Date: Sun, 15 Feb 2004 12:41:14 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: fbsdq <fbsdq@kuyarov.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: 3,000+ DNS /./ANY/ANY requests - ...resent...
Message-ID: <20040215124114.GA9482@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <200402150403.i1F43E9s003486@saexchange.toneisp.com>
References: <200402150403.i1F43E9s003486@saexchange.toneisp.com>
On Sat, Feb 14, 2004 at 09:03:14PM -0700, fbsdq wrote:
> Sorry about the earlier question, that was more or less just blank...
>
> Hello,
> About a week ago I started noticing 3,000 or more requests coming from several IPs for the following DNS queries:
> XX+/128.255.203.200/./ANY/ANY
> XX+/193.201.105.4/./ANY/ANY
>
> Those are just two examples, but each IP - I have about 20 of them now - creates 3,000 or more queries within several minutes. All the queries are exactly the same for ./ANY/ANY... any idea what those queries are? Or what they are trying to do?

Curious. Are those IPs taken literally from your log files? One of them belongs to the University of Iowa and the other belongs to Millenium Communications S.A. in Poland. Seems that some arbitrary collection of machines is trying to do arbitrary lookups on your DNS servers.

Have you configured your nameservers so that they will refuse to do recursive queries for strangers? There are various cache poisoning tricks that can be done if your DNS server is both recursive and authoritative for your own domains. There are some good pages about how to secure various versions of BIND at

http://www.boran.com/security/sp/bind_hardening8.html
http://www.boran.com/security/sp/bind9_20010430.html

Those are aimed mainly at Solaris users, so there are whole sections about how to compile which you can just skip over. The 'take home' point is how to use the 'allow-query', 'allow-transfer' and 'allow-recursion' configuration directives correctly.

> Also how can I create an 'ipfw' rule to block an IP if XX amount of connections come in within XX amount of minutes/seconds? Right now I manually block them, and yes those IPs try a day or so later to DNS bomb (?) my machine.

I think my approach to this would be to write a script that trawls through /var/log/security or your DNS server logs picking out the malefactors and then writes and inserts appropriate IPFW rules -- probably on an hourly basis. Clever use of ipfw's 'set N' syntax will make administering these machine-generated rules mixed in with your other rules much easier.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH, UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
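One way to build the log-trawling script Matthew describes, as an added example that is not part of the thread and not Matthew's own code: it counts root ANY/ANY queries per client in BIND 8 style query-log lines, and prints (rather than applies) the ipfw commands that would put each over-threshold source into its own rule set. The set number 30, rule base 30000, and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise BIND 8 style
# query-log lines ("XX+/<client-ip>/<name>/<class>/<type>", optionally
# prefixed by a syslog timestamp) and print the ipfw commands that would
# block sources sending at least a threshold of root ANY/ANY queries.
# Nothing is applied to the firewall; review the output first, then pipe
# it to sh from a cron job once you trust it.

IPFW_SET=30       # ipfw rule set reserved for generated rules (assumption)
RULE_BASE=30000   # first rule number used inside that set (assumption)

# offenders <logfile> <threshold>: print "count ip" for each client that
# sent at least <threshold> queries for ./ANY/ANY, busiest first.
offenders() {
    grep '/\./ANY/ANY$' "$1" \
      | awk -F/ -v t="$2" '
          { n[$2]++ }
          END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' \
      | sort -rn
}

# ipfw_rules <logfile> <threshold>: emit a fresh copy of the generated set.
# Flushing the set first keeps rerunning the script from piling up rules;
# because every generated rule carries "set $IPFW_SET", hand-written rules
# in other sets are untouched.
ipfw_rules() {
    echo "ipfw delete set $IPFW_SET"
    rule=$RULE_BASE
    offenders "$1" "$2" | while read -r count ip; do
        echo "ipfw add $rule set $IPFW_SET deny udp from $ip to me 53"
        rule=$((rule + 1))
    done
}

# Constructed sample log in the format quoted in the thread; in real use
# point the script at /var/log/messages or named's query log instead.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 14 21:03:14 ns1 named[211]: XX+/128.255.203.200/./ANY/ANY
Feb 14 21:03:14 ns1 named[211]: XX+/128.255.203.200/./ANY/ANY
Feb 14 21:03:15 ns1 named[211]: XX+/128.255.203.200/./ANY/ANY
Feb 14 21:03:15 ns1 named[211]: XX+/128.255.203.200/./ANY/ANY
Feb 14 21:03:16 ns1 named[211]: XX+/193.201.105.4/./ANY/ANY
Feb 14 21:03:16 ns1 named[211]: XX+/193.201.105.4/./ANY/ANY
Feb 14 21:03:17 ns1 named[211]: XX+/192.0.2.7/www.example.com/IN/A
EOF

# Threshold of 3 for the sample; the thread's real-world figure is 3,000.
ipfw_rules "$SAMPLE_LOG" 3
```

Running it hourly from cron and piping the output to sh replaces the whole generated set each time, so a source that stops misbehaving drops out of the rules on the next run without any manual cleanup.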