HOW GEEK!

geek notes for advice seekers

New DDoS attacks exploit recursive DNS Servers

Looks like some people are exploiting recursive DNS servers to conduct DDoS attacks.

How? Simple: the attacker sends DNS requests with a spoofed source address so that they appear to come from the victim host. They usually ask for "." (the root zone, because its NS answer is long) or for some specific domain. If the DNS server is badly configured (it answers recursive queries from anyone), it sends the full, much larger answer back to the victim. Here is what I got in my server logs:

Jan 22 19:24:22 *************** named[27457]: client 66.230.128.15#17247: query (cache) './NS/IN' denied
Jan 22 19:24:24 *************** named[27457]: client 66.230.160.1#31622: query (cache) './NS/IN' denied
Jan 22 19:24:24 *************** named[27457]: client 66.230.128.15#60407: query (cache) './NS/IN' denied
Jan 22 19:24:24 *************** named[27457]: client 66.230.160.1#57967: query (cache) './NS/IN' denied
Jan 22 19:24:26 *************** named[27457]: client 66.230.160.1#40365: query (cache) './NS/IN' denied
Jan 22 19:24:26 *************** named[27457]: client 66.230.160.1#13640: query (cache) './NS/IN' denied

The victims in this case were the isprime.com NS servers: the "client" addresses in the log are the spoofed source, i.e. the hosts the answers would have been reflected at.
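A small log-triage script for lines of the kind shown above, added here as an example (it is not from the original post). It parses BIND "query (cache) ... denied" lines, keeps only root-zone NS queries, and counts them per "client" address. Since the source address is spoofed, the addresses it reports are candidate reflection victims, not attackers. The hostname ns1 and the last log line (a 192.0.2.10 client asking for example.com) are constructed sample data; the other lines mirror the ones in the post.

```python
import re
from collections import Counter

# Constructed sample input: six lines in the shape of the post's log excerpt
# (hostname replaced by "ns1") plus one constructed non-root query for contrast.
SAMPLE_LOG = """\
Jan 22 19:24:22 ns1 named[27457]: client 66.230.128.15#17247: query (cache) './NS/IN' denied
Jan 22 19:24:24 ns1 named[27457]: client 66.230.160.1#31622: query (cache) './NS/IN' denied
Jan 22 19:24:24 ns1 named[27457]: client 66.230.128.15#60407: query (cache) './NS/IN' denied
Jan 22 19:24:24 ns1 named[27457]: client 66.230.160.1#57967: query (cache) './NS/IN' denied
Jan 22 19:24:26 ns1 named[27457]: client 66.230.160.1#40365: query (cache) './NS/IN' denied
Jan 22 19:24:26 ns1 named[27457]: client 66.230.160.1#13640: query (cache) './NS/IN' denied
Jan 22 19:24:27 ns1 named[27457]: client 192.0.2.10#53001: query (cache) 'example.com/A/IN' denied
"""

# BIND logs denied queries as: client <ip>#<port>: query (cache) '<qname>/<qtype>/<qclass>' denied
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/]*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_denied_queries(log_text):
    """Yield (client_ip, qname, qtype) for every denied recursive query in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")


def reflection_victims(log_text, threshold=2):
    """Count denied root-zone NS queries per 'client' address.

    The source address of these queries is forged, so each address counted here
    is a likely *victim* the answers were meant to be reflected at. Returns
    {ip: count} for addresses seen at least `threshold` times.
    """
    counts = Counter(
        ip
        for ip, qname, qtype in parse_denied_queries(log_text)
        if qname == "." and qtype == "NS"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(reflection_victims(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} denied './NS/IN' queries (probable reflection target)")
```

Run it against a real named log by replacing SAMPLE_LOG with the file contents; the "denied" in every line already tells you this server refused to recurse, so the worthwhile follow-up is notifying the owners of the reported addresses rather than blocking them.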

Today all the Network Solutions DNS servers are very slow; it is possible that they are now the targets of those attacks.

http://blog.networksolutions.com/2009/potential-latency-on-network-solutions-dns/

http://isc.sans.org/diary.html?storyid=5713

UPDATE:

If you also want to get rid of this annoying stuff in your logs, do:

iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"

This will drop exactly those NS-for-root requests (one question, QNAME ".", type NS, class IN) before named ever sees them. If you get an error doing this, it's because you don't have xt_u32 loaded or compiled into your kernel. Try:

modprobe xt_u32

If that also fails, compile a recent 2.6 kernel and be sure to enable "u32" match support; in menuconfig it is under:

networking support -> networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration
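To make the u32 expression above less opaque, here is a Python rendering of the same byte-offset checks, added as an illustration (it is not part of the original post and does not touch iptables). It builds a minimal IPv4/UDP/DNS query packet (constructed test input; checksums are left at zero because the u32 match never reads them) and then applies the three terms of the rule exactly as xt_u32 evaluates them: load the first 32-bit word, extract the IP header length with >>22&0x3C, jump past the header with @, and compare QDCOUNT, the first QNAME byte and the QTYPE/QCLASS word.

```python
import struct


def build_ipv4_udp_dns_query(qname, qtype, qclass=1, src="192.0.2.1", dst="198.51.100.53"):
    """Constructed IPv4+UDP+DNS query packet for testing the match.

    Checksums are zero (not computed): the u32 expression never inspects them.
    """
    # DNS header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    # QNAME as length-prefixed labels; the root "." is just the terminating zero byte
    for label in [l for l in qname.strip(".").split(".") if l]:
        dns += bytes([len(label)]) + label.encode()
    dns += b"\x00" + struct.pack("!HH", qtype, qclass)
    # UDP header: src port, dst port 53, length, checksum
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    # IPv4 header with IHL=5 (20 bytes): ver/ihl, tos, total len, id, flags/frag, ttl, proto=UDP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp


def u32_word(pkt, off):
    """Big-endian 32-bit word at byte offset `off`, the way xt_u32 loads it."""
    return struct.unpack("!I", pkt[off:off + 4])[0]


def matches_root_ns_query(pkt):
    """Python equivalent of:
       0>>22&0x3C@12>>16=1 && 0>>22&0x3C@20>>24=0 && 0>>22&0x3C@21=0x00020001

    Every term reloads word 0, derives the IP header length (IHL*4) and jumps
    past it; offsets after '@' are therefore relative to the UDP header.
    """
    if len(pkt) < 4:
        return False
    ihl = (u32_word(pkt, 0) >> 22) & 0x3C      # IHL nibble * 4 = IP header length in bytes
    if len(pkt) < ihl + 21 + 4:                # xt_u32 fails the match on a short packet
        return False
    qdcount = u32_word(pkt, ihl + 12) >> 16    # UDP+12 = DNS+4: QDCOUNT must be 1
    first_label = u32_word(pkt, ihl + 20) >> 24  # UDP+20 = DNS+12: first QNAME byte, 0 = root
    type_class = u32_word(pkt, ihl + 21)       # UDP+21 = DNS+13: QTYPE (2 = NS) and QCLASS (1 = IN)
    return qdcount == 1 and first_label == 0 and type_class == 0x00020001


if __name__ == "__main__":
    print("'. NS IN'      ->", matches_root_ns_query(build_ipv4_udp_dns_query(".", 2)))
    print("'. A IN'       ->", matches_root_ns_query(build_ipv4_udp_dns_query(".", 1)))
    print("'example.com A' ->", matches_root_ns_query(build_ipv4_udp_dns_query("example.com", 1)))
```

Two things the offsets make visible: the rule assumes no IP options beyond what IHL accounts for (it handles them, since the header length is read from the packet) but it is specific to the root NS question, so a reflector abusing another long record type sails past it; and dropping the packet only removes the log noise on a server that already refuses recursion, it is not a substitute for restricting recursion in named's own configuration.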
