: A large number of ANY query type queries
On Wed, Mar 28, 2012 at 04:08:33PM +0800, ShanyiWan w...@114.com.cn wrote a message of 104 lines which said:

> On the DNS server, a large number of ANY type queries occur, why? The same IP address produced a large number of requests within a very short period of time. Can I block these IPs?

Many technical details at https://www.dns-oarc.net/wiki/mitigating-dns-denial-of-service-attacks

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
A large number of ANY query type queries
On the DNS server, a large number of ANY type queries occur, why? The same IP address produced a large number of requests within a very short period of time. Can I block these IPs?

ShanyiWan
Re: A large number of ANY query type queries
On 28.03.12 16:08, ShanyiWan wrote:

> On the DNS server, a large number of ANY type queries occur, why? The same IP address produced a large number of requests within a very short period of time. Can I block these IPs?

Yes, you can. I would also wonder who sends such queries, maybe they ask...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: A large number of ANY query type queries
On Wed, Mar 28, 2012 at 04:08:33PM +0800, ShanyiWan w...@114.com.cn wrote a message of 104 lines which said:

> On the DNS server, a large number of ANY type queries occur, why?

Probably the reflection+amplification attack which has been going on, especially in China, for several months. CNCERT knows about it so I suggest you contact them.

https://lists.dns-oarc.net/pipermail/dns-operations/2011-December/007852.html
http://dyn.com/active-incident-notification-recent-chinanetany-query-floods/

> The same IP address produced a large number of requests within a very short period of time. Can I block these IPs?

You probably should not. The source IP address is forged; it is the address of the victim. If you block it, the victim will not be able to talk to your name servers.
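A detection pass over BIND query-log lines, added here as an example and not code from this thread or from BIND: it counts ANY queries per source address per second and reports the sources whose peak one-second count reaches a threshold. The log lines and addresses are constructed samples in documentation ranges, and the line layout assumes a BIND 9 "queries" channel with print-time enabled. As the reply above explains, a source this reports is most likely the spoofed victim, so the result is input for rate limiting or for notifying the victim's operator, not a blocklist.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of BIND 9 query-log lines ("queries" category with
# print-time yes). Addresses are documentation ranges, not real hosts.
# 192.0.2.7 sends repeated ANY queries for one name within a single second,
# the pattern the thread describes; the other clients are ordinary traffic.
SAMPLE_LOG = """\
28-Mar-2012 16:08:33.101 client 192.0.2.7#53000: query: example.com IN ANY +E (203.0.113.53)
28-Mar-2012 16:08:33.102 client 192.0.2.7#53000: query: example.com IN ANY +E (203.0.113.53)
28-Mar-2012 16:08:33.104 client 192.0.2.7#53000: query: example.com IN ANY +E (203.0.113.53)
28-Mar-2012 16:08:33.400 client 198.51.100.20#41422: query: www.example.com IN A + (203.0.113.53)
28-Mar-2012 16:08:34.010 client 192.0.2.7#53000: query: example.com IN ANY +E (203.0.113.53)
28-Mar-2012 16:08:34.011 client 198.51.100.21#5353: query: example.com IN ANY + (203.0.113.53)
"""

# Timestamp, source address/port, qname and qtype; the lazy ".*?" lets the
# pattern tolerate an optional "queries: info:" prefix between them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (second, source_ip, qname, qtype) for every line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; skip rather than fail
        second = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        yield second, m["src"], m["qname"], m["qtype"]


def flagged_sources(text, qtype="ANY", threshold=2):
    """Return {source_ip: (peak_queries_in_one_second, [qnames])} for sources
    whose per-second count of `qtype` queries reaches `threshold`.

    A source listed here is the address to rate-limit or to notify; because a
    reflection attack spoofs the victim's address, it is very likely not the
    party actually sending the packets.
    """
    per_second = defaultdict(int)   # (src, second) -> count
    names = defaultdict(set)        # src -> names queried
    for second, src, qname, qt in parse_query_log(text):
        if qt != qtype:
            continue
        per_second[(src, second)] += 1
        names[src].add(qname)

    peaks = {}
    for (src, _second), count in per_second.items():
        peaks[src] = max(peaks.get(src, 0), count)

    return {src: (peak, sorted(names[src]))
            for src, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    for src, (peak, qnames) in flagged_sources(SAMPLE_LOG).items():
        print(f"{src}: peak {peak} ANY queries/s for {', '.join(qnames)}")
```

On the sample, only 192.0.2.7 reaches the threshold (three ANY queries in the 16:08:33 second); the single ANY query from 198.51.100.21 and the A query from 198.51.100.20 do not. The threshold of two exists only to make the constructed sample readable; a production server would set it from its own baseline of ANY queries per source.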
Re: A large number of ANY query type queries
On 28/03/2012 10:21, Stephane Bortzmeyer wrote:

>> The same IP address produced a large number of requests within a very short period of time. Can I block these IPs?
>
> You probably should not. The source IP address is forged; it is the address of the victim. If you block it, the victim will not be able to talk to your name servers.

As Stéphane says, do not block the address. It's probably better to rate-limit the address. You can do that on your server with iptables (Linux) or ipfw (*BSD) or on your router.

Regards,
Anand Buddhdev
RIPE NCC
Re: A large number of ANY query type queries
On Wed, Mar 28, 2012 at 10:20:40AM +0200, Matus UHLAR - fantomas uh...@fantomas.sk wrote a message of 18 lines which said:

> Yes, you can.

But it is a bad idea, since the source IP addresses are almost certainly forged.
Re: A large number of ANY query type queries
On Wed, Mar 28, 2012 at 10:39:11AM +0200, Anand Buddhdev ana...@ripe.net wrote a message of 25 lines which said:

> It's probably better to rate-limit the address. You can do that on your server with iptables (Linux) or ipfw (*BSD) or on your router.

A possible solution for Linux' Netfilter (test it: it may have strange effects when you have many different IP sources):

    iptables -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
        --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

(Adjust the numbers to your case; the documentation is in iptables' man page.)

You may also limit this rule to the offending IP address(es).
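To make the rule's parameters concrete, here is a small model of the hashlimit match, added as an example and not the kernel's code or anything from this thread. It treats each source /28 (the --hashlimit-srcmask 28 grouping) as one token bucket whose capacity is --hashlimit-burst and whose refill rate is the 20/second figure; a packet that finds its bucket empty is the packet --hashlimit-above matches and the rule drops. The refill arithmetic is a simplification of what xt_hashlimit does, and the traffic is constructed. The run also shows the side effect the message warns about: a legitimate host that merely shares a /28 with the spoofed address is throttled along with it.

```python
import ipaddress


# Approximation of netfilter's hashlimit match as a token bucket per source
# prefix: --hashlimit-mode srcip with --hashlimit-srcmask N keys the bucket on
# the source's /N prefix, --hashlimit-burst is the bucket capacity (packets
# that pass before limiting starts) and the rate refills it. Packets that find
# the bucket empty are the ones --hashlimit-above matches, i.e. the ones the
# rule sends to DROP. This is a model written for this example, not the
# kernel's credit arithmetic.
def hashlimit_simulate(packets, rate=20.0, burst=100, srcmask=28):
    """packets: iterable of (time_in_seconds, source_ip) in non-decreasing time order.
    Returns [(time, source_ip, bucket_prefix, 'ACCEPT' | 'DROP'), ...]."""
    buckets = {}  # prefix -> (tokens, last_seen_time)
    verdicts = []
    for t, src in packets:
        prefix = str(ipaddress.ip_network(f"{src}/{srcmask}", strict=False))
        tokens, last = buckets.get(prefix, (float(burst), t))
        tokens = min(float(burst), tokens + (t - last) * rate)  # refill since last packet
        if tokens >= 1.0:
            tokens -= 1.0
            verdict = "ACCEPT"
        else:
            verdict = "DROP"
        buckets[prefix] = (tokens, t)
        verdicts.append((t, src, prefix, verdict))
    return verdicts


def summarize(verdicts):
    """Per-source ACCEPT/DROP counts."""
    out = {}
    for _t, src, _prefix, verdict in verdicts:
        out.setdefault(src, {"ACCEPT": 0, "DROP": 0})[verdict] += 1
    return out


def demo():
    # Constructed traffic (documentation-range addresses):
    #  - 150 spoofed queries "from" 192.0.2.7 arriving in the same millisecond;
    #  - 192.0.2.9, a different host that shares 192.0.2.7's /28, at 10 ms
    #    and again at 500 ms;
    #  - a resolver at 198.51.100.20 (a different /28) sending 4 normal queries.
    packets = [(0.0, "192.0.2.7")] * 150
    packets.append((0.01, "192.0.2.9"))
    packets += [(0.1, "198.51.100.20"), (0.2, "198.51.100.20"),
                (0.3, "198.51.100.20"), (0.4, "198.51.100.20")]
    packets.append((0.5, "192.0.2.9"))
    return summarize(hashlimit_simulate(packets))


if __name__ == "__main__":
    for src, counts in demo().items():
        print(f"{src}: {counts}")
```

With the rule's numbers, the first 100 spoofed packets pass (the burst), the remaining 50 are dropped, and 192.0.2.9 is dropped at 10 ms because its /28 bucket is still empty, then accepted at 500 ms once ten tokens have refilled. The resolver in its own /28 is never affected. Lowering --hashlimit-srcmask towards 32 removes the shared-bucket effect at the cost of one bucket per address.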
Re: A large number of ANY query type queries
>> On the DNS server, a large number of ANY type queries occur, why?
>
> Probably the reflection+amplification attack which has been going on, especially in China, for several months. CNCERT knows about it so I suggest you contact them.

Note that there are multiple reflection+amplification attacks going on, basically all the time, and in plenty of cases the victim is not in China. For instance, *right now* I can see the following ongoing attacks:

     8560 | 212.227.135.196 | ONEANDONE-AS 1&1 Internet AG
    13335 | 173.245.60.116  | CLOUDFLARENET - CloudFlare, Inc.
    20021 | 67.59.167.140   | LNH-INC - HostMySite
    29791 | 72.251.250.98   | VOXEL-DOT-NET - Voxel Dot Net, Inc.
    32421 | 199.59.164.182  | BLCC - Black Lotus Communications
    33748 | 76.191.42.160   | DSCI - DSCI Corporation

Steinar Haug, Nethelp consulting, sth...@nethelp.no