DNS DoS or just stupidity?

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

DNS DoS or just stupidity?

Unread post by faris »

I'm seeing zillions of these in the logs. Several each second, in fact.

named[8774]: client 128.204.195.71#80: query (cache) 'isc.org/ANY/IN' denied

I've firewalled the IP.

Any ideas?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: DNS DoS or just stupidity?

Unread post by scott »

Yeah it could be a cache poisoning attempt, or just someone trying to use your DNS server for general use.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: DNS DoS or just stupidity?

Unread post by faris »

Thanks Scott.

I've never seen so many queries at such a high rate from a single IP before.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: DNS DoS or just stupidity?

Unread post by faris »

A google search shows that this is a DNS Amplification attack.

Oddly, the IP changed overnight. But still just one IP. And still attacking only selected IPs on our network.

It is baffling why whoever is behind it would want to target us.

I've closed port 53 on these systems. They all run bind and would respond to domains hosted on them but won't do recursive lookups and none are actually used as DNS servers. Port 53 was open out of habit really.

I spoke to the sysadmin responsible for the network from which today's attack is coming. He says there was a multi-Gbit attack directed TO that IP this morning for a couple of hours.

All very odd.

Annoyingly, the edge firewall hosted by our co-lo people can't seem to block this traffic. I've put a solid block in for the IP in question and it just doesn't work. Is the IP being spoofed somehow, I wonder, even though I can block it using iptables on the target machines?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: DNS DoS or just stupidity?

Unread post by faris »

oooh! It is a reflected DNS DDoS attack:

http://www.linuxquestions.org/questions ... ck-935994/

Here's the worrying thing: if the edge firewall (hosted by the co-lo) isn't seeing the traffic and can't block it, but the firewalls on my machines can see it and can block it, does that mean it is originating within our network? Or is it just one of those things to do with routing? The co-lo's firewall covers a number of VLANs, not all ours. Could it come from a different VLAN?

I'm seeing nothing bad when using tcpdump on ports 80 and 53 and grepping for isc.org -- I just see the output I've already pasted. So it doesn't seem to be originating from us. I don't think. Errr....

Faris.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: DNS DoS or just stupidity?

Unread post by faris »

D'oh. It was obvious really.

The reason I can block it on my machines and not on the edge firewall is because when I add the IP to my firewall it gets added to the OUTPUT as well as the INPUT chains. And since the traffic is not FROM the IP in question but does cause a response to be sent TO it, it gets stopped via the OUTPUT chain.

In the edge firewall, I could have duplicated this by adding the IP to the equivalent of the OUTPUT chain - but I don't normally bother as I'm only interested in stopping incoming traffic.

But now I know better and will add future stuff like this to both :-)

Faris.
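Added example, not code from the thread or from Atomicorp: a small Python parser for the BIND `query (cache) ... denied` line quoted at the top of the thread, which counts denied ANY queries per client address and flags high-rate sources. It ties together the two observations above: ANY queries for a large zone arriving at a high rate are the amplification pattern, and the "client" address in such a line is the spoofed victim, so the replies TO it are what need blocking. The sample log lines and the threshold are constructed.

```python
import re
from collections import Counter, defaultdict

# Pattern for the "query (cache) ... denied" line BIND logs when a client
# asks for something the server is not allowed to resolve. In a reflection
# attack the source address is spoofed, so "client" names the victim.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

def parse_denied(line):
    """Return ip, port, qname, qtype for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def amplification_suspects(lines, threshold=3):
    """Count denied ANY queries per client address and report those that
    reach the threshold, with the names and source ports seen."""
    any_counts = Counter()
    qnames = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        rec = parse_denied(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        any_counts[rec["ip"]] += 1
        qnames[rec["ip"]].add(rec["qname"])
        ports[rec["ip"]].add(rec["port"])
    return {ip: {"any_queries": n, "qnames": sorted(qnames[ip]), "ports": sorted(ports[ip])}
            for ip, n in any_counts.items() if n >= threshold}

# Constructed sample log lines, modelled on the line posted in the thread.
SAMPLE_LOG = [
    "named[8774]: client 128.204.195.71#80: query (cache) 'isc.org/ANY/IN' denied",
    "named[8774]: client 128.204.195.71#80: query (cache) 'isc.org/ANY/IN' denied",
    "named[8774]: client 128.204.195.71#80: query (cache) 'isc.org/ANY/IN' denied",
    "named[8774]: client 192.0.2.10#53211: query (cache) 'example.com/A/IN' denied",
    "named[8774]: zone example.net/IN: loaded serial 2012010101",
]

if __name__ == "__main__":
    for ip, info in amplification_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {info['any_queries']} denied ANY queries for {info['qnames']} "
              f"from port(s) {info['ports']}; likely the spoofed victim, so block "
              f"replies TO it (OUTPUT chain), not only traffic FROM it (INPUT chain)")
```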