Re: outgoing-traffic

2016-07-27 Thread Paul Kosinski
I thought port 0 was never valid as either source or destination.


On Wed, 27 Jul 2016 11:22:06 +0300
"Ejaz" <me...@cyberia.net.sa> wrote:

> 
> Thank you. 
> 
> The traffic will go to the router, which is handled by the Network dept.
> The fear is that the router may crash if we start enabling the
> packet capture, since it is layer 7. 
> 
> Is it advisable if we deny outbound UDP port 0 from the DNS servers,
> after enabling the firewall?
> 
> 
> Ejaz 
> 
> -Original Message-
> From: S Carr [mailto:sjc...@gmail.com] 
> Sent: Wednesday, July 27, 2016 10:51 AM
> To: Ejaz <me...@cyberia.net.sa>
> Cc: bind-users <bind-users@lists.isc.org>
> Subject: Re: outgoing-traffic
> 
> On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
> > Thanks for all.
> >
> > But the strange thing is that if the request comes in on port 53 then
> > it should go out only from 53, is it? Why does it go out from 0? Any clue
> > would be highly appreciated.
> >
> > Regards
> > Ejaz
> 
> Where's the packet capture to review?
> 
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: outgoing-traffic

2016-07-27 Thread Matus UHLAR - fantomas

> On 27 July 2016 at 15:10, Matus UHLAR - fantomas wrote:
> > however, if no responses will come from his server, it's more likely that
> > the queries will stop.

On 27.07.16 15:19, S Carr wrote:
> If you look at the capture there doesn't appear to be any responses
> being sent for the ANY queries to start with, yet the queries keep
> coming.

you seem to be the only one who got the capture (in a private mail).
(and no, I'm not interested in seeing it anymore, I trust you).
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: outgoing-traffic

2016-07-27 Thread S Carr
On 27 July 2016 at 15:10, Matus UHLAR - fantomas  wrote:
> however, if no responses will come from his server, it's more likely that
> the queries will stop.

If you look at the capture there doesn't appear to be any responses
being sent for the ANY queries to start with, yet the queries keep
coming.


RE: outgoing-traffic

2016-07-27 Thread Ejaz
> Denying the request isn't going to solve anything in this case, they are 
> still going to repeatedly ask for it and the traffic has already hit your 
> system before ANY queries would be denied.

Agreed, but at least it minimizes the problem, as if the request is 50 bytes 
then the response is also 50 bytes, not more than that??


Ejaz 

-Original Message-
From: S Carr [mailto:sjc...@gmail.com] 
Sent: Wednesday, July 27, 2016 4:58 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 14:44, Ejaz <me...@cyberia.net.sa> wrote:
> Such as, if someone is sending an ANY request, by default it should be denied 
> when users request it..

Denying the request isn't going to solve anything in this case, they are still 
going to repeatedly ask for it and the traffic has already hit your system 
before ANY queries would be denied.



Re: outgoing-traffic

2016-07-27 Thread Matus UHLAR - fantomas

> On 27 July 2016 at 14:44, Ejaz wrote:
> > Such as, if someone is sending an ANY request, by default it should be denied 
> > when users request it..

On 27.07.16 14:57, S Carr wrote:
> Denying the request isn't going to solve anything in this case, they
> are still going to repeatedly ask for it and the traffic has already
> hit your system before ANY queries would be denied.

however, if no responses will come from his server, it's more likely that
the queries will stop.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.


RE: outgoing-traffic

2016-07-27 Thread Ejaz
Oh, I am sorry for my misunderstanding..  

I was thinking 9.1.1, not 9.11. OK, that is fine.. I will upgrade it to 9.11 and
I will see if it controls it.
Thank you so much for all. 

Ejaz 

-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net] 
Sent: Wednesday, July 27, 2016 4:58 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: 'bind-users' <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic



Am 27.07.2016 um 15:55 schrieb Ejaz:
> You mean I need to downgrade my bind to 9.11, as my current version is 
> "*BIND 9.9.2-P1"*

In which country is 11 smaller than 9?
9.11 is the *next* upcoming version.

> -Original Message-
> From: Tony Finch [mailto:d...@dotat.at]
> Sent: Wednesday, July 27, 2016 4:49 PM
> To: Ejaz <me...@cyberia.net.sa>
> Cc: 'S Carr' <sjc...@gmail.com>; 'bind-users' 
> <bind-users@lists.isc.org>
> Subject: RE: outgoing-traffic
>
> Ejaz <me...@cyberia.net.sa <mailto:me...@cyberia.net.sa>> wrote:
>
>> Such as, if someone is sending ANY request , by default it should be 
>> denied when users requests for it..
>
> BIND 9.11 will have a minimal-any option.
>
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
> https://lists.isc.org/pipermail/bind-users/2016-July/097226.html




Re: outgoing-traffic

2016-07-27 Thread S Carr
On 27 July 2016 at 14:44, Ejaz  wrote:
> Such as, if someone is sending an ANY request, by default it should be denied 
> when users request it..

Denying the request isn't going to solve anything in this case, they
are still going to repeatedly ask for it and the traffic has already
hit your system before ANY queries would be denied.


RE: outgoing-traffic

2016-07-27 Thread Ejaz
Hello,

You mean I need to downgrade my bind to 9.11, as my current version is "BIND
9.9.2-P1"

Ejaz 

-Original Message-
From: Tony Finch [mailto:d...@dotat.at] 
Sent: Wednesday, July 27, 2016 4:49 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: 'S Carr' <sjc...@gmail.com>; 'bind-users' <bind-users@lists.isc.org>
Subject: RE: outgoing-traffic

Ejaz <me...@cyberia.net.sa> wrote:
> 
> Such as, if someone is sending an ANY request, by default it should be 
> denied when users request it..

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.

--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/  -  I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or
southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor,
occasionally good.


RE: outgoing-traffic

2016-07-27 Thread Tony Finch
Ejaz  wrote:
>
> Such as, if someone is sending an ANY request, by default it should be
> denied when users request it..

BIND 9.11 will have a minimal-any option.

https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any

https://lists.isc.org/pipermail/bind-users/2016-July/097226.html

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Southeast Thames, Dover, Wight, Portland, Plymouth, North Biscay: Westerly or
southwesterly 5 or 6. Moderate. Occasional drizzle. Moderate or poor,
occasionally good.


RE: outgoing-traffic

2016-07-27 Thread Ejaz
I really appreciate you sparing such a long time to trace out the problem and 
sending such a detailed email.

Is there any other security measure at the DNS level to control such 
attacks, instead of blocking the IP either from my Linux machine or from 
my network side?

Such as, if someone is sending an ANY request, by default it should be denied 
when users request it..  


Ejaz 

-Original Message-
From: S Carr [mailto:sjc...@gmail.com] 
Sent: Wednesday, July 27, 2016 4:19 PM
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 13:33, Ejaz <me...@cyberia.net.sa> wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, Find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY requests for 
cpsc.gov

No responses I can see are going from port 0, they are coming in on 53 and BIND 
is responding on a random high port

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS for 
reverse lookups and .99 shows that it is supposedly the system 
mail.electro.com.sa (though the forward lookup does not map to the same as the 
reverse).

It also looks like you are providing a recursive DNS service for these IP 
addresses, in frame 118047 you respond to the client with an NXDOMAIN response 
as the query they asked has a random "\r" on it. Are you meant to be providing 
recursive DNS for these clients? The random "\r" looks to me like something has 
been scripted (albeit poorly) to run against your systems.

As this is probably one of your customers have you tried contacting them to 
find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected by some 
malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide another layer 
of filtering and block the requests locally, or ask your network team to block 
those IPs, then wait for the customer to shout.



Re: outgoing-traffic

2016-07-27 Thread S Carr
On 27 July 2016 at 13:33, Ejaz  wrote:
> Thank you so much Abdul for your instant support.
>
> As requested, Find the attached.

So the 3 IPs (212.118.122.99-101) are continuously sending ANY
requests for cpsc.gov

No responses I can see are going from port 0, they are coming in on 53
and BIND is responding on a random high port

The subnet 212.118.122.0/24 appears to be mapped to your company's DNS
for reverse lookups and .99 shows that it is supposedly the system
mail.electro.com.sa (though the forward lookup does not map to the
same as the reverse).

It also looks like you are providing a recursive DNS service for these
IP addresses, in frame 118047 you respond to the client with an
NXDOMAIN response as the query they asked has a random "\r" on it. Are
you meant to be providing recursive DNS for these clients? The random
"\r" looks to me like something has been scripted (albeit poorly) to
run against your systems.

As this is probably one of your customers have you tried contacting
them to find out why their systems are sending all of these requests?
It could be simple misconfiguration or they could have been affected
by some malware that's generating DNS noise/attacks.

You could look at putting iptables on your Linux box to provide
another layer of filtering and block the requests locally, or ask your
network team to block those IPs, then wait for the customer to shout.
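S Carr's pcap review above found three neighbouring addresses repeatedly sending ANY queries for cpsc.gov, one of them with a stray "\r" in the name. The following is an added example, not code from the thread or from BIND: a small parser for the question section of DNS queries that counts ANY queries per source and flags names containing control characters, run over constructed packets that mirror the capture. A real run would take the UDP payloads out of the trace.pcap suggested earlier; here the packet bytes are built inline.

```python
import struct
from collections import Counter

QTYPE_ANY = 255


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query (12-byte header + one question) in wire
    format. Only used here to construct sample packets; a real run would
    take the UDP payloads out of trace.pcap."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("latin-1")
        name += bytes([len(raw)]) + raw
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet):
    """Return (qname, qtype) from the first question of a DNS message.
    The question section of a query never uses name compression, so a
    compression pointer here is treated as malformed."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("latin-1"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def summarize(capture, any_threshold=3):
    """capture: iterable of (src_ip, dns_payload) pairs.
    Returns (ANY-query count per source, {source: odd names}, suspect list)."""
    any_counts = Counter()
    odd_names = {}
    for src, payload in capture:
        qname, qtype = parse_question(payload)
        if qtype == QTYPE_ANY:
            any_counts[src] += 1
        # A name with control characters (the "\r" seen in frame 118047) is
        # not something a sane resolver emits; record it separately.
        if not qname.isprintable():
            odd_names.setdefault(src, set()).add(qname)
    suspects = sorted(src for src, n in any_counts.items() if n >= any_threshold)
    return any_counts, odd_names, suspects


# Constructed sample mirroring the thread: three addresses in 212.118.122.0/24
# hammering ANY cpsc.gov, one with a stray "\r", plus one normal A query.
SAMPLE_CAPTURE = (
    [("212.118.122.99", build_query("cpsc.gov", QTYPE_ANY))] * 3
    + [("212.118.122.100", build_query("cpsc.gov", QTYPE_ANY))] * 3
    + [("212.118.122.101", build_query("cpsc.gov", QTYPE_ANY))] * 2
    + [("212.118.122.101", build_query("cpsc.gov\r", QTYPE_ANY))]
    + [("10.0.0.5", build_query("www.example.com", 1))]
)

if __name__ == "__main__":
    counts, odd, suspects = summarize(SAMPLE_CAPTURE)
    for src in suspects:
        print("%s sent %d ANY queries" % (src, counts[src]))
    for src, names in odd.items():
        print("%s sent malformed names: %r" % (src, sorted(names)))
```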


RE: outgoing-traffic

2016-07-27 Thread Abdul Khader
Did not find any attachment.

Ejaz <me...@cyberia.net.sa> wrote:

>Thank you so much Abdul for your instant support. 
>
>As requested, Find the attached.  
>
>
>Ejaz 
>-Original Message-
>From: akha...@ies.etisalat.ae [mailto:akha...@ies.etisalat.ae] 
>Sent: Wednesday, July 27, 2016 3:04 PM
>To: Ejaz <me...@cyberia.net.sa>; 'S Carr' <sjc...@gmail.com>
>Cc: bind-users@lists.isc.org
>Subject: RE: outgoing-traffic
>
>You can use tcpdump on your DNS server to take the trace.
>
>Command would be like below.
>
>tcpdump -i any port 53 -w trace.pcap
>
>You can share trace.pcap with us.
>
>Regards
>Abdul Khader
>
>Ejaz <me...@cyberia.net.sa> wrote:
>
>>
>>Thank you. 
>>
>>The traffic will go to the router, which is handled by the Network dept. The fear  
>>is that the router may crash if we start enabling the packet capture since it 
>>is layer 7. 
>>
>>Is it advisable if we deny outbound UDP port 0 from the DNS servers, after 
>>enabling the firewall?
>>
>>
>>Ejaz
>>
>>-Original Message-
>>From: S Carr [mailto:sjc...@gmail.com]
>>Sent: Wednesday, July 27, 2016 10:51 AM
>>To: Ejaz <me...@cyberia.net.sa>
>>Cc: bind-users <bind-users@lists.isc.org>
>>Subject: Re: outgoing-traffic
>>
>>On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
>>> Thanks for all.
>>>
>>> But the strange thing is that if the request comes in on port 53 then it 
>>> should go out only from 53, is it? Why does it go out from 0? Any clue would be 
>>> highly appreciated.
>>>
>>> Regards
>>> Ejaz
>>
>>Where's the packet capture to review?
>>


RE: outgoing-traffic

2016-07-27 Thread Abdul Khader
You can use tcpdump on your DNS server to take the trace.

Command would be like below.

tcpdump -i any port 53 -w trace.pcap

You can share trace.pcap with us.

Regards
Abdul Khader

Ejaz <me...@cyberia.net.sa> wrote:

>
>Thank you. 
>
>The traffic will go to the router, which is handled by the Network dept. The fear  
>is that the router may crash if we start enabling the packet capture since it 
>is layer 7. 
>
>Is it advisable if we deny outbound UDP port 0 from the DNS servers, after 
>enabling the firewall?
>
>
>Ejaz 
>
>-Original Message-
>From: S Carr [mailto:sjc...@gmail.com] 
>Sent: Wednesday, July 27, 2016 10:51 AM
>To: Ejaz <me...@cyberia.net.sa>
>Cc: bind-users <bind-users@lists.isc.org>
>Subject: Re: outgoing-traffic
>
>On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
>> Thanks for all.
>>
>> But the strange thing is that if the request comes in on port 53 then it 
>> should go out only from 53, is it? Why does it go out from 0? Any clue would be 
>> highly appreciated.
>>
>> Regards
>> Ejaz
>
>Where's the packet capture to review?
>


RE: outgoing-traffic

2016-07-27 Thread Ejaz

Thank you. 

The traffic will go to the router, which is handled by the Network dept. The fear  
is that the router may crash if we start enabling the packet capture since it 
is layer 7. 

Is it advisable if we deny outbound UDP port 0 from the DNS servers, after 
enabling the firewall?


Ejaz 

-Original Message-
From: S Carr [mailto:sjc...@gmail.com] 
Sent: Wednesday, July 27, 2016 10:51 AM
To: Ejaz <me...@cyberia.net.sa>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

On 27 July 2016 at 08:41, Ejaz <me...@cyberia.net.sa> wrote:
> Thanks for all.
>
> But the strange thing is that if the request comes in on port 53 then it 
> should go out only from 53, is it? Why does it go out from 0? Any clue would be 
> highly appreciated.
>
> Regards
> Ejaz

Where's the packet capture to review?



Re: outgoing-traffic

2016-07-27 Thread S Carr
On 27 July 2016 at 08:41, Ejaz  wrote:
> Thanks for all.
>
> But the strange thing is that if the request comes in on port 53 then it should
> go out only from 53, is it? Why does it go out from 0? Any clue would be highly
> appreciated.
>
> Regards
> Ejaz

Where's the packet capture to review?


RE: outgoing-traffic

2016-07-27 Thread Ejaz
Thanks for all. 

But the strange thing is that if the request comes in on port 53 then it should
go out only from 53, is it? Why does it go out from 0? Any clue would be highly
appreciated.

Regards
Ejaz 




-Original Message-
From: Tony Finch [mailto:d...@dotat.at] 
Sent: Tuesday, July 26, 2016 4:12 PM
To: S Carr <sjc...@gmail.com>
Cc: Ejaz <me...@cyberia.net.sa>; bind-users <bind-users@lists.isc.org>
Subject: Re: outgoing-traffic

S Carr <sjc...@gmail.com> wrote:
>
> You might want to check whether the requests are legitimate before 
> completely blocking them, rate limiting would be a better option.

Remember this is TCP traffic.

RRL is designed to deal with spoofed UDP traffic. It can actually make
non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP is
very easy to saturate.

You might find it helps to avoid truncated responses, e.g. by turning on the
minimal-responses option. (See also minimal-any in BIND 9.11)

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
until later in north. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.



Re: outgoing-traffic

2016-07-26 Thread Mark Andrews

In message , Tony Finch 
writes:
> S Carr  wrote:
> >
> > You might want to check whether the requests are legitimate before
> > completely blocking them, rate limiting would be a better option.
> 
> Remember this is TCP traffic.
> 
> RRL is designed to deal with spoofed UDP traffic. It can actually make
> non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP
> is very easy to saturate.
> 
> You might find it helps to avoid truncated responses, e.g. by turning on
> the minimal-responses option. (See also minimal-any in BIND 9.11)

We need to go back to basics.  What question is being asked and is
there a sensible response being returned?  Recursive servers don't
keep asking questions over and over for no reason and this sounds
like that is happening.

> Tony.
> -- 
> f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
> Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
> until later in north. Moderate or rough. Occasional rain, fog patches.
> Moderate or good, occasionally very poor.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: outgoing-traffic

2016-07-26 Thread Tony Finch
S Carr  wrote:
>
> You might want to check whether the requests are legitimate before
> completely blocking them, rate limiting would be a better option.

Remember this is TCP traffic.

RRL is designed to deal with spoofed UDP traffic. It can actually make
non-spoofed floods worse, because RRL pushes UDP traffic to TCP, and TCP
is very easy to saturate.

You might find it helps to avoid truncated responses, e.g. by turning on
the minimal-responses option. (See also minimal-any in BIND 9.11)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Southeast Iceland: Northerly or northwesterly 5 to 7, occasionally gale 8
until later in north. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.


Re: outgoing-traffic

2016-07-26 Thread G.W. Haywood

Hi there,

On Tue, 26 Jul 2016, Ejaz wrote:

> There is huge traffic coming out from my DNS server since yesterday and
> flooding the IP 212.107.121.110 ...


Are you able to let us see your bind configuration?

This might be IP spoofing, an attempted DoS attack on the IP.

Is there any reason why that IP should be allowed to query your
nameserver?  If not, then you should change your configuration so
that only those clients who are expected to query the server are
allowed to do so.  The 'acl', 'allow-query' and 'allow-recursion'
directives for the BIND configuration file enable you to do this.

What operating system are you running on your server?  If all else
fails, in most cases it will be trivial to implement a local firewall
rule or two - at least as a temporary measure until the, er, root of
the problem is discovered and solved.  Consider the TARPIT target. :)

--

73,
Ged.


RE: outgoing-traffic

2016-07-26 Thread Ejaz
 

Thanks for all the comments. 

One more thing: I can control it through rate limit or block whole, but if the
same thing happened to another network, will it be a problem?? 

See the packet capture from the network device: the outgoing traffic is passing
from port 0 instead of 53.  Why is that, any clue?  I mean the bind application
should not use any other port instead of 53??

Gi0/2  212.119.64.2  Gi0/1  212.118.122.99   11  362K
Gi0/2  212.119.64.3  Gi0/1  212.118.122.99   11  66K
Gi0/2  212.119.64.2  Gi0/1  212.118.122.100  11  375K
Gi0/2  212.119.64.3  Gi0/1  212.118.122.100  11  68K
Gi0/2  212.119.64.2  Gi0/1  212.118.122.101  11  362K
Gi0/2  212.119.64.3  Gi0/1  212.118.122.101  11  66K

Thanks in advance for your support. 

Ejaz 

-Original Message-
From: Tony Finch [mailto:d...@dotat.at] 
Sent: Tuesday, July 26, 2016 11:54 AM
To: Ejaz <me...@cyberia.net.sa>
Cc: 'Abdul Khader' <akha...@ies.etisalat.ae>; bind-users@lists.isc.org
Subject: RE: outgoing-traffic

 

Ejaz <me...@cyberia.net.sa> wrote:
> 
> I am not using iptable firewall from my redhat Linux box, all 
> traffic managed by network team..

Well then, you should co-operate with them to fix the problem.

You might find that it helps to put the following in the options{} section
of named.conf, but I'm not sure if it will be effective against a TCP flood
attack.

blackhole { 212.107.121.110; };

Tony.

--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/  -  I xn--zr8h punycode
Forties, Cromarty, Forth, Tyne, Dogger: West or southwest 4 or 5. Slight,
occasionally moderate at first. Rain or showers. Good, occasionally
moderate.


Re: outgoing-traffic

2016-07-26 Thread S Carr
On 26 July 2016 at 09:53, Tony Finch  wrote:
> Ejaz  wrote:
>>
>> I am not using iptable firewall from my redhat Linux box, all traffic
>> managed by network team..

You might want to check whether the requests are legitimate before
completely blocking them, rate limiting would be a better option.

$ dig +noall +answer -x 212.107.121.110
110.121.107.212.in-addr.arpa. 3531 IN PTR mail1.alireza.com.sa.

That IP address looks like it belongs to a mail server, and the
alireza.com.sa zone is authoritative on your company's name servers,
so it could be they have simply misconfigured their mailserver.

$ dig +noall +answer alireza.com.sa NS
alireza.com.sa. 3468 IN NS ns2.cyberia.net.sa.
alireza.com.sa. 3468 IN NS ns1.cyberia.net.sa.

Steve


RE: outgoing-traffic

2016-07-26 Thread Tony Finch
Ejaz  wrote:
>
> I am not using iptable firewall from my redhat Linux box, all traffic
> managed by network team..

Well then, you should co-operate with them to fix the problem.

You might find that it helps to put the following in the options{} section
of named.conf, but I'm not sure if it will be effective against a TCP
flood attack.

blackhole { 212.107.121.110; };

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Forties, Cromarty, Forth, Tyne, Dogger: West or southwest 4 or 5. Slight,
occasionally moderate at first. Rain or showers. Good, occasionally moderate.


RE: outgoing-traffic

2016-07-26 Thread Ejaz
OK, that's fine. But what is the reason why it is sending such huge traffic
towards particular IPs?

Ejaz 

-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net] 
Sent: Tuesday, July 26, 2016 11:36 AM
To: Ejaz <me...@cyberia.net.sa>; 'Abdul Khader' <akha...@ies.etisalat.ae>;
bind-users@lists.isc.org
Subject: Re: outgoing-traffic



Am 26.07.2016 um 10:30 schrieb Ejaz:
> I am not using iptable firewall from my redhat Linux box, all 
> traffic managed by network team..

What you currently do doesn't matter: you have a problem and got a solution
(which should be used on any host, besides response-rate-limiting, independent
of whether there is a firewall in front; defense in depth).

> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf 
> Of Abdul Khader
> Sent: Tuesday, July 26, 2016 11:21 AM
> To: bind-users@lists.isc.org
> Subject: Re: outgoing-traffic
>
> You can use iptables to rate-limit the IP.
>
> On 7/26/2016 12:11 PM, Ejaz wrote:
>
> All.
>
> There is huge traffic coming out from my DNS server since yesterday
> and flooding the IP 212.107.121.110, though I have increased the
> limitation of tcp-clients in named.conf but still the issue.  Any
> help would be highly appreciated.




RE: outgoing-traffic

2016-07-26 Thread Ejaz
 

I am not using iptable firewall from my redhat Linux box, all traffic
managed by network team.. 

Ejaz 

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Abdul Khader
Sent: Tuesday, July 26, 2016 11:21 AM
To: bind-users@lists.isc.org
Subject: Re: outgoing-traffic

> You can use iptables to rate-limit the IP.
>
> On 7/26/2016 12:11 PM, Ejaz wrote:
>
> > All. 
> >
> > There is huge traffic coming out from my DNS server since yesterday and
> > flooding the IP 212.107.121.110, though I have increased the limitation of
> > tcp-clients in named.conf but still the issue.  Any help would be highly
> > appreciated.
> >
> > My bind version is 
> >
> > [root@ns10 ~]# named -v
> > BIND 9.9.2-P1
> >
> > When checking there are several entries as below. 
> >
> > Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
> > Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
> > Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
> > Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
> > Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
> > Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
> > Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
> >
> > Thanks,
> >
> > Mohammed Ejaz
> > Asst. Operation Director of Systems.
> > Cyberia SAUDI ARABIA
> > P.O.Box: 301079, Riyadh 11372
> > Phone:  (+966) 11 464 7114 Ext. 140
> > Mobile:  (+966) 562311787
> > Fax:  (+966) 11 465 4735
> > Website: http://www.cyberia.net.sa






Re: outgoing-traffic

2016-07-26 Thread Abdul Khader

You can use iptables to rate-limit the IP.



On 7/26/2016 12:11 PM, Ejaz wrote:
> All.
>
> There is huge traffic coming out from my DNS server since yesterday 
> and flooding the IP 212.107.121.110, though I have increased the 
> limitation of tcp-clients in named.conf but still the issue.  Any help 
> would be highly appreciated.
>
> My bind version is
>
> [root@ns10 ~]# named -v
> BIND 9.9.2-P1
>
> When checking there are several entries as below.
>
> Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
> Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
> Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
> Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
> Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
> Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
> Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
>
> Thanks,
>
> Mohammed Ejaz
> Asst. Operation Director of Systems.
> Cyberia SAUDI ARABIA
> P.O.Box: 301079, Riyadh 11372
> Phone:  (+966) 11 464 7114 Ext. 140
> Mobile:  (+966) 562311787
> Fax:  (+966) 11 465 4735
> Website: http://www.cyberia.net.sa



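The "no more TCP clients: quota reached" lines quoted above are the signal an operator should alert on. As an added example (not code from the thread or from ISC), the Python below parses those named log lines, counts events per client address in a sliding window, and renders the options{} blackhole clause Tony Finch suggests later in the thread for an operator to review before applying. The 60-second window, the threshold of 5, the assumed year 2016 and the second client 198.51.100.7 are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the syslog line format named produced in the thread.
QUOTA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): no more TCP clients: quota reached$"
)

# Six lines from the thread plus one constructed line for a second client
# (198.51.100.7, documentation address space) and one unrelated query log
# line that the parser must ignore.
SAMPLE_LOG = """\
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: client 198.51.100.7#5120: no more TCP clients: quota reached
Jul 26 10:53:27 ns10 named[3004]: client 10.0.0.9#53011: query: example.com IN A + (10.0.0.1)
"""


def parse_quota_events(text, year=2016):
    """Return [(timestamp, client_ip, client_port)] for every quota line.
    Syslog timestamps carry no year, so one is supplied (assumed 2016)."""
    events = []
    for line in text.splitlines():
        m = QUOTA_RE.match(line)
        if not m:
            continue  # other named messages are not quota exhaustion
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], int(m["port"])))
    return events


def offenders(events, window_seconds=60, threshold=5):
    """Return {client_ip: peak events in any window_seconds span} for
    clients that reach the threshold. These are accepted TCP connections,
    so the client address is the real peer rather than a spoofed one."""
    by_ip = defaultdict(list)
    for ts, ip, _port in events:
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits in window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[ip] = peak
    return result


def blackhole_clause(ips):
    """Render the options{} blackhole clause for the given addresses, for
    the operator to review; nothing here writes to named.conf."""
    return "blackhole { " + " ".join("%s;" % ip for ip in sorted(ips)) + " };"


if __name__ == "__main__":
    peaks = offenders(parse_quota_events(SAMPLE_LOG))
    for ip, peak in peaks.items():
        print("%s hit the TCP client quota %d times within a minute" % (ip, peak))
    if peaks:
        print(blackhole_clause(peaks))
```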

