Re: [SLUG] bind attacks

2008-06-25 Thread Glen Turner

Alex Samad wrote:

> Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
>
> can somebody shed some light on what they think they can gain?

Perhaps it's a DDoS attack seeking to hide its originating IP address.
Probably best to blackhole responses for exterior requests for ".".
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] bind attacks

2008-06-25 Thread Alex Samad
On Wed, Jun 25, 2008 at 10:23:36AM -0500, Tony Sceats wrote:
> without knowing what your bind server is doing and what the name they are
> looking for it's hard to say..

Sorry, my presumption was that this was a norm of some sort.

I have a DNS server that hosts a public/internet-facing domain. Only LAN
clients can make recursive requests.


> 
> eg, is it set up to allow normal DNS queries to only a certain range of
> client IPs? or is it a private DNS server that's authoritative for an
> internal domain that you don't want people external to query?
> 
> This could be as simple as someone's laptop set to use your DNS server and
> they go home and are suddenly coming from an external IP but still using
> your DNS server, so any normal DNS queries are being sent to you first (eg,
> www.google.com)
Nope, well, not set by me at least.

> 
> The log itself looks like it's just after an ordinary A record..
> 
> If you're sure it's an attack it could be someone trying to find names in your
> zone by trying a whole bunch of names à la brute force, but that's pretty

But they are not requesting anything in my domain?

> unlikely imho.. by doing that they might be interested in finding internal
> IP ranges so they can play NAT tricks for firewall rule enumeration or
> perhaps finding the IP of certain functional servers, eg names that indicate
> what kind of network service an IP may be providing - eg, samba.example.com or
> printserver.example.com - something that gives them a new attack vector..
> You could also be participating in a DDoS - because DNS is UDP, forged
> source IPs can be used to start sending DNS replies from a whole bunch of
> DNS servers to a target IP, thus using all the target's bandwidth

Just in case, I drop their addresses at the firewall now :) (only 2,
somewhere in China)

> 
> On Wed, Jun 25, 2008 at 3:28 AM, Alex Samad <[EMAIL PROTECTED]> wrote:
> 
> > Hi
> >
> > I have been seeing these in my logs
> >
> > Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
> > Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
> > Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
> > Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
> >
> >
> > I can understand 1 / day or maybe / hour, but I have a couple of pages
> > full inside an hour.
> >
> > can somebody shed some light on what they think they can gain ?
> >
> >
> >
> >
> >
> 

-- 
"See, the irony is that what they need to do is get Syria to get Hezbollah to 
stop doing this shit, and it's over."

- George W. Bush
06/16/2006
St. Petersburg, Russia
to Tony Blair at the G8 summit



Re: [SLUG] bind attacks

2008-06-25 Thread Tony Sceats
without knowing what your bind server is doing and what the name they are
looking for it's hard to say..

eg, is it set up to allow normal DNS queries to only a certain range of
client IPs? or is it a private DNS server that's authoritative for an
internal domain that you don't want people external to query?

This could be as simple as someone's laptop set to use your DNS server and
they go home and are suddenly coming from an external IP but still using
your DNS server, so any normal DNS queries are being sent to you first (eg,
www.google.com)

The log itself looks like it's just after an ordinary A record..

If you're sure it's an attack it could be someone trying to find names in your
zone by trying a whole bunch of names à la brute force, but that's pretty
unlikely imho.. by doing that they might be interested in finding internal
IP ranges so they can play NAT tricks for firewall rule enumeration or
perhaps finding the IP of certain functional servers, eg names that indicate
what kind of network service an IP may be providing - eg, samba.example.com or
printserver.example.com - something that gives them a new attack vector..
You could also be participating in a DDoS - because DNS is UDP, forged
source IPs can be used to start sending DNS replies from a whole bunch of
DNS servers to a target IP, thus using all the target's bandwidth

On Wed, Jun 25, 2008 at 3:28 AM, Alex Samad <[EMAIL PROTECTED]> wrote:

> Hi
>
> I have been seeing these in my logs
>
> Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
> Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
> Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
> Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
>
>
> I can understand 1 / day or maybe / hour, but I have a couple of pages
> full inside an hour.
>
> can somebody shed some light on what they think they can gain ?
>
>
>
>
>
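An added example, not code from any of the posters: a small Python script that parses BIND's `query (cache) ... denied` log lines (the archive wrapped them after `query`; they are re-joined here), groups them per client, and flags clients whose denied queries for `.` reach a threshold inside a sliding window. That separates a sustained burst like the one Alex saw from the stray home laptop Tony mentions, which asks for an ordinary name once or twice. The sample log mixes the four lines from the thread with constructed lines using RFC 5737 documentation addresses; the one-line log layout, the threshold and the window length are assumptions.

```python
"""Per-client rate check for BIND "query (cache) ... denied" log lines.

Added example for this thread, not code from any poster.  It assumes the
BIND 9 syslog layout seen in the thread (timestamp, host, named[pid],
client ip#port, "query (cache) 'NAME/TYPE/CLASS' denied") on one line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One denied-query line.  The "(cache)" marker means the query was refused by
# the cache/recursion ACL rather than by an authoritative zone's ACL.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \((?P<kind>\w+)\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/"
    r"(?P<qclass>[A-Z]+)' denied$"
)

# Constructed sample: the four lines from the thread (re-joined onto one line
# each) plus constructed lines using RFC 5737 documentation addresses, and one
# non-matching line to show the parser skipping it.
SAMPLE_LOG = """\
Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied
Jun 25 15:21:02 hufpuf named[3574]: client 203.0.113.5#51234: query (cache) 'www.example.com/A/IN' denied
Jun 25 15:22:10 hufpuf named[3574]: client 198.51.100.7#40001: query (cache) './A/IN' denied
Jun 25 15:22:11 hufpuf named[3574]: running
"""


def parse_line(line):
    """Return the fields of one denied-query line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for relative arithmetic within one log file (no Feb 29 in the sample).
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def denied_by_client(lines, qname=None):
    """Map client IP -> list of denial timestamps, optionally for one qname only."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if qname is not None and rec["qname"] != qname:
            continue
        per_ip[rec["ip"]].append(rec["time"])
    return per_ip


def peak_rate(times, window):
    """Largest number of events falling inside any sliding window of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_clients(lines, threshold, window=timedelta(hours=1), qname="."):
    """Return {ip: peak_count} for clients whose denied queries for `qname`
    reach `threshold` within any `window`."""
    flagged = {}
    for ip, times in denied_by_client(lines, qname).items():
        peak = peak_rate(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    # Threshold of 2 per hour is a constructed value for the sample; a real
    # deployment would pick it from the server's normal refusal rate.
    for ip, peak in sorted(flag_clients(SAMPLE_LOG.splitlines(), 2).items()):
        print(f"{ip}: {peak} denied root queries within one hour")
```

Running it lists `59.151.50.247` and `59.151.50.248`, each with two denied root queries in the window, while `198.51.100.7` (one query) and `203.0.113.5` (an ordinary name, the laptop case) are left alone. The flagged list is what you would feed into a firewall drop rule, as Alex did, or into a response-rate limit if your BIND version supports one.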


[SLUG] bind attacks

2008-06-25 Thread Alex Samad
Hi

I have been seeing these in my logs

Jun 25 15:19:45 hufpuf named[3574]: client 59.151.50.248#64821: query (cache) './A/IN' denied
Jun 25 15:19:48 hufpuf named[3574]: client 59.151.50.247#63595: query (cache) './A/IN' denied
Jun 25 15:20:25 hufpuf named[3574]: client 59.151.50.248#10848: query (cache) './A/IN' denied
Jun 25 15:20:28 hufpuf named[3574]: client 59.151.50.247#9753: query (cache) './A/IN' denied


I can understand 1 / day or maybe / hour, but I have a couple of pages
full inside an hour.

can somebody shed some light on what they think they can gain ?




