topic Re: DNS attack with empty queries in Networking

DNS attack with empty queries

Robert A. Pierce — Fri, 30 Jul 2010 12:35:30 GMT

One of our external DNS servers is getting slammed with hundreds of requests per minute from some IP addresses, and I'm not sure what we can do about it.

Most remote hosts will lookup A or MX records, maybe a dozen times a day.

Standard requests look like this in our DNS log:

20100730 08:39:03 490 PACKET UDP Rcv 123.456.101.134 9f99 Q [0001 D NOERROR] (7)example(3)com(0)
20100730 08:39:03 490 PACKET UDP Snd 123.456.101.134 9f99 R Q [0085 A D NOERROR] (7)example(3)com(0)

20100730 08:39:06 490 PACKET UDP Rcv 213.321.234.175 be3c Q [1000 NOERROR] (7)example(3)com(0)
20100730 08:39:06 490 PACKET UDP Snd 213.321.234.175 be3c R Q [0084 A NOERROR] (7)example(3)com(0)

Bad requests look like this:

20100730 08:42:11 490 PACKET UDP Rcv 98.76.543.164 0da6 Q [0001 D NOERROR] (0)
20100730 08:42:11 490 PACKET UDP Snd 98.76.543.164 0da6 R Q [0281 D SERVFAIL] (0)

20100730 08:42:11 1C38 PACKET UDP Rcv 98.76.543.235 1e0f Q [0001 D NOERROR] (0)
20100730 08:42:11 1C38 PACKET UDP Snd 98.76.543.235 1e0f R Q [0281 D SERVFAIL] (0)

The attack doesn't _seem_ to do much more than eat up bandwidth, but I was hoping someone could shed some light on this subject.

Currently we limit the number of requests per IP per minute, and we block abusive IPs. After blocking, the attack shifts to another set of IP addresses.

My questions:

Is there a way to filter out only the empty requests? We don't want to over-block.

What is the purpose of this attack? Denial of service, or is this used as some sort of control channel for a rootkit or spyware?

Thanks,

Rob Pierce

Re: DNS attack with empty queries

Venu Madhava — Tue, 03 Aug 2010 05:15:22 GMT

Hi Rob,

Are these requests are from the IP addresses you are managing? If not,i think its better to use DNS sniffer for verification.

BR,
Venu.

Re: DNS attack with empty queries

Robert A. Pierce — Mon, 09 Aug 2010 11:07:48 GMT

Hi Venu,

No, the DNS queries are coming from external IPs.

Which DNS sniffer would you suggest?

Thanks,

Rob

Re: DNS attack with empty queries

Robert A. Pierce — Mon, 09 Aug 2010 11:55:42 GMT

I've installed Microsoft Network Monitor 3.4 on this server and I'm looking at the dns traffic.

The occasional standard queries look like this in Netmon:

Query for _domainkey.example.com of type TXT on class Internet

or

Query for example.com of type MX on class Internet

The abusive behaviour looks like this:

Query for of type NS on class Internet

I can get the same message with nslookup, and querying for . (dot).

I don't know why someone would want to query my DNS server for . hundreds of times per minute. What could they get from that other than annoyance?

Also, is there a way to block just that type of query?

Thanks,

Rob