Deflecting Bogus Queries -- Machine Under Attack, PLEASE HELP.

This is a discussion in the Bind Users forums, part of the DNS and Related Forums category.



08-05-2004
Dan Mahoney

I'm presently dealing with a DNS server that's under attack, and is
being made to spew out DNS responses all over the internet, hundreds,
maybe thousands a second.

I cannot trace the source IP to log it or ban it because it's
obviously forged, and there's enough DNS traffic on the wire that it's
suitably masked.

I'd like to know if I can just somehow set bind to DROP all queries
for the domain in question. No response, no nothing, just silently
ignore them. It won't make the attack stop, but at least it'll stop
me from being used as a reflector.

These domains don't even exist. I thought about redirecting an NS
record for these subdomains elsewhere, but it wouldn't really matter
since I think the attack is ignoring true DNS.

Here's a quick log:

Jul 30 19:36:18 cp named[6408]: client 24.158.63.9#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.152.37.254#42256: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 66.215.64.14#54971: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 216.158.48.2#1041: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 24.25.35.64#48487: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 205.188.118.92#33518: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 206.13.30.27#9904: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 167.206.3.232#32772: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 216.68.4.20#3408: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 209.244.4.171#32776: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 67.32.118.46#32819: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.82.0.5#32770: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.39.224.5#44247: query: spaz.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 68.46.144.5#34740: query: spasm.elephaunt.org IN A

Replies to this address are appreciated, although I will of course
check the group. danm at ezzi dot net is also useful.
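
Added example (not part of the original post): a Python script that parses `named` query-log entries in the format shown in the post, rejoins entries that were wrapped after `query:`, and reports each name whose query count in a one-second bucket reaches a threshold, together with the number of distinct claimed source addresses. The sample lines are constructed (documentation-range IPs), and the function names and the `min_qps` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log format (documentation-range IPs, two entries wrapped).
SAMPLE = """\
Jul 30 19:36:18 cp named[6408]: client 192.0.2.10#32770: query:
spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 192.0.2.11#1041: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 192.0.2.12#53: query:
spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 192.0.2.12#53: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 198.51.100.7#9904: query: spasm.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 192.0.2.10#32770: query: SPASM.elephaunt.org IN A
Jul 30 19:36:18 cp named[6408]: client 203.0.113.5#4000: query: www.example.org IN A
Jul 30 19:36:19 cp named[6408]: client 203.0.113.5#4001: query: spasm.elephaunt.org IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\snamed\[\d+\]:\s"
    r"client\s(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):\s"
    r"query:\s(?P<qname>\S+)\s(?P<qclass>\S+)\s(?P<qtype>\S+)"
)

def unwrap(lines):
    """Rejoin entries that a mail/news client wrapped after 'query:'."""
    out = []
    for line in filter(None, map(str.strip, lines)):
        if out and out[-1].endswith("query:"):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def summarize(lines):
    """Map (timestamp, qname) -> [query count, set of claimed client IPs]."""
    stats = defaultdict(lambda: [0, set()])
    for line in unwrap(lines):
        m = LINE_RE.match(line)
        if m:  # skip anything that is not a query-log entry
            entry = stats[(m["ts"], m["qname"].lower().rstrip("."))]
            entry[0] += 1
            entry[1].add(m["ip"])
    return stats

def flag(stats, min_qps=5):
    """Return (qname, second, queries, distinct claimed IPs) at or above min_qps."""
    return sorted((q, ts, n, len(ips)) for (ts, q), (n, ips) in stats.items() if n >= min_qps)

if __name__ == "__main__":
    print(flag(summarize(SAMPLE.splitlines())))
```

Because the source addresses in a reflection attack are forged, the distinct-IP count describes the victims being targeted rather than the sender; the per-name rate is the more useful signal.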
