Re: What are these entries in the log file - query: . IN NS +?
Sorry remembered wrong, it's not free. But not that expensive either.

Yeah now I remember, I browsed for a free firewall for server platform for days, but didn't find any. But have been very happy with the Net Firewall.

Jukka

Tony Toews [MVP] tto...@telusplanet.net wrote in message p3evn4t6r9spme6ardiqbohjvlt99vt...@4ax.com:
> Jukka Pakkanen jukka.pakka...@qnet.fi wrote:
>
>> There are many free third party firewall packages that can be run in Windows 2003 Server, we use the Net Firewall.
>
> Do you have a URL? I found http://www.ntkernel.com/wp.php?id=18 but it's not free.
>
> I'm also going to ask my fellow MVPs as well.
>
> Tony
> --
> Tony Toews, Microsoft Access MVP
> Please respond only in the newsgroups so that others can read the entire thread of messages.
> Microsoft Access Links, Hints, Tips Accounting Systems at http://www.granite.ab.ca/accsmstr.htm
> Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: What are these entries in the log file - query: . IN NS +?
In message fl82o4hqjudbc65bkfk08ilg3lmk4hq...@4ax.com, Tony Toews [MVP] writes:
> Tony Toews [MVP] tto...@telusplanet.net wrote:
>
>> FWIW In the last 28 hours I have the following alleged IP addresses and count in my log file.
>>
>> Real lookups      1665
>> 204.15.80.50         4
>> 3.217.28.226      1144
>> 4.57.246.146      9541
>> 6.9.16.171         577
>> 63.217.28.226     1463
>> 64.57.246.146    35163
>> 65.173.218.96        1
>> 67.192.144.0      1488
>> 7.192.144.0      12054
>> 76.9.16.171       1033
>
> FWIW in the last 26 hours.
>
> Real Lookups      1673
> 0.86.80.98       14051

So who isn't doing even loose URPF? 0/8 is totally bogus and is an attack directed at you.

> 4.57.246.123      4425
> 4.57.246.146     22719
> 6.9.16.171         419
> 64.57.246.123     4885
> 64.57.246.146    25023
> 67.192.144.0       825
> 7.192.144.0        696
> 70.86.80.98       9317
> 76.9.16.171        295
>
> So some have disappeared and new ones added.
>
> Tony

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: mark_andr...@isc.org
Re: What are these entries in the log file - query: . IN NS +?
Tony Toews [MVP] tto...@telusplanet.net wrote in message p2vsn4leohtc8dm4a7m8rt4g6d4kem2...@4ax.com:
> Noel Butler noel.but...@ausics.net wrote:
>
>> Surely windows can block access to an inbound IP request from some IP to local udp port 53 ?
>
> Not the firewall software built into Windows 2003 Server.
>
>> If not, you know what my next reply will be don't you :)
>
> <chuckle> Yeah, well switching to Linux ain't gonna happen. My friend and I have no experience with Linux and no desire to learn it.

There are many free third party firewall packages that can be run in Windows 2003 Server, we use the Net Firewall.
Re: What are these entries in the log file - query: . IN NS +?
On Tue, Jan 27, 2009 at 11:50:51AM +0100, Jan Buchholz 96de...@googlemail.com wrote a message of 38 lines which said:

> I think disable queries at the root-zone for not internal networks is another answer for this problem.

Good practices about this attack (with specific BIND advice) is already there:

https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
Re: What are these entries in the log file - query: . IN NS +?
Hello,

I think disable queries at the root-zone for not internal networks is another answer for this problem.

---
Jan

2009/1/27, Jukka Pakkanen jukka.pakka...@qnet.fi:
> Tony Toews [MVP] tto...@telusplanet.net wrote in message p2vsn4leohtc8dm4a7m8rt4g6d4kem2...@4ax.com:
>> Noel Butler noel.but...@ausics.net wrote:
>>
>>> Surely windows can block access to an inbound IP request from some IP to local udp port 53 ?
>>
>> Not the firewall software built into Windows 2003 Server.
>>
>>> If not, you know what my next reply will be don't you :)
>>
>> <chuckle> Yeah, well switching to Linux ain't gonna happen. My friend and I have no experience with Linux and no desire to learn it.
>
> There are many free third party firewall packages that can be run in Windows 2003 Server, we use the Net Firewall.
Re: What are these entries in the log file - query: . IN NS +?
Tony Toews [MVP] tto...@telusplanet.net wrote:

> 26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
> 26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
> 26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
> 26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +

FWIW In the last 28 hours I have the following alleged IP addresses and count in my log file.

Real lookups      1665
204.15.80.50         4
3.217.28.226      1144
4.57.246.146      9541
6.9.16.171         577
63.217.28.226     1463
64.57.246.146    35163
65.173.218.96        1
67.192.144.0      1488
7.192.144.0      12054
76.9.16.171       1033

Tony
--
Tony Toews, Microsoft Access MVP
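The per-client tally described in the post above, together with the 0/8 sanity check from Mark Andrews's reply earlier on this page, as an added example that is not code from anyone in the thread: it parses the query-log format shown in the posts and counts `. IN NS` queries per logged source. The last three sample lines, the bogon list and the threshold of 2 are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# The first four lines are the ones quoted in the thread. The last three are
# constructed for this example (0.86.80.98 is the 0/8 source from the tally).
SAMPLE_LOG = """\
26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +
26-Jan-2009 14:29:30.100 client 192.0.2.10#40112: query: www.example.com IN A +
26-Jan-2009 14:29:31.250 client 0.86.80.98#5301: query: . IN NS +
this line is not a query log entry
"""

# <date> <time> client <ip>#<port>: query: <qname> <qclass> <qtype> <flags>
QUERY_RE = re.compile(
    r"^\S+ \S+ client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

# Ranges that cannot be a real Internet client. Illustrative, not a full list.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_bogon(ip_text):
    """True if the logged source is unroutable or not an address at all."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in BOGON_NETS)


def tally_root_ns(lines):
    """Return (Counter of root-NS queries per client, other, unparsed)."""
    per_client, other, unparsed = Counter(), 0, 0
    for line in lines:
        m = QUERY_RE.match(line)
        if m is None:
            unparsed += 1
        elif (m["qname"], m["qclass"], m["qtype"]) == (".", "IN", "NS"):
            per_client[m["ip"]] += 1
        else:
            other += 1
    return per_client, other, unparsed


def report(lines, threshold=2):
    """Rows of (client, count, reason) for repeat or impossible sources."""
    # The logged addresses are forged: a row names a likely target, not the sender.
    per_client, other, unparsed = tally_root_ns(lines)
    rows = [(ip, n, "bogon source" if is_bogon(ip) else "repeat root-NS")
            for ip, n in per_client.most_common()
            if n >= threshold or is_bogon(ip)]
    return rows, other, unparsed


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines())[0]:
        print(*row)
```

On a live server, pass an open query-log file object to `report()` in place of `SAMPLE_LOG.splitlines()`.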
Re: What are these entries in the log file - query: . IN NS +?
Jukka Pakkanen jukka.pakka...@qnet.fi wrote:

> There are many free third party firewall packages that can be run in Windows 2003 Server, we use the Net Firewall.

Do you have a URL? I found http://www.ntkernel.com/wp.php?id=18 but it's not free.

I'm also going to ask my fellow MVPs as well.

Tony
--
Tony Toews, Microsoft Access MVP
What are these entries in the log file - query: . IN NS +?
Folks

Warning - I know just enough about Bind to be dangerous. Which is why I'm asking.

I just noticed that our small scale Bind server has a lot of the following lines.

26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +

As far as I can tell from the same 5 or 20 IP addresses. I haven't seen these lines before.

1) What am I doing wrong? If anything.

2) What are they?

Thanks, Tony
--
Tony Toews, Microsoft Access MVP
Re: What are these entries in the log file - query: . IN NS +?
> To: comp-protocols-dns-b...@isc.org
> From: Tony Toews [MVP] tto...@telusplanet.net
> Subject: What are these entries in the log file - query: . IN NS +?
> Date: Mon, 26 Jan 2009 21:45:18 GMT
>
> Folks
>
> Warning - I know just enough about Bind to be dangerous. Which is why I'm asking.
>
> I just noticed that our small scale Bind server has a lot of the following lines.
>
> 26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
> 26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: query: . IN NS +
> 26-Jan-2009 14:29:00.691 client 63.217.28.226#35549: query: . IN NS +
> 26-Jan-2009 14:29:26.332 client 76.9.16.171#19817: query: . IN NS +
>
> As far as I can tell from the same 5 or 20 IP addresses. I haven't seen these lines before.
>
> 1) What am I doing wrong? If anything.

You are doing nothing wrong.

> 2) What are they?

They look like the DDoS being discussed on the NANOG list.

Have you implemented BCP38? If not, why not...

Regards,
Gregory Hicks

Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928

People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance. -- Thomas Jefferson

The best we can hope for concerning the people at large is that they be properly armed. --Alexander Hamilton
Re: What are these entries in the log file - query: . IN NS +?
Gregory Hicks ghi...@hicks-net.net wrote:

>> 2) What are they?
>
> They look like the DDoS being discussed on the NANOG list.
>
> Have you implemented BCP38? If not, why not...

I have no idea what BCP38 is and how I can implement that. Would you be so kind as to supply links relevant to Windows 2003 Server?

Thanks, Tony
--
Tony Toews, Microsoft Access MVP
Re: What are these entries in the log file - query: . IN NS +?
Noel Butler noel.but...@ausics.net wrote:

> This is not your config, so long as you are not answering that's fine.

How do I know I'm not answering those?

> It's a forged request asking you to participate in a DDoS that's been going on since last Wednesday, it's best if you firewall off your replies to those IP's so you don't participate in harming the innocent victims.

I doubt the current firewall, the one built into Windows 2003 Server, is capable of blocking specific IP addresses but I'll check.

Tony
--
Tony Toews, Microsoft Access MVP
Re: What are these entries in the log file - query: . IN NS +?
Hi Tony,

On Tue, 2009-01-27 at 09:35, Tony Toews [MVP] wrote:
> Noel Butler noel.but...@ausics.net wrote:
>
>> This is not your config, so long as you are not answering that's fine.
>
> How do I know I'm not answering those?

Since you're on win, I can't help you, but whatever your packet monitor is, see if you are replying to their requests, even with a REFUSED response.

>> It's a forged request asking you to participate in a DDoS that's been going on since last Wednesday, it's best if you firewall off your replies to those IP's so you don't participate in harming the innocent victims.
>
> I doubt the current firewall, the one built into Windows 2003 Server, is capable of blocking specific IP addresses but I'll check.

In that case maybe on your router? Apply an inbound request from them on port 53 udp only, that way you won't affect real traffic (hopefully). It does seem to have died off dramatically here now.

Cheers
Re: What are these entries in the log file - query: . IN NS +?
In message fvhsn493t2pb75c93nm1s14lkttiu0i...@4ax.com, Tony Toews [MVP] writes:
> Gregory Hicks ghi...@hicks-net.net wrote:
>
>>> 2) What are they?
>>
>> They look like the DDoS being discussed on the NANOG list.
>>
>> Have you implemented BCP38? If not, why not...
>
> I have no idea what BCP38 is and how I can implement that.

http://www.ietf.org/rfc/rfc3704.txt

> Would you be so kind as to supply links relevant to Windows 2003 Server?
>
> Thanks, Tony

--
Mark Andrews, ISC
Re: What are these entries in the log file - query: . IN NS +?
In article gllha9$2ot...@sf1.isc.org, Tony Toews [MVP] tto...@telusplanet.net wrote:

> Gregory Hicks ghi...@hicks-net.net wrote:
>
>>> 2) What are they?
>>
>> They look like the DDoS being discussed on the NANOG list.
>>
>> Have you implemented BCP38? If not, why not...
>
> I have no idea what BCP38 is and how I can implement that. Would you be so kind as to supply links relevant to Windows 2003 Server?

BCP38 is not something you implement, it's something that has to be implemented by the ISPs hosting the attacking systems. They have to block forged source IPs from their customers.

Since there are many ISPs out there that are too lazy, incompetent, or just don't care, we're probably never going to be rid of these kinds of attacks.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: What are these entries in the log file - query: . IN NS +?
In article gllmur$2sh...@sf1.isc.org, Mark Andrews mark_andr...@isc.org wrote:

> In message fvhsn493t2pb75c93nm1s14lkttiu0i...@4ax.com, Tony Toews [MVP] writes:
>> Gregory Hicks ghi...@hicks-net.net wrote:
>>
>>>> 2) What are they?
>>>
>>> They look like the DDoS being discussed on the NANOG list.
>>>
>>> Have you implemented BCP38? If not, why not...
>>
>> I have no idea what BCP38 is and how I can implement that.
>
> http://www.ietf.org/rfc/rfc3704.txt

That's BCP84. But in either case, implementing it doesn't protect you from attacks like this, it only prevents you from being the source of attacks on others.

--
Barry Margolin, bar...@alum.mit.edu
Re: What are these entries in the log file - query: . IN NS +?
In message barmar-3c4a47.20101026012...@mara100-84.onlink.net, Barry Margolin writes:
> In article gllha9$2ot...@sf1.isc.org, Tony Toews [MVP] tto...@telusplanet.net wrote:
>
>> Gregory Hicks ghi...@hicks-net.net wrote:
>>
>>>> 2) What are they?
>>>
>>> They look like the DDoS being discussed on the NANOG list.
>>>
>>> Have you implemented BCP38? If not, why not...
>>
>> I have no idea what BCP38 is and how I can implement that. Would you be so kind as to supply links relevant to Windows 2003 Server?
>
> BCP38 is not something you implement, it's something that has to be implemented by the ISPs hosting the attacking systems. They have to block forged source IPs from their customers.

BCP 38 is something everyone should implement. A site shouldn't allow packets to leave with bogus source addresses. That being said there is no real expectation that home users will be implementing BCP 38 so it falls back to the ISP's implement to catch the bad packets when they reach their network.

> Since there are many ISPs out there that are too lazy, incompetent, or just don't care, we're probably never going to be rid of these kinds of attacks.

Agreed. You can however do your part by choosing ISP/IAP's that deploy BCP 38 over ones that don't. Add it to the selection criteria for an ISP/IAP. Ones that do are probably more clueful overall and you will have less problems in the end.

Mark

--
Mark Andrews, ISC
Re: What are these entries in the log file - query: . IN NS +?
In message ulssn453ohc7rj6lobgkje0g0prvqd3...@4ax.com, Tony Toews [MVP] writes:
> Tony Toews [MVP] tto...@telusplanet.net wrote:
>
>>> How do I know I'm not answering those?
>>
>> Since you're on win, I can't help you, but whatever your packet monitor is, see if you are replying to their requests, even with a REFUSED response.
>
> It looks like the server is replying with a refused statement. The following are the two lines that WireShark captured.
>
> Standard query NS Root
> Standard query response, refused

Good. The attacker is trying to use you as an amplifier and that is not happening. That is all one can reasonably expect.

The next thing you should do is ask your ISP to chase them back to their source and if they are local to the ISP block them by implementing BCP 38 otherwise to pass on the request to the peers they are getting them from.

Mark

--
Mark Andrews, ISC
Re: What are these entries in the log file - query: . IN NS +?
Noel Butler noel.but...@ausics.net wrote:

> Surely windows can block access to an inbound IP request from some IP to local udp port 53 ?

Not the firewall software built into Windows 2003 Server.

> If not, you know what my next reply will be don't you :)

<chuckle> Yeah, well switching to Linux ain't gonna happen. My friend and I have no experience with Linux and no desire to learn it.

Tony
--
Tony Toews, Microsoft Access MVP
Re: What are these entries in the log file - query: . IN NS +?
On Tue, 2009-01-27 at 13:16, Tony Toews [MVP] wrote:
> Noel Butler noel.but...@ausics.net wrote:
>
>> Surely windows can block access to an inbound IP request from some IP to local udp port 53 ?
>
> Not the firewall software built into Windows 2003 Server.

Gawd...

>> If not, you know what my next reply will be don't you :)
>
> <chuckle> Yeah, well switching to Linux ain't gonna happen. My friend and I have no experience with Linux and no desire to learn it.

LOL *whistles innocently*

> Tony
Re: What are these entries in the log file - query: . IN NS +?
Tony Toews [MVP] tto...@telusplanet.net wrote:

> As far as I can tell from the same 5 or 20 IP addresses. I haven't seen these lines before.

When I analyzed today's log I got three IP addresses.

204.15.80.50 might be smtp9.soma.ironport.com
63.217.28.226 might be Network solutions according to the below SlashDot article.
76.9.16.171 is mentioned at http://isc.sans.org/diary.html?storyid=5713

Ah, I think I see what is happening here. Searching at the below article for 63.217.28.226 http://tech.slashdot.org/tech/09/01/24/0113210.shtml shows a reply stating:

"The problem seems to kick in for DNS servers that aren't rejecting the queries. Someone is channeling ye 'ole smurfing methods. They're requesting a list of all DNS root servers. If the server don't reject the query, a 17 byte query becomes a 50k response (or something like that) to the spoofed address."

Tony
--
Tony Toews, Microsoft Access MVP