Date:      Sun, 15 Feb 2004 12:41:14 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        fbsdq <fbsdq@kuyarov.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: 3,000+ DNS /./ANY/ANY requests - ...resent...
Message-ID:  <20040215124114.GA9482@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <200402150403.i1F43E9s003486@saexchange.toneisp.com>
References:  <200402150403.i1F43E9s003486@saexchange.toneisp.com>



On Sat, Feb 14, 2004 at 09:03:14PM -0700, fbsdq wrote:
> Sorry about the earlier question, that was more or less just blank....
> 
> Hello,
>  About a week ago I started noticing 3,000 or more requests coming from
> several ips for the following DNS queries:
>     XX+/128.255.203.200/./ANY/ANY
>     XX+/193.201.105.4/./ANY/ANY
> 
>  Those are just two examples, but each IP - I have about 20 of them now
> create 3,000 or more queries within several minutes.  All the queries are
> exactly the same for ./ANY/ANY.....any idea what those queries are? or what
> they are trying to do?

Curious.  Are those IPs taken literally from your log files?  One of
them belongs to the University of Iowa and the other belongs to
Millenium Communications S.A. in Poland.  Seems that some arbitrary
collection of machines are trying to do arbitrary lookups on your DNS
servers.

Have you configured your nameservers so that they will refuse to do
recursive queries for strangers?  There's various cache poisoning
tricks that can be done if your DNS server is both recursive and
authoritative for your own domains.  There's some good pages about how to
secure various versions of BIND at

    http://www.boran.com/security/sp/bind_hardening8.html
    http://www.boran.com/security/sp/bind9_20010430.html

Those are aimed mainly at Solaris users, so there's whole sections
about how to compile which you can just skip over. The 'take home'
point is how to use the 'allow-query', 'allow-transfer' and
'allow-recursion' configuration directives correctly.

>  Also how can I create an 'ipfw' rule to block an ip if XX amount of
> connections come in within XX amount of minutes/seconds??  Right now I
> manually block them, and yes those IP's try a day or so later to DNS bomb
> (?) my machine.

I think my approach to this would be to write a script that trawls
through /var/log/security or your DNS server logs picking out the
malefactors and then writes and inserts appropriate IPFW rules --
probably on an hourly basis.  Clever use of ipfw's 'set N' syntax will
make administering these machine-generated rules, mixed in with your
other rules, much easier.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
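The log-trawling script Matthew sketches above, written out as an added example (it is not code from the thread or from any FreeBSD project). It assumes the query-log lines look like the ones the original poster quoted, "XX+/<client-ip>/./ANY/ANY", optionally behind a syslog prefix; the threshold (3), the ipfw set number (20) and the starting rule number (1000) are arbitrary choices for the example, and the sample log is constructed. The script only prints the ipfw commands; an hourly cron job would run "ipfw delete set 20" and then pipe this output into sh, which is what the 'set N' trick buys you: the generated rules can be replaced as a batch without touching hand-written rules in other sets.

```shell
#!/bin/sh
# Added example: count ./ANY/ANY queries per client in BIND query-log lines of
# the form "XX+/<client-ip>/<name>/<class>/<type>" and emit ipfw rules for the
# worst offenders into a dedicated rule set.

# Constructed sample log. Two lines carry a syslog prefix, as they would in
# /var/log/messages; the rest are bare, as in the poster's mail. The last three
# lines are deliberately malformed: a bad client field must never become a rule.
SAMPLE_LOG='XX+/128.255.203.200/./ANY/ANY
Feb 14 20:59:01 ns1 named[212]: XX+/128.255.203.200/./ANY/ANY
XX+/128.255.203.200/./ANY/ANY
XX+/128.255.203.200/./ANY/ANY
XX+/193.201.105.4/./ANY/ANY
XX+/193.201.105.4/./ANY/ANY
Feb 14 20:59:02 ns1 named[212]: XX+/193.201.105.4/./ANY/ANY
XX+/192.0.2.7/./ANY/ANY
XX+/192.0.2.7/www.example.com/IN/A
XX /192.0.2.7/example.com/IN/MX
XX+/not-an-address/./ANY/ANY
XX+/not-an-address/./ANY/ANY
XX+/not-an-address/./ANY/ANY'

# find_offenders THRESHOLD: read log lines on stdin and print, sorted and once
# each, every client IP that sent at least THRESHOLD queries for ./ANY/ANY.
find_offenders() {
    awk -F/ -v thr="$1" '
        # after splitting on "/": $2 = client, $3 = name, $4 = class, $5 = type
        $3 == "." && $4 == "ANY" && $5 == "ANY" &&
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { count[$2]++ }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    ' | sort
}

# render_rules SET BASE: read offender IPs on stdin and print one "ipfw add"
# command per IP, numbered upward from BASE and placed in set SET so that the
# whole batch can be dropped with "ipfw delete set SET" before the next run.
# Blocking all traffic from the offender mirrors what the poster does by hand.
render_rules() {
    set_no="$1"
    n="$2"
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "ipfw add $n set $set_no deny ip from $ip to me"
        n=$((n + 1))
    done
}

# Stand-alone run over the constructed sample. Set 31 is reserved by ipfw for
# the default rule, so the example uses set 20 (assumed free on this host).
printf '%s\n' "$SAMPLE_LOG" | find_offenders 3 | render_rules 20 1000
```

In production the pipeline would read the real log instead of SAMPLE_LOG, and the only addition a careful admin would make is to keep the rule numbers below the hand-written rules that allow legitimate resolver traffic, so the generated denies are evaluated first.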
