[BlueOnyx:12659] Re: DNS Spamming

George F. Nemeyer tigerwolf at tigerden.com
Fri Mar 29 18:26:33 -05 2013


On Fri, 29 Mar 2013, Colin Jack wrote:

> Can I tighten it up? We have 50+ DNS connections from the same IP at the
> same time. I would like to limit this to say 2 ;0)

Last year, a newly installed BX box was hit within a day of powering it up
for configuration and site setups.  It was, unfortunately, open by
default, and I'd not gotten around to DNS beyond basics when it was found.

We noticed this pattern once a machine is tagged as open:
- Inbound DNS port traffic was a continuous 1.6Mbps to that machine.
- The requests might switch to another IP for a while, but tended to
  favor only 2 or 3 most of the time.
- It was only a total handful (<15) of different (forged) IPs making
  the requests.

Of course, the first thing was to close the DNS hole, so if the attackers
were probing, we looked closed, so they didn't add any new ones.

We then just dropped all the offending /24 blocks with iptables.  Inbound
requests remained at 1.6 Mbps, but nothing was reaching the DNS server, so
outbound traffic was 0.  After about a month of packet dropping, the
inbound hits stopped.

We did see *occasional* short bursts of attempts at the same IPs sent to
our known locked-down servers, but those died off within a minute or two.

=^_^=  Tigerwolf
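As an added illustration of the triage described in the message above (example code, not from the list or from BlueOnyx): a POSIX shell script that counts queries per source address in constructed BIND-style query-log lines, flags sources at or above a threshold, and prints, without applying, iptables rules that drop inbound UDP/53 from the corresponding /24 blocks. The log format, the addresses (RFC 5737 documentation ranges) and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample query-log lines in BIND querylog style; not real traffic.
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG='29-Mar-2013 10:00:01.001 client 203.0.113.45#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)
29-Mar-2013 10:00:01.002 client 203.0.113.45#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)
29-Mar-2013 10:00:01.003 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)
29-Mar-2013 10:00:01.004 client 203.0.113.45#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)
29-Mar-2013 10:00:01.005 client 192.0.2.200#41234 (example.net): query: example.net IN A +E (192.0.2.10)
29-Mar-2013 10:00:01.006 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)
29-Mar-2013 10:00:01.007 client 203.0.113.46#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)
29-Mar-2013 10:00:01.008 client 203.0.113.45#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)
29-Mar-2013 10:00:01.009 client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.10)'

# Read query-log lines on stdin; print "count ip" for every source address
# that sent at least $1 queries, busiest first. The address is the token
# after "client", with the "#port" suffix stripped.
flag_sources() {
  awk -v t="$1" '
    { for (i = 1; i <= NF; i++) if ($i == "client") { split($(i+1), a, "#"); n[a[1]]++ } }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -k1,1nr -k2
}

# Map a dotted-quad address to its /24 block, since the post blocks whole blocks,
# not single (forged) addresses.
to_slash24() {
  echo "$1" | awk -F. '{ print $1"."$2"."$3".0/24" }'
}

# Read query-log lines on stdin; print one deduplicated iptables DROP rule per
# flagged /24 for inbound UDP/53. The rules are printed for review, not executed.
drop_rules() {
  flag_sources "$1" | while read -r count ip; do
    to_slash24 "$ip"
  done | sort -u | while read -r block; do
    echo "iptables -I INPUT -p udp --dport 53 -s $block -j DROP"
  done
}

# Usage with the constructed sample and a threshold of 3 queries per source.
printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
```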
