Re: 3,000+ DNS /./ANY/ANY requests - ...resent...

2004-02-15 Thread Matthew Seaman
On Sat, Feb 14, 2004 at 09:03:14PM -0700, fbsdq wrote:
> Sorry about the earlier question, that was more or less just blank 
> 
> Hello,
>  About a week ago I started noticing 3,000 or more requests coming from
> several IPs for the following DNS queries:
> XX+/128.255.203.200/./ANY/ANY
> XX+/193.201.105.4/./ANY/ANY
> 
>  Those are just two examples, but each IP (I have about 20 of them now)
> creates 3,000 or more queries within several minutes.  All the queries are
> exactly the same for ./ANY/ANY.  Any idea what those queries are, or what
> they are trying to do?

Curious.  Are those IPs taken literally from your log files?  One of
them belongs to the University of Iowa and the other belongs to
Millenium Communications S.A. in Poland.  Seems that some arbitrary
collection of machines is trying to do arbitrary lookups on your DNS
servers.

Have you configured your nameservers so that they will refuse to do
recursive queries for strangers?  There are various cache poisoning
tricks that can be done if your DNS server is both recursive and
authoritative for your own domains.  There are some good pages about how to
secure various versions of BIND at

http://www.boran.com/security/sp/bind_hardening8.html
http://www.boran.com/security/sp/bind9_20010430.html

Those are aimed mainly at Solaris users, so there are whole sections
about how to compile which you can just skip over. The 'take home'
point is how to use the 'allow-query', 'allow-transfer' and
'allow-recursion' configuration directives correctly.

>  Also how can I create an 'ipfw' rule to block an IP if XX amount of
> connections come in within XX amount of minutes/seconds?  Right now I
> manually block them, and yes those IPs try a day or so later to DNS bomb
> (?) my machine.

I think my approach to this would be to write a script that trawls
through /var/log/security or your DNS server logs picking out the
malefactors and then writes and inserts appropriate IPFW rules --
probably on an hourly basis.  Clever use of ipfw's 'set N' syntax will
make mixing these machine-generated rules in with your other rules
much easier to administer.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   26 The Paddocks
                                                  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey     Marlow
Tel: +44 1628 476614                              Bucks., SL7 1TH UK



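The log-trawling script Matthew sketches above, written out as an added example (this is not code from either poster, and the threshold, the set number and the rule numbering base are assumptions chosen for illustration). It counts the clients in a simplified, constructed BIND-style query log that ask for `. IN ANY`, and for every client at or above the threshold it prints an `ipfw add` command placed in a dedicated rule set, so the generated rules stay separate from hand-written ones.

```shell
#!/bin/sh
# Constructed, simplified BIND-style query log lines (not from the original
# post).  Real logs carry more fields; only "client IP#port:" and the
# "query: NAME IN TYPE" part are used here.
SAMPLE_LOG='client 128.255.203.200#1234: query: . IN ANY
client 128.255.203.200#1235: query: . IN ANY
client 128.255.203.200#1236: query: . IN ANY
client 192.0.2.7#5353: query: example.org IN A
client 193.201.105.4#4000: query: . IN ANY
client 193.201.105.4#4001: query: . IN ANY'

THRESHOLD=3    # hypothetical: block a client once it sends this many "./ANY" queries
IPFW_SET=20    # hypothetical: rule set reserved for machine-generated rules
RULE_BASE=10000  # hypothetical: first rule number handed out to generated rules

# offenders LOGTEXT
# Print one IP per line for every client whose ". IN ANY" query count
# reaches THRESHOLD.  Only the root-zone ANY queries are counted; ordinary
# lookups (like the A query for example.org) are ignored.
offenders() {
    printf '%s\n' "$1" \
      | awk -v thr="$THRESHOLD" '
          /query: \. IN ANY/ {
              # field 2 looks like "128.255.203.200#1234:"; keep the address
              split($2, a, "#"); n[a[1]]++
          }
          END { for (ip in n) if (n[ip] >= thr) print ip }' \
      | sort
}

# generate_rules LOGTEXT
# Emit one ipfw command per offender, numbered from RULE_BASE upward and
# tagged with the dedicated set so they can be disabled or deleted as a group.
generate_rules() {
    i=$RULE_BASE
    for ip in $(offenders "$1"); do
        echo "ipfw add $i set $IPFW_SET deny ip from $ip to any"
        i=$((i + 1))
    done
}

# Dry run: print the rules instead of applying them.  In a cron job the
# output would be piped to sh (or written to a file and loaded) instead.
generate_rules "$SAMPLE_LOG"
```

Run from cron against the last hour of log output to get the hourly cadence suggested above; with the sample input only 128.255.203.200 crosses the threshold, since 193.201.105.4 has just two matching lines. Because every generated rule carries `set 20`, the whole batch can be dropped with `ipfw delete set 20` before the next run writes a fresh set, and hand-written rules in other sets are never touched.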

3,000+ DNS /./ANY/ANY requests - ...resent...

2004-02-14 Thread fbsdq
Sorry about the earlier question, that was more or less just blank 

Hello,
 About a week ago I started noticing 3,000 or more requests coming from
several IPs for the following DNS queries:
XX+/128.255.203.200/./ANY/ANY
XX+/193.201.105.4/./ANY/ANY

 Those are just two examples, but each IP (I have about 20 of them now)
creates 3,000 or more queries within several minutes.  All the queries are
exactly the same for ./ANY/ANY.  Any idea what those queries are, or what
they are trying to do?
 Also how can I create an 'ipfw' rule to block an IP if XX amount of
connections come in within XX amount of minutes/seconds?  Right now I
manually block them, and yes those IPs try a day or so later to DNS bomb
(?) my machine.

Thanks 

---Peter---
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"