[111156] in North American Network Operators' Group
Re: Tracking the DNS amplification attacks (was: isprime DOS
daemon@ATHENA.MIT.EDU (Crist Clark)
Fri Jan 30 18:04:48 2009
Date: Fri, 30 Jan 2009 15:04:20 -0800
From: "Crist Clark" <Crist.Clark@globalstar.com>
To: <nanog@nanog.org>,"Brian Keefer" <chort@smtps.net>
In-Reply-To: <B56009C3-A981-41B4-9383-4E2622E36C90@smtps.net>
Errors-To: nanog-bounces@nanog.org
>>> On 1/24/2009 at 4:50 PM, Brian Keefer <chort@smtps.net> wrote:
> Caveat: my PERL is _terrible_.
>
> http://www.smtps.net/pub/dns-amp-watch.pl
>
> This assumes you're using BIND. My logs roll on the hour, so I run it
> from cron at 1 minute before the hour. Depending on how long it takes
> to process your logs, you might need to tweak.
FWIW, I find it easier to track this using tcpdump. I don't like
running BIND with query logging. Here's a filter that catches these,
port 53 && (udp[10:4] == 0x01000001) && (udp[20:2] == 0x0000)
How it works is left as an exercise for the reader.
When I sniff the link to a server authoritative for several domains,
17:29:55.792127 IP 72.249.127.168.3966 > 206.220.220.100.53: 18501+ NS? . (17)
17:29:57.116367 IP 69.64.87.156.58419 > 206.220.220.100.53: 62419+ NS? . (17)
17:29:57.804987 IP 72.249.127.168.33108 > 206.220.220.100.53: 4637+ NS? . (17)
17:29:58.959680 IP 72.20.3.82.23084 > 206.220.220.100.53: 14310+ NS? . (17)
17:29:59.818994 IP 72.249.127.168.60876 > 206.220.220.100.53: 22791+ NS? . (17)
17:30:01.622728 IP 69.64.87.156.30151 > 206.220.220.100.53: 13557+ NS? . (17)
17:30:01.628899 IP 72.20.3.82.49015 > 206.220.220.100.53: 14250+ NS? . (17)
17:30:01.821214 IP 72.249.127.168.13831 > 206.220.220.100.53: 51065+ NS? . (17)
17:30:03.342856 IP 69.64.87.156.1926 > 206.220.220.100.53: 38768+ NS? . (17)
17:30:03.818706 IP 72.249.127.168.33663 > 206.220.220.100.53: 12720+ NS? . (17)
17:30:05.186647 IP 72.20.3.82.7649 > 206.220.220.100.53: 52079+ NS? . (17)
17:30:05.815718 IP 72.249.127.168.37241 > 206.220.220.100.53: 345+ NS? . (17)
17:30:07.816144 IP 72.249.127.168.23784 > 206.220.220.100.53: 56874+ NS? . (17)
17:30:07.849503 IP 69.64.87.156.33190 > 206.220.220.100.53: 20113+ NS? . (17)
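The tcpdump filter in the message is left as an exercise, so here is the exercise worked, as an added example that is not part of the original post or of Brian Keefer's script. tcpdump's udp[n] offsets count from the start of the 8-byte UDP header, so udp[10:4] is DNS bytes 2..5 (the flags word 0x0100, a plain query with RD set, followed by QDCOUNT 1) and udp[20:2] is DNS bytes 12..13 (a 0x00 first QNAME byte, i.e. the root name ".", followed by the high byte of QTYPE, which is 0x00 for NS and every other type below 256). A root NS query with no EDNS is exactly 12 + 1 + 2 + 2 = 17 bytes, the "(17)" tcpdump prints. The code builds such queries from scratch, applies the same two byte comparisons to the DNS payload, adds a tighter variant (udp[20:4] == 0x00000200, which also pins QTYPE to NS), and tallies matches per source address the way the capture above clusters by IP. The sample packets, their 192.0.2.x source addresses and the helper names are constructed for this example.

```python
"""Decode the tcpdump filter from the post and apply it to constructed DNS queries."""
import struct
from collections import Counter

QTYPE_A, QTYPE_NS, QTYPE_ANY = 1, 2, 255
QCLASS_IN = 1
UDP_HDR = 8  # tcpdump's udp[n] counts from the UDP header, so udp[n] is dns[n - 8]


def encode_name(name):
    """Wire-format QNAME. The root "." is just the terminating zero-length label."""
    out = b""
    if name not in ("", "."):
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid, rd=True):
    """Minimal DNS query: 12-byte header, one question, no EDNS OPT record."""
    flags = 0x0100 if rd else 0x0000  # QR=0 (query), opcode 0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def matches_filter(dns):
    """port 53 && (udp[10:4] == 0x01000001) && (udp[20:2] == 0x0000), on the DNS payload.

    udp[10:4] -> dns[2:6]  : flags 0x0100 (plain query, RD set) and QDCOUNT == 1
    udp[20:2] -> dns[12:14]: first QNAME byte 0x00 (root, "."), then the high byte
                             of QTYPE, which is 0x00 for every type below 256
    """
    if len(dns) < UDP_HDR + 14 - UDP_HDR:  # need DNS bytes 0..13
        return False
    return dns[2:6] == b"\x01\x00\x00\x01" and dns[12:14] == b"\x00\x00"


def matches_ns_root_only(dns):
    """Tighter variant, udp[20:4] == 0x00000200: root name, QTYPE NS, QCLASS high byte 0.

    BPF accessors come in 1, 2 and 4 byte widths, so this is how to pin the type
    without a second comparison; the loose filter above also matches root ANY."""
    return (len(dns) >= 16
            and dns[2:6] == b"\x01\x00\x00\x01"
            and dns[12:16] == b"\x00\x00\x02\x00")


def count_sources(packets):
    """Per-source tally of matching queries, like the per-IP clustering in the capture."""
    hits = Counter()
    for src, dns in packets:
        if matches_filter(dns):
            hits[src] += 1
    return hits


# Constructed sample traffic (not a real capture): three sources sending "NS? ."
# plus ordinary lookups that the filter must ignore.
SAMPLE = [
    ("192.0.2.10", build_query(".", QTYPE_NS, 18501)),
    ("192.0.2.10", build_query(".", QTYPE_NS, 4637)),
    ("192.0.2.20", build_query(".", QTYPE_NS, 62419)),
    ("192.0.2.30", build_query("www.example.com", QTYPE_A, 7)),
    ("192.0.2.30", build_query(".", QTYPE_NS, 9, rd=False)),  # RD clear: no match
    ("192.0.2.40", build_query(".", QTYPE_ANY, 11)),          # root ANY: loose match only
]

if __name__ == "__main__":
    q = build_query(".", QTYPE_NS, 18501)
    print(len(q), q.hex())  # 17 bytes, the "(17)" in tcpdump's "NS? . (17)"
    for src, n in count_sources(SAMPLE).most_common():
        print(src, n)
```

The loose two-byte check is what makes the original filter cheap, but it also fires on root queries for A, ANY and anything else with a QTYPE below 256; if those show up in your traffic, swap in the four-byte comparison. Neither form looks past the question, so a query carrying an EDNS OPT record still matches as long as the header and question are laid out the same way.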