loads of Query denied... is it an attack or a misconfiguration ?

loads of Query denied... is it an attack or a misconfiguration ?

Post by Thomas Man » Thu, 12 Feb 2009 08:27:48


Hi,

I can see in my secondary DNS server a lot of logs with query (cache) denied
from the same IP.
I've tracerouted one of them, which seems to be a Russian computer.


* *
17 ns1.orlan-net.ru (195.68.176.4) 136.563 ms * *


Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#59934: query (cache)
'./NS/IN'
denied

Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#23591: query (cache)
'./NS/IN'
denied

Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#54430: query (cache)
'./NS/IN'
denied

Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#46875: query (cache)
'./NS/IN'
denied

Feb 11 00:21:55 ns1 named[13392]: client 195.68.176.4#43603: query (cache)
'./NS/IN'
denied

Feb 11 00:21:56 ns1 named[13392]: client 195.68.176.4#27124: query (cache)
'./NS/IN'
denied

Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#14844: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#11936: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#5777: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#64647: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#41115: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#6712: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#38402: query (cache)
'./NS/IN'
denied

Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#59205: query (cache)
'./NS/IN'
denied

Feb 11 00:22:01 ns1 named[13392]: client 195.68.176.4#36863: query (cache)
'./NS/IN'
denied

Feb 11 00:22:02 ns1 named[13392]: client 195.68.176.4#51511: query (cache)
'./NS/IN'
denied

Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#50013: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#43818: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#10674: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#61345: query (cache)
'./NS/IN'
denied

Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#5707: query (cache)
'./NS/IN'
denied

Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53811: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53504: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#24805: query (cache)
'le-droit-de-lenfance.com/A/IN'
denied

Feb 11 00:22:07 ns1 named[13392]: client 195.68.176.4#50225: query (cache)
'./NS/IN'
denied

Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#27039: query (cache)
'./NS/IN'
denied

Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#47331: query (cache)
'./NS/IN'
denied

Feb 11 00:22:12 ns1 named[13392]: client 195.68.176.4#53740: query (cache)
'./NS/IN'
denied

Feb 11 00:22:12 ns1 named[13392]: cli
 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Mark Andre » Thu, 12 Feb 2009 08:51:53


Please go read the list archives.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: XXXX@XXXXX.COM
_______________________________________________
bind-users mailing list
XXXX@XXXXX.COM
https://lists.isc.org/mailman/listinfo/bind-users

 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Thomas Man » Thu, 12 Feb 2009 08:52:54


????

 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Mark Andre » Thu, 12 Feb 2009 09:21:31


In message < XXXX@XXXXX.COM >, Thomas Manson writes:

The subject matter has been discussed in lots of detail
over the last month. Go read the archives of the mailing
list.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: XXXX@XXXXX.COM
 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Thomas Man » Thu, 12 Feb 2009 09:21:35


That's some awesome answer... (did you get help to elaborate it?)

equivalent: Google is your friend, search the RFCs

Then... read the list archives... I guess I can spend the next ten years if
I read it from the beginning....

Could you give any clue of what to look for?

I believed I was on the bind mailing list; a mailing list is where you usually
get some help... isn't it?

Thomas.

On Wed, Feb 11, 2009 at 00:52, Thomas Manson < XXXX@XXXXX.COM >wrote:

 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Mark Andre » Thu, 12 Feb 2009 09:33:00

In message < XXXX@XXXXX.COM >, Thomas Manson writes:

Feeding the error message into Google would have given you
lots of relevant information.

query (cache) './NS/IN' denied

I didn't want to start yet another debate about what is the
"right" thing to do.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: XXXX@XXXXX.COM
 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Thomas Man » Thu, 12 Feb 2009 09:35:31


Someone answers me,

You could just have said: search "reflector DoS attack" in the archive list,
this would have narrowed down my research a lot.

I'll temporarily block the IP on my firewall

 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Stephane B » Thu, 12 Feb 2009 16:58:24

On Wed, Feb 11, 2009 at 01:35:31AM +0100,
Thomas Manson < XXXX@XXXXX.COM > wrote
a message of 80 lines which said:

> I'll temporarily block the IP on my firewall

Very bad idea, since it is forged. You do exactly what the attacker
wanted you to do.

The proper thing to do is:

https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Stephane B » Thu, 12 Feb 2009 16:59:13

On Wed, Feb 11, 2009 at 01:21:35AM +0100,
Thomas Manson < XXXX@XXXXX.COM > wrote
a message of 88 lines which said:
> I believed I was on bind mailing list, a mailing list is where you
> usually get some help... isn't it ?

You're right, it's a shame. Ask immediately for a refund, both for
your registration to the mailing list and for BIND itself.

 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Thomas Man » Thu, 12 Feb 2009 18:02:04


Well...
> > I'll temporarily block the IP on my firewall
>
> Very bad idea, since it is forged. You do exactly what the attacker
> wanted you to do.
> The proper thing to do is:
> https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

This is the kind of response I expect: an answer from someone who knows the
subject to a person who doesn't...
In this case, I could do nothing (and let the attack be done) or do things
wrong that amplify the attack.
Is it something everyone would want? If so, just tell me, I'll set up a DoS
attack myself, if it's in the general interest!


> Please go read the list archives.

This encourages doing nothing: I've a working system (my domain names are
resolved across the internet), why care more?
And then let the DNS system get attacked... great...



On Wed, Feb 11, 2009 at 08:59, Stephane Bortzmeyer < XXXX@XXXXX.COM >wrote:

 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by David For » Thu, 12 Feb 2009 18:05:11

An intelligently designed firewall rule that drops the incoming requests
isn't doing exactly what the attacker wants. It's the opposite. The
main effect of forged lookups is a response flood. And so it is also
intended to flood the victim with overwhelming amounts of DNS
responses. It, like any solution, is a two edged blade. Allowing all
the responses to flow back to the victim floods them. Dropping the
incoming request prevents that but it also prevents them from doing
lookups on your nameserver for domains that you are authoritative for.

So if you drop all these forged queries to your authoritative
nameservers save one or two, the victim will get less traffic, and still
be able to do lookups - they'll just take a wee bit longer on average.
If your nameserver is only getting one or two of these every several
minutes, then your impact on the victim is insignificant and you need
not take any action - assuming your BIND configuration is proper.
However if you happen to be a fat target and you're getting dozens or
hundreds of these per second, then you're having a significant impact on
the victim and that particular server should do some filtering.

Firewalls are smart these days. It's entirely possible to do some deep
packet inspection and drop only the "." requests, and/or do rate
limiting. The only firewalls left that can't do this are ancient beasts
that have too many layers of dust on them.

So in addition to ensuring your BIND configuration is setup properly to
refuse upward referrals, recursion, answers from cache to strangers so
forth and so on, it is also important to judiciously apply firewall rules.

There can be more than one proper thing to do.

-d

Stephane Bortzmeyer wrote:

--
Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail on a small device.

VERY NOT-IMPORTANT NOT-LEGAL NOTICES:
Recalling a message does in no way delete it from my computer. Rather, it brings attention to your original email and recalling it causes me to search for a reason to find embarrassment. Please don't send message recall messages. It's silly and obnoxious and wastes even more bandwidth and patience.

Regardless of what legal message you append to your email message, I am not obligated or constrained in any way shape or form. If I feel like printing it outand taping it up at the local gym, or mass mailing it to 15,000 people, I will. I feel especially inclined to do so the longer your "legal" advisory is. Such notices are unenforceable and do not protect you or your company from things you say, or things others do with the email.

"Millions of innocent men, women and children, since the introduction of Christianity, have been burnt, tortured, fined, imprisoned; yet we have not advancedone inch towards uniformity. What has been the effect of coercion? To make half the world fools, and the other half hypocrites." --Thomas Jefferson

This message is confidential to the Internet at large, unless otherwise indicated or apparent from its nature. It may not be reproduced on Mars unless it has previously been printed on Uranus. This message is directed to the intended recipient only (usually everyone, but sometimes nobody and once in a blue moon, just somebody), who may be readily determined by the sender of this message and its contents. This email message (including any attachments) is not for the sole use of the intended recipient(s)
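The first post in this thread is a raw dump of "query (cache) ... denied" lines, and David's reply above turns on how often a given source sends them: a couple every few minutes is noise, dozens or hundreds per second from one source justifies a targeted filter. The script below is an example added here for this thread, not code from bind-users or ISC. It re-joins records that a mail client wrapped over several lines, parses named's syslog-style lines, and for each client reports the total denied queries, the question mix (counting the "." NS queries separately), the average rate over that client's own time span, and the peak queries per second. The sample log, the TEST-NET addresses in it, and the verdict thresholds are constructed for the example.

```python
"""Triage BIND "query (cache) ... denied" log lines by client and rate.

Added example for this thread, not code from bind-users or ISC. The sample
log and the verdict thresholds are constructed; tune them to your traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the lines from the original post.
# Addresses are TEST-NET ranges, not the hosts in the thread. The first two
# records are wrapped over three lines, as they were in the mail.
SAMPLE_LOG = """\
Feb 11 00:21:49 ns1 named[13392]: client 198.51.100.4#59934: query (cache)
'./NS/IN'
denied
Feb 11 00:21:49 ns1 named[13392]: client 198.51.100.4#23591: query (cache)
'./NS/IN'
denied
Feb 11 00:21:53 ns1 named[13392]: client 198.51.100.4#54430: query (cache) './NS/IN' denied
Feb 11 00:21:55 ns1 named[13392]: client 198.51.100.4#43603: query (cache) './NS/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 203.0.113.133#14844: query (cache) 'example.org/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 203.0.113.133#11936: query (cache) 'example.org/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 203.0.113.133#5777: query (cache) 'example.org/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 203.0.113.133#64647: query (cache) 'example.org/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 203.0.113.133#41115: query (cache) 'example.org/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 203.0.113.133#6712: query (cache) 'example.org/A/IN' denied
Feb 11 00:22:12 ns1 named[13392]: client 198.51.100.4#53740: query (cache) './NS/IN' denied
Feb 11 00:25:40 ns1 named[13392]: client 192.0.2.10#40001: query (cache) 'example.net/A/IN' denied
Feb 11 00:25:41 ns1 named[13392]: zone example.net/IN: loaded serial 2009021101
"""

TS_RE = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"
RECORD_START = re.compile(TS_RE)
DENIED_RE = re.compile(
    rf"^(?P<ts>{TS_RE}) \S+ named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query \((?P<kind>\w+)\) '(?P<q>[^']*)' denied$"
)


def unwrap(text):
    """Re-join wrapped records: a line that does not start with a syslog
    timestamp is a continuation of the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_denied(line):
    """Return (timestamp, client ip, kind, question) or None for other lines."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    # syslog carries no year; the default year only matters around Feb 29
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["kind"], m["q"]


def summarize(records):
    """Per-client totals, question mix, average and peak queries per second."""
    per_ip = defaultdict(list)
    for parsed in map(parse_denied, records):
        if parsed:
            per_ip[parsed[1]].append(parsed)
    summary = {}
    for ip, rows in per_ip.items():
        times = [row[0] for row in rows]
        span = max((max(times) - min(times)).total_seconds(), 1.0)
        per_second = Counter(times)  # syslog timestamps have 1 s resolution
        questions = Counter(row[3] for row in rows)
        summary[ip] = {
            "total": len(rows),
            "avg_qps": len(rows) / span,
            "peak_qps": max(per_second.values()),
            "root_ns": questions.get("./NS/IN", 0),
            "questions": questions,
        }
    return summary


def verdict(stats, filter_peak=5, ignore_total=2):
    """Constructed tiers following the thread's reasoning: a handful of
    queries is noise; a sustained per-second burst from one source is worth
    a targeted drop or rate limit on that source and question."""
    if stats["peak_qps"] >= filter_peak:
        return "filter"
    if stats["total"] <= ignore_total:
        return "ignore"
    return "watch"


def triage(text):
    return {ip: (verdict(st), st) for ip, st in summarize(unwrap(text)).items()}


if __name__ == "__main__":
    rows = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1][1]["peak_qps"])
    for ip, (v, st) in rows:
        print(f"{ip:16} {v:7} total={st['total']:3} peak={st['peak_qps']:3}/s "
              f"avg={st['avg_qps']:.2f}/s root_ns={st['root_ns']}")
```

Run it on a real log with `triage(open("/var/log/named.log").read())`. Peak per-second count is the measure that matches the thread's "dozens or hundreds per second" test; the average over a long window hides short bursts, which is why both are reported.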
 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by David Forr » Fri, 13 Feb 2009 00:10:46

On Wed, 11 Feb 2009, Matthew Huff wrote:

Matthew, the querylog shows what was queried. To see what is answered try
digging your external interface.

Here is my external view:

view "external" { // Primary nameserver for maplepark.com.
match-clients { any; };
recursion no;
additional-from-cache no;
// https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

zone "maplepark.com"{
type master;
notify yes;
allow-transfer { slave-name-servers; };
file "/var/named/drf/external/maplepark.com.external.";
};

zone "." { type hint; file "named.ca"; }; // Update this hint by: /usr/local/sbin/update-root-cache
};

And the result of the external query:

[drf@maplepark ~]$ dig +bufsize=4096 @64.216.205.121 . NS

; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; Query time: 0 msec
;; SERVER: 64.216.205.121#53(64.216.205.121)
;; WHEN: Wed Feb 11 08:53:04 2009
;; MSG SIZE rcvd: 28

[drf@maplepark ~]$

Note that the status is "REFUSED" and MSG SIZE is 28 bytes

And the querylog has this:
11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E

Try digging. AFAICT your conf should return REFUSED

Dave

--
David Forrest e-mail XXXX@XXXXX.COM
Maple Park Development Corporation http://www.maplepark.com
St. Louis, Missouri
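Dave's dig run shows what a server configured with `recursion no; additional-from-cache no;` sends back for a ". NS" query: status REFUSED and a 28-byte message, i.e. no bigger than the question. The script below is an example added here, not code from the thread or from ISC. It builds the same query dig sends with `+bufsize=4096` (question plus an EDNS0 OPT record), parses the reply header, and reports the RCODE together with the reply-to-request size ratio, so the same check can be scripted against your own authoritative server. The server address is a parameter you supply; the REFUSED reply used for the offline run is constructed to match the dig output in the post.

```python
"""Check what an authoritative server returns for a '. NS' query.

Added example, not from the bind-users thread or ISC. The server address
is supplied by the caller; refused_reply() is a constructed reply matching
the REFUSED / 28-byte result shown in the thread.
"""
import socket
import struct

QTYPE_NS, QCLASS_IN, TYPE_OPT = 2, 1, 41
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name; the root '.' is a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname=".", qtype=QTYPE_NS, txid=0x1234, bufsize=4096, rd=True):
    """Header + one question + EDNS0 OPT, as 'dig +bufsize=4096 . NS' sends."""
    flags = 0x0100 if rd else 0  # dig sets RD by default
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, ttl 0, no rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return header + question + opt


def parse_reply(data):
    """Decode the 12-byte header: id, flags, section counts."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answer": an, "authority": ns, "additional": ar, "size": len(data)}


def assess(query, reply):
    """Amplification ratio and a verdict: REFUSED with no growth is what the
    thread's recommended configuration produces; anything bigger (a root
    referral in the authority section, or an answer) is worth a config check."""
    info = parse_reply(reply)
    if info["id"] != parse_reply(query)["id"]:
        raise ValueError("reply id does not match query id")
    info["amplification"] = len(reply) / len(query)
    info["verdict"] = ("ok" if info["rcode"] == "REFUSED" and info["amplification"] <= 1.0
                       else "check config")
    return info


def probe(server, port=53, timeout=3.0):
    """Send one '. NS' query to the given server (yours) and assess the reply."""
    q = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(65535)
    return assess(q, data)


def refused_reply(query):
    """Constructed reply mirroring the thread's dig output: flags qr rd,
    status REFUSED, the question and OPT echoed back, 28 bytes in total."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 1)
    return header + query[12:]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. the address of your own nameserver
    else:
        q = build_query()
        print(assess(q, refused_reply(q)))  # offline run on the constructed reply
```

The 28 bytes in the dig output decompose as a 12-byte header, a 5-byte question (1-byte root name, type, class) and an 11-byte OPT record; a server that instead returns the root NS list with glue would produce a reply many times larger than the request, which is the amplification the DNS-OARC article linked above is about.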
 
 
 

loads of Query denied... is it an attack or a misconfiguration ?

Post by Blah Blah » Fri, 13 Feb 2009 04:18:09

On Wed, 11 Feb 2009 11:33:00 +1100, Mark Andrews faxed us with....

You some kind of c*nt?


--
Replica Watches - TRY LIDL - Cheap meds? Visit your GP