Re: Tightened DNS security question re: DNS amplification attacks.
From: Mark Andrews <Mark_Andrews () isc org>
Date: Wed, 28 Jan 2009 14:06:07 +1100

In message <Pine.LNX.4.64.0901271739380.27614 () mail pirk com>, Steve Pirk writes:
> On Wed, 28 Jan 2009, jay () miscreant org wrote:
>
>> Quoting John Martinez <jmartinez () zero11 com>:
>>
>>> Are we still seeing DNS DDoS attack?
>>
>> Yep. I'm seeing ~2 queries/sec targeting
>>
>> Also seeing requests from every 1 minute 2 seconds.
>
> I run a small personal nameserver and even I am seeing requests for that
> address at ~1/sec.
>
> How many people have upgraded to the latest version of Bind 9? Reason
> I ask is that when I do my nightly port scan of my server, I no longer see
> named listening to udp on a random high order port (for replies I believe?).
> Almost the next day, I started hearing about/seeing these DNS attacks.

        Totally unrelated.  Named now creates multiple listening
        ports on demand.

> Previous nmap scan showed:
> 53/tcp    open          domain
> 53/udp    open|filtered domain
> 33591/udp open|filtered unknown
>
> Now nmap shows:
> 53/tcp    open          domain
> 53/udp    open|filtered domain
>
> The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1.
> The port was bound at startup time and did not change as long as named was
> still running.

Equal bytes for women.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews () isc org
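
The pattern the posters describe, a steady trickle of queries for one name arriving at roughly one per second, is easy to pick out of a BIND query log. The script below is an added example, not code from the thread or from ISC: it assumes the usual BIND 9 `queries` category line shape (date, `client addr#port: query: name class type`), and the log lines, addresses (RFC 5737 ranges) and the name `target.example` are all constructed for the demonstration. It groups queries by name, measures the sustained rate and the number of distinct source addresses, and reports names that exceed a count and rate threshold.

```python
"""Flag names queried at a sustained rate in a BIND 9 style query log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 query-log line shape; the regex stops after the query type so
# trailing flags such as "+" do not matter.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed sample: seven queries for one name at about 1/sec from five
# different source addresses, mixed with two ordinary lookups.
SAMPLE_LOG = """\
28-Jan-2009 14:00:00.101 client 192.0.2.10#40000: query: target.example IN ANY +
28-Jan-2009 14:00:01.104 client 192.0.2.11#40001: query: target.example IN ANY +
28-Jan-2009 14:00:01.620 client 198.51.100.7#53211: query: www.example.net IN A +
28-Jan-2009 14:00:02.099 client 192.0.2.12#40002: query: target.example IN ANY +
28-Jan-2009 14:00:03.110 client 192.0.2.10#40003: query: target.example IN ANY +
28-Jan-2009 14:00:04.097 client 192.0.2.13#40004: query: target.example IN ANY +
28-Jan-2009 14:00:05.105 client 192.0.2.11#40005: query: target.example IN ANY +
28-Jan-2009 14:00:05.900 client 198.51.100.9#51000: query: mail.example.net IN MX +
28-Jan-2009 14:00:06.102 client 192.0.2.14#40006: query: target.example IN ANY +
"""


def parse_query_log(text):
    """Yield (timestamp, source address, qname, qtype) for each matching line;
    lines from other log categories are skipped rather than raising."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m["ts"], TS_FMT), m["src"], m["qname"], m["qtype"]


def query_rates(text):
    """Per qname: query count, distinct source addresses, and queries per second
    over the span from the first to the last query for that name.
    Assumes the log is in chronological order, as a single file normally is."""
    first, last = {}, {}
    count, sources = defaultdict(int), defaultdict(set)
    for ts, src, qname, _ in parse_query_log(text):
        first.setdefault(qname, ts)
        last[qname] = ts
        count[qname] += 1
        sources[qname].add(src)
    stats = {}
    for qname in count:
        span = (last[qname] - first[qname]).total_seconds()
        rate = count[qname] / span if span > 0 else 0.0  # a single query has no rate
        stats[qname] = {"count": count[qname], "sources": len(sources[qname]), "rate": rate}
    return stats


def flag_sustained(text, min_count=5, min_rate=0.5):
    """Return [(qname, stats), ...] for names seen at least min_count times at
    min_rate queries/second or more, highest rate first. A steady trickle for
    one name spread over many source addresses is the shape worth a closer
    look; the thresholds are starting points, not a verdict."""
    stats = query_rates(text)
    hits = [(q, s) for q, s in stats.items()
            if s["count"] >= min_count and s["rate"] >= min_rate]
    return sorted(hits, key=lambda qs: qs[1]["rate"], reverse=True)


if __name__ == "__main__":
    for qname, s in flag_sustained(SAMPLE_LOG):
        print(f"{qname}: {s['count']} queries from {s['sources']} sources, "
              f"{s['rate']:.2f} q/s")
```

Run against a real log, the same functions take the file contents as `text`; the per-name source count is what separates a busy legitimate name (one or a few recursive resolvers asking repeatedly) from the spread of addresses the thread's posters were seeing.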
