A new potential DNS DoS attack seems to have reared its ugly head; I'm getting a LOT of messages similar to this:
Jan 22 16:15:20 comp named[20359]: client 76.9.16.171#57861: query (cache) './NS/IN' denied
Jan 22 16:16:22 comp named[20359]: client 76.9.16.171#64042: query (cache) './NS/IN' denied
Jan 22 16:17:25 comp named[20359]: client 76.9.16.171#16125: query (cache) './NS/IN' denied
Jan 22 16:18:27 comp named[20359]: client 76.9.16.171#45352: query (cache) './NS/IN' denied
Jan 22 16:19:29 comp named[20359]: client 76.9.16.171#62136: query (cache) './NS/IN' denied
Jan 22 16:20:31 comp named[20359]: client 76.9.16.171#34017: query (cache) './NS/IN' denied
Jan 22 16:21:34 comp named[20359]: client 76.9.16.171#25822: query (cache) './NS/IN' denied
Jan 22 16:22:36 comp named[20359]: client 76.9.16.171#41648: query (cache) './NS/IN' denied
always from the same addresses; currently that list includes:
76.9.16.171 76.9.31.42 66.230.160.1 66.230.128.15 69.50.142.11
It appears that these addresses (which belong to ISPrime) are being spoofed by the attacker. By asking for the NS records of the root zone ('.'), which only works on servers that allow recursion or cache queries from the outside world, a small query produces a large response, and that response is sent back to the victim whose address was forged. A server that denies the query, as in the log lines above, only sends back a small REFUSED answer, so it is not amplifying anything; what is left is the log noise.
None of the packets originate from port 53, so it's easy to tell what's being spoofed; a simple ACL in BIND (an allow-recursion / allow-query-cache restriction, or a blackhole list so the queries are dropped without being logged) and/or an iptables rule will put an end to the log flooding. Keep in mind that the listed addresses are the victim's, so blocking them outright also blocks any legitimate queries they might send you.
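As an added example (my own code, not from the original post), here is a small script that picks the flood out of a named log, reports which clients are sending it and from which source ports, and renders the BIND blackhole/ACL snippet and iptables rules that stop the log flooding. The log lines in SAMPLE_LOG are constructed to match the format shown above; the function names and the ACL name spoofed_sources are my own choices.

```python
"""Find repeated denied './NS/IN' queries in a BIND log and emit blocking rules."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the lines in the post: two flooding sources,
# one below the threshold, one ordinary denied query, one unrelated line.
SAMPLE_LOG = """\
Jan 22 16:15:20 comp named[20359]: client 76.9.16.171#57861: query (cache) './NS/IN' denied
Jan 22 16:16:22 comp named[20359]: client 76.9.16.171#64042: query (cache) './NS/IN' denied
Jan 22 16:17:25 comp named[20359]: client 76.9.16.171#16125: query (cache) './NS/IN' denied
Jan 22 16:17:40 comp named[20359]: client 76.9.31.42#40211: query (cache) './NS/IN' denied
Jan 22 16:18:01 comp named[20359]: client 76.9.31.42#50982: query (cache) './NS/IN' denied
Jan 22 16:18:27 comp named[20359]: client 76.9.31.42#18844: query (cache) './NS/IN' denied
Jan 22 16:18:50 comp named[20359]: client 66.230.160.1#33120: query (cache) './NS/IN' denied
Jan 22 16:19:10 comp named[20359]: client 192.0.2.77#41201: query (cache) 'www.example.com/A/IN' denied
Jan 22 16:19:30 comp named[20359]: zone example.com/IN: loaded serial 2009012201
"""

# named's "query (cache) '<name>/<type>/<class>' denied" line; the quotes are
# accepted as either straight or curly because copy-pasted logs often have both.
LOG_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d+(?:\.\d+){3})#(?P<port>\d+): "
    r"query \(cache\) ['\u2018](?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)['\u2019] denied"
)


def parse_line(line):
    """Return (ip, port, qname, qtype, qclass) for a denied query, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m.group("ip"), int(m.group("port")), m.group("qname"),
            m.group("qtype"), m.group("qclass"))


def find_flood_sources(lines, threshold=3):
    """Map client IP -> number of denied root-NS queries, for IPs at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[2:] == (".", "NS", "IN"):
            counts[rec[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def source_ports(lines):
    """Map client IP -> set of source ports seen, to check the 'never port 53' observation."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ports[rec[0]].add(rec[1])
    return dict(ports)


def bind_config(ips, acl_name="spoofed_sources"):
    """Render named.conf options: an ACL of the sources, dropped silently via blackhole,
    plus recursion/cache restricted to local networks so nothing is amplified."""
    members = "\n".join(f"    {ip};" for ip in sorted(ips))
    return (
        f"acl {acl_name} {{\n{members}\n}};\n"
        "options {\n"
        f"    blackhole {{ {acl_name}; }};\n"
        "    allow-recursion { localnets; };\n"
        "    allow-query-cache { localnets; };\n"
        "};\n"
    )


def iptables_rules(ips):
    """One DROP rule per source for UDP/53; run these on the nameserver host."""
    return [f"iptables -A INPUT -s {ip} -p udp --dport 53 -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flood = find_flood_sources(lines)
    for ip, n in flood.items():
        print(f"{ip}: {n} denied ./NS/IN queries, source ports {sorted(source_ports(lines)[ip])}")
    print(bind_config(flood))
    print("\n".join(iptables_rules(flood)))
```

The threshold is deliberately low for the sample; on a real server feed it a whole day of /var/log/messages and raise it, since a single denied root query from a stray client is not an attack. The blackhole list is what actually silences the log, because named stops answering those clients at all instead of logging a denial for each query.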
Update: here are some other resources on it:
http://markmail.org/message/ydiqnztzmz5qmusf
January 22, 2009, 3:42pm