[111064] in North American Network Operators' Group
Re: Tightened DNS security question re: DNS amplification attacks.
daemon@ATHENA.MIT.EDU (Steve Pirk)
Tue Jan 27 20:49:19 2009
Date: Tue, 27 Jan 2009 17:49:05 -0800 (PST)
From: Steve Pirk <orion@pirk.com>
To: jay@miscreant.org
In-Reply-To: <20090128122246.sziowznu8sswog48@web1.nswh.com.au>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Wed, 28 Jan 2009, jay@miscreant.org wrote:
> Quoting John Martinez <jmartinez@zero11.com>:
>
>> Are we still seeing DNS DDoS attack?
>
> Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146.
>
> Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.
>
I run a small personal nameserver and even I am seeing requests for that
address 64.57.246.146 at ~1/sec.
How many people have upgraded to the latest version of Bind 9? Reason
I ask is that when I do my nightly port scan of my server, I no longer see
named listening to udp on a random high order port (for replies I believe?).
Almost the next day, I started hearing about/seeing these DNS attacks.
Previous nmap scan showed:
53/tcp open domain
53/udp open|filtered domain
33591/udp open|filtered unknown
Now nmap shows:
53/tcp open domain
53/udp open|filtered domain
The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1.
The port was bound at startup time and did not change as long as named was
still running.
--
Steve
Equal bytes for women.
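As an added example (not from the thread or from BIND), a small Python script that parses BIND-style query-log lines and computes per-source query rates, flagging the steady repeated-query pattern the posters describe. The log sample is constructed: the source addresses are the ones named in the thread, while the timestamps, names and the exact log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query-log lines ("client <ip>#<port>: query: <name>
# <class> <type>"); the source IPs are those named in the thread, the rest is made up.
SAMPLE_LOG = """\
27-Jan-2009 17:49:00.101 client 64.57.246.146#53: query: example.com IN A +
27-Jan-2009 17:49:00.602 client 64.57.246.146#53: query: example.com IN A +
27-Jan-2009 17:49:01.105 client 64.57.246.146#53: query: example.com IN A +
27-Jan-2009 17:49:01.250 client 192.0.2.10#41022: query: www.example.com IN A +
27-Jan-2009 17:49:01.603 client 64.57.246.146#53: query: example.com IN A +
27-Jan-2009 17:49:02.104 client 64.57.246.146#53: query: example.com IN A +
27-Jan-2009 17:49:02.600 client 64.57.246.146#53: query: example.com IN A +
27-Jan-2009 17:49:03.900 client 192.0.2.10#41022: query: mail.example.com IN MX +
"""

LINE_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client "
    r"(\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (\S+) (\S+) (\S+)"
)

def parse_queries(text):
    """Return (timestamp, source_ip, qname, qtype) for every parsable line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            records.append((ts, m.group(2), m.group(3), m.group(5)))
    return records

def query_rates(records):
    """Per source IP: (query count, mean queries/sec between first and last query)."""
    seen = defaultdict(list)
    for ts, ip, _, _ in records:
        seen[ip].append(ts)
    rates = {}
    for ip, times in seen.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        qps = (len(times) - 1) / span if span > 0 else 0.0
        rates[ip] = (len(times), qps)
    return rates

def flag_sources(records, min_queries=5, min_qps=1.0):
    """Sources repeating queries at a steady rate; on an open resolver this is
    usually the spoofed victim, so rate-limit or refuse recursion rather than 'block the attacker'."""
    return sorted(ip for ip, (n, qps) in query_rates(records).items()
                  if n >= min_queries and qps >= min_qps)
```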