From time to time I notice a large number of queries like these to one of my external dns servers:
14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.01529 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.03688 121.10.105.66 -> 143.231.1.67 DNS C house.gov. Internet * ?
14:14:40.06047 121.10.105.66 -> 143.231.1.67 DNS C house.gov. Internet * ?
14:14:40.08370 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.11990 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.17595 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.17732 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.17782 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.19381 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.20723 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.21655 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.21857 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.22005 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.23128 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.23353 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.24827 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.25276 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.26750 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.26775 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.26787 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.26837 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.26937 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.27911 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.28023 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.30558 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.30562 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.33555 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.35478 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.36840 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.37102 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.37526 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.44820 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.48304 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.49140 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.49765 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.50189 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.53498 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.53885 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.56207 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.57419 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.59804 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.64661 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.65460 121.10.105.66 -> 143.231.1.67 DNS C houselive.gov. Internet * ?
14:14:40.66985 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.67022 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.69244 121.10.105.66 -> 143.231.1.67 DNS C houselive.gov. Internet * ?
14:14:40.70905 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.72203 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.72702 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.74125 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.74662 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.76813 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.77012 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.77150 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.77250 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.77624 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.78025 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.79958 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.80271 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.81845 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.82319 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.82321 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.82968 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.84142 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.84331 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.85053 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.85078 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.85254 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.85828 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.85840 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.86314 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.86377 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.89349 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.90898 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.91273 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.91961 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.92223 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.95507 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
14:14:40.98355 121.10.105.66 -> 143.231.1.67 DNS C houselive.gov. Internet * ?
14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
Does this rise to the level of a DDoS attack?
No NS record for this IP.
I blackhole IPs that behave like this.
Thanks
John Manson
CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, DC 20515
Desk: 202-226-4244 | TCC: 202-226-6430 | john.man...@mail.house.gov
> From time to time I notice a large number of queries like these to one of my external dns servers:
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> [ ... ]
> 14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> 14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.
That sure looks to be a DNS-based DDoS. Note that IP 121.10.105.66 is actually
the victim being attacked-- the attackers forge that address and make queries which
send lots of traffic to it.
Blackholing them on your side will mitigate against the DDoS, but also break any
legitimate traffic which they might send. (They can always use public DNS servers
like 4.2.2.1 or 8.8.8.8 if they need to, though, so don't worry about legit
requests from them too much.)
-----Original Message-----
From: Chuck Swiger [mailto:cswi...@mac.com]
Sent: Wednesday, October 17, 2012 2:31 PM
To: Manson, John
Cc: bind-us...@lists.isc.org
Subject: Re: Possible DDoS?
Hi--
On Oct 17, 2012, at 11:17 AM, Manson, John wrote:
> From time to time I notice a large number of queries like these to one of my external dns servers:
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> [ ... ]
> 14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> 14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.
That sure looks to be a DNS-based DDoS. Note that IP 121.10.105.66 is actually
the victim being attacked-- the attackers forge that address and make queries which
send lots of traffic to it.
Blackholing them on your side will mitigate against the DDoS, but also break any
legitimate traffic which they might send. (They can always use public DNS servers
like 4.2.2.1 or 8.8.8.8 if they need to, though, so don't worry about legit
requests from them too much.)
Queries show up in bunches; while the average is every 1.7 secs, I see dozens of queries all arrive nearly at the same time, then a ten-second pause, then again another burst.
That's not exactly a fly-by-night organisation; have you contacted them?
> Some server there has been pounding queries at me at a rate of
> 48,000+ a day :
Some packets are arriving with that source IP. Big difference.
It's possible (likely?) the sources are spoofed, and someone is inducing *you* to bombard that IP with replies (or trying to).
> Queries show up in bunches, while the average is every 1.7 secs I see
> dozens of queries all arrive nearly at the same time, then a ten
> second pause, then again another burst.
> Makes no sense to me what is going on there.
Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed source. DNS server sends 1 million DNS replies of 1000 bytes each to the spoofed IP. 10x amplification means the attacker can use lower-spec machines to overload a target.
Or something is just broken, and the source IPs are real - in which case, contact them.
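The pattern Chuck and Phil describe above (a burst of ANY queries for a handful of names, all claiming one source address, with the replies amplified back toward that address) can be checked mechanically against snoop-style lines like the ones John posted. The Python below is an added example, not code from anyone in this thread. It assumes the line layout shown in the thread (timestamp, src -> dst, "DNS C", qname, class, qtype, "?"), treats snoop's "*" as the ANY qtype, adds a constructed benign source (192.0.2.10, a documentation address) for contrast, and reuses Phil's illustrative 100-byte query / 1000-byte reply figures only as a labelled assumption for the bytes-reflected estimate.

```python
import re
from collections import defaultdict

# Matches the snoop-style DNS summary lines quoted in the thread, e.g.
# "14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?"
# "C" marks a client query; "*" is how snoop prints the ANY qtype.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+DNS C\s+"
    r"(?P<qname>\S+)\s+Internet\s+(?P<qtype>\S+)\s+\?\s*$"
)

# Sample input: the first twelve lines from John's capture, plus three
# constructed lines from a benign address (192.0.2.10) doing ordinary A lookups.
SAMPLE_LINES = [
    "14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?",
    "14:14:40.01529 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.03688 121.10.105.66 -> 143.231.1.67 DNS C house.gov. Internet * ?",
    "14:14:40.06047 121.10.105.66 -> 143.231.1.67 DNS C house.gov. Internet * ?",
    "14:14:40.08370 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.11990 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.17595 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.17732 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.17782 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.19381 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.20723 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:40.21655 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?",
    "14:14:38.50000 192.0.2.10 -> 143.231.1.67 DNS C www.house.gov. Internet Addr ?",   # constructed
    "14:14:41.20000 192.0.2.10 -> 143.231.1.67 DNS C www.speaker.gov. Internet Addr ?", # constructed
    "14:14:45.00000 192.0.2.10 -> 143.231.1.67 DNS C www.gop.gov. Internet Addr ?",     # constructed
]


def parse_line(line):
    """Return a dict for one query line, or None if the line is not a DNS query."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mnt, s = m.group("ts").split(":")
    return {
        "t": int(h) * 3600 + int(mnt) * 60 + float(s),  # seconds since midnight
        "src": m.group("src"),
        "dst": m.group("dst"),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
    }


def max_queries_in_window(times, window):
    """Largest number of queries that fall inside any span of `window` seconds."""
    times = sorted(times)
    best, left = 0, 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyse(lines, window=1.0, burst_threshold=10):
    """Per-source summary: totals, ANY count, peak burst, and a reflection verdict."""
    per_src = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q:
            per_src[q["src"]].append(q)
    report = {}
    for src, qs in per_src.items():
        peak = max_queries_in_window([q["t"] for q in qs], window)
        any_count = sum(1 for q in qs if q["qtype"] == "*")
        report[src] = {
            "total": len(qs),
            "any": any_count,
            "peak_per_window": peak,
            "qnames": sorted({q["qname"] for q in qs}),
            # Dozens of ANY queries for a few names inside one second, all from one
            # address, is the thread's pattern: that address is probably the spoofed
            # victim, so the right response is rate limiting, not blocking it.
            "suspect_reflection": peak >= burst_threshold and any_count == len(qs),
        }
    return report


def estimated_reflected_bytes(query_count, query_bytes=100, reply_bytes=1000):
    """Bytes the server would send toward the claimed source, and the amplification
    factor, using Phil's illustrative sizes (an assumption, not measured values)."""
    return query_count * reply_bytes, reply_bytes / query_bytes


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LINES).items():
        print(src, info)
        if info["suspect_reflection"]:
            print("  ~%d bytes reflected at %.0fx" % estimated_reflected_bytes(info["total"]))
```

Run against the full capture, the verdict field picks out 121.10.105.66 without touching the benign source. Because the flagged address is most likely the victim rather than the sender, the useful follow-up is response rate limiting on the authoritative server (answering repeated identical queries with truncated or dropped responses) rather than the blackholing the thread discusses, which punishes the spoofed party.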
I used to get the same problem, but that was every time from three or four different source IPs, and they were all querying "ripe.net IN ANY" at around 10 queries per second.
I am pretty sure the sources were hacked, because another of my DNS servers also became a source of the attack, and from the packets I could see it was exactly the same type of attack.
-----Original Message-----
From: Phil Mayers <p.may...@imperial.ac.uk>
Sender: bind-users-bounces+xuezxbb=gmail....@lists.isc.org
Date: Wed, 17 Oct 2012 23:59:11
To: <bind-us...@lists.isc.org>
Subject: Re: Possible DDoS?
On 10/17/2012 07:39 PM, Dennis Clarke wrote:
> I have the exact same problem with an ip inside State of Colorado
> General Government Computer subnet :
That's not exactly a fly-by-night organisation; have you contacted them?
> Some server there has been pounding queries at me at a rate of
> 48,000+ a day :
Some packets are arriving with that source IP. Big difference.
It's possible (likely?) the sources are spoofed, and someone is inducing *you* to bombard that IP with replies (or trying to).
> Queries show up in bunches, while the average is every 1.7 secs I see
> dozens of queries all arrive nearly at the same time, then a ten
> second pause, then again another burst.
> Makes no sense to me what is going on there.
Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed source. DNS server sends 1 million DNS replies of 1000 bytes each to the spoofed IP. 10x amplification means the attacker can use lower-spec machines to overload a target.
Or something is just broken, and the source IPs are real - in which case, contact them.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
Because my server also used to be hacked and sent this kind of junk query, and my server was null-routed by the datacenter. The high bandwidth happened exactly on my server.