Date: Wed, 07 Jun 2000 09:10:29 -0400
From: Bob Johnson <bob@eng.ufl.edu>
To: ejsilver49@hotmail.com
Cc: questions@freebsd.org
Subject: Re: DNS DOS attack? Probably not....
Message-ID: <393E49C5.8F4A3745@eng.ufl.edu>
> Date: Tue, 06 Jun 2000 15:07:49 EDT
> From: "first name" <ejsilver49@hotmail.com>
> Subject: DNS DOS attack? Probably not....
>
> I run a DNS server for a small ISP. In the middle of the night, our DNS
> server gets repeated requests for lookups from a small number of users. One
> user might generate 100 to 150 DNS requests each minute. Others might send
> 50 to 75 requests per minute.
>
> There is a core group that does this every night. And an equal number of
> people send the repeated DNS requests off and on. Most are forward lookups,
> but about 25% are reverse lookups.
>
> Any idea what the hell they are doing? DOS? Cracking? Trying to keep the
> connection nailed up? Why would any program need to do 100 DNS lookups in a
> minute? Could I have set up something wrong? Can't imagine what.

I'd guess that some of it is someone sending mail to a large list, delivering
directly to the destination mail host rather than to the ISP's SMTP host. I
suppose that could even explain the reverse lookups, although I'm not really
comfortable with that claim. If they get a delivery error message mailed back
to them, and they are using sendmail, their system would do a reverse lookup
on the incoming connection. I don't like this as an explanation though,
because it has other problems.

There are a lot of other things they could be doing. They could have an
automated web browser collecting information for them so that it is ready
when they get up the next day.

They could be hacking, running scans on various subnets (e.g. using nmap).
I'd expect this to be true in at least some of the cases, and probably
explains the reverse lookups. The ISP's contract with its users should allow
them to terminate the contract in those cases. Do the lookups, by any chance,
come in blocks of 254?

Perhaps you or the ISP could use a monitoring tool such as snort (or look
over some logs somewhere) and find out what ports these people are connecting
to after they do the lookups. That would tell you what they are up to.

--
Bob

To Unsubscribe: send mail to majordomo@FreeBSD.org with
"unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?393E49C5.8F4A3745>
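The thread suggests two checks a resolver operator can run over their own query log before looking at packet captures: how many queries each client sends per minute, what share of them are reverse (PTR / in-addr.arpa) lookups, and whether the reverse lookups cover a whole /24 (Bob's "blocks of 254"). The script below is an added example written for this page; it is not code from the thread or from any FreeBSD or BIND project. It assumes a simplified BIND-9-style query log line format and uses constructed sample log lines (not real traffic) that reproduce the patterns described in the original question: one client doing bulk forward lookups and another walking every address in a /24 with PTR queries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (simplified, BIND-9-style) query log line, e.g.:
#   "07-Jun-2000 02:14:03.001 client 10.1.2.3#1043: query: host.example.com IN A"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return {"minute": ts.replace(second=0), "client": m.group("client"),
            "name": m.group("name").lower(), "qtype": m.group("qtype").upper()}


def is_reverse(rec):
    """A reverse lookup is a PTR query or any name under in-addr.arpa."""
    return rec["qtype"] == "PTR" or rec["name"].endswith(".in-addr.arpa")


def summarize(lines, per_minute_threshold=100):
    """Per-client stats: peak queries/minute, reverse fraction, and any /24 for
    which the client asked for 254 distinct PTR names (a full subnet walk)."""
    per_min = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    reverse = defaultdict(int)
    ptr_hosts = defaultdict(lambda: defaultdict(set))  # client -> /24 -> last octets seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the whole run
        c = rec["client"]
        per_min[c][rec["minute"]] += 1
        total[c] += 1
        if is_reverse(rec):
            reverse[c] += 1
            labels = rec["name"].rstrip(".").split(".")
            # PTR name d.c.b.a.in-addr.arpa maps to the /24 a.b.c.0/24
            if len(labels) == 6 and labels[-2:] == ["in-addr", "arpa"]:
                d, cc, b, a = labels[:4]
                ptr_hosts[c][f"{a}.{b}.{cc}.0/24"].add(d)
    report = {}
    for c in total:
        peak = max(per_min[c].values())
        swept = [net for net, hosts in ptr_hosts[c].items() if len(hosts) >= 254]
        report[c] = {
            "total": total[c],
            "peak_per_minute": peak,
            "reverse_fraction": round(reverse[c] / total[c], 2),
            "swept_subnets": sorted(swept),
            "flag": peak >= per_minute_threshold or bool(swept),
        }
    return report


def sample_log():
    """Constructed sample log lines (not real data) mirroring the thread's patterns."""
    lines = []
    # 10.1.2.3: 120 MX lookups in a single minute, as bulk mail delivered directly would cause
    for i in range(120):
        lines.append(f"07-Jun-2000 02:14:{i % 60:02d}.000 client 10.1.2.3#1043: "
                     f"query: host{i}.example.net IN MX")
    # 10.1.2.4: a PTR lookup for every address in 192.0.2.0/24, spread over two minutes
    for i in range(1, 255):
        minute = 15 + (i - 1) // 127
        lines.append(f"07-Jun-2000 02:{minute:02d}:{i % 60:02d}.000 client 10.1.2.4#2001: "
                     f"query: {i}.2.0.192.in-addr.arpa IN PTR")
    # 10.1.2.5: a handful of ordinary forward lookups
    for i in range(5):
        lines.append(f"07-Jun-2000 02:16:{i * 10:02d}.000 client 10.1.2.5#3010: "
                     f"query: www{i}.example.org IN A")
    lines.append("this line is deliberately malformed and is skipped")
    return lines


if __name__ == "__main__":
    for client, stats in sorted(summarize(sample_log()).items()):
        print(client, stats)
```

With the constructed data, 10.1.2.3 is flagged purely on rate (120 queries in one minute, no reverse lookups), while 10.1.2.4 is flagged both on rate and because its 254 PTR names cover all of 192.0.2.0/24; 10.1.2.5 stays unflagged. Feeding the real query log through `summarize` gives the operator the client list to take to the packet-level check Bob suggests.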