DDoS attempts?

dan

I'm finding loads of this in my BIND queries.log file:

Code:
29-Jul-2010 22:04:58.519 client 174.142.218.220#7571: query: . IN NS +
29-Jul-2010 22:04:58.598 client 188.124.8.54#12632: query: . IN NS +
29-Jul-2010 22:04:58.761 client 204.188.249.17#37614: query: . IN NS +
29-Jul-2010 22:04:58.837 client 204.188.249.17#2533: query: . IN NS +
29-Jul-2010 22:04:58.840 client 174.142.218.220#7668: query: . IN NS +
29-Jul-2010 22:04:58.858 client 204.188.249.17#54273: query: . IN NS +
29-Jul-2010 22:04:59.000 client 174.142.218.220#32361: query: . IN NS +
29-Jul-2010 22:04:59.404 client 204.188.249.17#23013: query: . IN NS +
29-Jul-2010 22:04:59.436 client 174.142.218.220#15378: query: . IN NS +
29-Jul-2010 22:04:59.473 client 174.142.218.220#28670: query: . IN NS +
29-Jul-2010 22:04:59.480 client 204.188.249.17#42672: query: . IN NS +
29-Jul-2010 22:04:59.508 client 204.188.249.17#1855: query: . IN NS +

I see that they're queries for the root servers, but what is the purpose of all these persistent queries, often tens per second? Is this an attack, and if so, how can I configure BIND to not respond to these queries?

Thanks,

Dan
 
If it bothers you just disable the logging of it.

It's probably just nameserver queries on domains you are hosting.
 
I can probably vouch that they're not nameservers, as more often than not they come from at most 3 different IP addresses at a time, and run the same queries several times a second for several hours at a time. I can usually get 3 rotated log files at 5 MB each full of JUST these queries from said IP addresses. It's not just annoying; I'm concerned that these attacks may either escalate into something more, or that I'm missing something in BIND that I haven't configured properly and/or there's an exploit somewhere that I need to patch up. The IPs resolve to random places all over the world, mostly dynamic addresses from China or odd places like that.
 
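As an added example (not code from anyone in this thread), here is a small Python script that parses queries.log lines in the format shown above and reports, per client address, how many root NS queries (". IN NS") it sent and at what rate, so repeat sources can be picked out for blocking. The sample lines are taken from the log in the first post plus one constructed ordinary lookup; the count and rate thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines from the thread's queries.log plus one constructed ordinary query.
SAMPLE_LOG = """\
29-Jul-2010 22:04:58.519 client 174.142.218.220#7571: query: . IN NS +
29-Jul-2010 22:04:58.598 client 188.124.8.54#12632: query: . IN NS +
29-Jul-2010 22:04:58.761 client 204.188.249.17#37614: query: . IN NS +
29-Jul-2010 22:04:58.837 client 204.188.249.17#2533: query: . IN NS +
29-Jul-2010 22:04:58.840 client 174.142.218.220#7668: query: . IN NS +
29-Jul-2010 22:04:58.858 client 204.188.249.17#54273: query: . IN NS +
29-Jul-2010 22:04:59.000 client 174.142.218.220#32361: query: . IN NS +
29-Jul-2010 22:04:59.404 client 204.188.249.17#23013: query: . IN NS +
29-Jul-2010 22:04:59.436 client 174.142.218.220#15378: query: . IN NS +
29-Jul-2010 22:05:01.100 client 10.0.0.5#53001: query: www.example.com IN A +
"""

# BIND 9 query log: "<timestamp> client <ip>#<port>: query: <name> <class> <type> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>[^#\s]+)#\d+: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m: return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name"), m.group("type")

def root_ns_rates(log_text):
    """Per client: (number of '. IN NS' queries, queries per second over its first..last query)."""
    first, last, count = {}, {}, defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed: continue
        ts, ip, name, qtype = parsed
        if name != "." or qtype != "NS": continue   # only root-zone NS probes
        count[ip] += 1
        first.setdefault(ip, ts)
        last[ip] = ts
    rates = {}
    for ip, n in count.items():
        span = (last[ip] - first[ip]).total_seconds()
        rates[ip] = (n, n / span if span > 0 else float(n))  # single query: 1 q/s
    return rates

def noisy_clients(log_text, min_count=3, min_rate=2.0):
    """Clients sending many root NS queries at a high rate (thresholds are assumed values)."""
    return sorted(ip for ip, (n, r) in root_ns_rates(log_text).items()
                  if n >= min_count and r >= min_rate)
```

Run it over a full queries.log and the flagged addresses are the ones to consider for a firewall rule or a BIND rate limit, while a lone client that asked once is left alone.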
So you've answered the first part of your question; it's probably an attack. Can you disable BIND's ability to answer queries? Sure. Just stop BIND. Of course then it won't resolve domains.

Turn off logging as mr.applesauce suggests. Block the IP#s if they repeat.

Jeff
 
OK, cool. I just wanted to make sure I wasn't missing any security issues, if this sort of thing had been seen before relating to some sort of hole in BIND in one way or another.

Thanks for your help.
 