[111065] in North American Network Operators' Group
Re: Tightened DNS security question re: DNS amplification attacks.
daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Jan 27 22:06:44 2009
To: Steve Pirk <orion@pirk.com>
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Tue, 27 Jan 2009 17:49:05 -0800."
<Pine.LNX.4.64.0901271739380.27614@mail.pirk.com>
Date: Wed, 28 Jan 2009 14:06:07 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <Pine.LNX.4.64.0901271739380.27614@mail.pirk.com>, Steve Pirk writes:
> On Wed, 28 Jan 2009, jay@miscreant.org wrote:
>
> > Quoting John Martinez <jmartinez@zero11.com>:
> >
> >> Are we still seeing DNS DDoS attack?
> >
> > Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146.
> >
> > Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.
> >
>
> I run a small personal nameserver and even I am seeing requests for that
> address 64.57.246.146 at ~1/sec.
>
> How many people have upgraded to the latest version of Bind 9? Reason
> I ask is that when I do my nightly port scan of my server, I no longer see
> named listening to udp on a random high order port (for replies I believe?).
> Almost the next day, I started hearing about/seeing these DNS attacks.
Totally unrelated. Named now creates multiple listening
ports on demand.
Mark
> Previous nmap scan showed:
> 53/tcp open domain
> 53/udp open|filtered domain
> 33591/udp open|filtered unknown
>
> Now nmap shows:
> 53/tcp open domain
> 53/udp open|filtered domain
>
> The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1.
> The port was bound at startup time and did not change as long as named was
> still running.
> --
> Steve
> Equal bytes for women.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
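Added example, not from this thread or from ISC: a small rate check over BIND query-log lines for the symptom Jay and Steve describe, one identical question arriving from one address at roughly one per second. It assumes BIND 9's query-log line layout and uses constructed log lines with RFC 5737 documentation addresses.

```python
# Constructed example, not from the thread: rate check over BIND query-log lines.
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 query-log layout: "<ts> client IP#port: query: NAME IN TYPE ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    "27-Jan-2009 17:40:00.000 client 192.0.2.10#53: query: example.net IN ANY +",
    "27-Jan-2009 17:40:01.010 client 192.0.2.10#53: query: example.net IN ANY +",
    "27-Jan-2009 17:40:02.020 client 192.0.2.10#53: query: example.net IN ANY +",
    "27-Jan-2009 17:40:03.030 client 192.0.2.10#53: query: example.net IN ANY +",
    "27-Jan-2009 17:40:04.040 client 192.0.2.10#53: query: example.net IN ANY +",
    "27-Jan-2009 17:40:01.500 client 198.51.100.7#40123: query: www.example.org IN A +",
    "27-Jan-2009 17:40:04.500 client 198.51.100.7#40124: query: mail.example.org IN MX +",
]

def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"], m["qtype"]

def find_repeat_sources(lines, min_count=5, max_mean_gap=2.0):
    """Map (ip, qname, qtype) -> mean gap (s) for one question repeated at least
    min_count times with mean inter-arrival <= max_mean_gap. With a spoofed
    source, the flagged address is the reflection victim, not the sender."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, ip, qname, qtype = rec
            seen[(ip, qname, qtype)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        mean_gap = (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)
        if mean_gap <= max_mean_gap:
            hits[key] = round(mean_gap, 3)
    return hits
```

The flagged address is where the amplified replies are going, so the useful response is rate-limiting or dropping replies toward it, not blocking it as an attacker.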