[AusNOG] Botnet??
Heinz N
ausnog at equisoft.com.au
Sun Jul 29 11:22:27 EST 2012
> Just a heads up we noticed a sharp increase in our DNS requests tonight. I found a lot
> of requests for the domains spl.com and dgtl.ws. like a 1000's a sec from a few ips. I
> blocked them then more ips took over from them.
Don't forget that this is UDP so you have no idea who is actually sending
the packets. You are probably just seeing spoofed source addresses. They
can just keep changing the spoofed IPs, forcing you to do lots of typing.
I keep noticing occasional sneaky singular DNS requests for domains that
I am not authoritative for. I suspect that if my external nameserver answered
these, even with NXDOMAIN, I would see a flood of requests. Once you get
on their list, it is almost impossible to get off except by moving IP
addresses.
I was caught up in a reflected amplified DNS attack a while ago. I found
that answering ANY DNS requests to anyone is dangerous as it invites
trouble. You should only answer external requests for domains that you are
authoritative for.
I did these things which IMHO seemed to help and may be of interest to
others:
(1) Block all ingress UDP DNS (port 53) packets under 65 bytes at your
border as this is a recursive request for root domains ("NS ."). Stupid
facebook servers frequently ask for this, presumably to check that one
is not answering recursive requests. <rant> Who died and made _them_
police of the internet? </rant>
(2) Use 2 name servers. One for your internal clients/trusted IPs and
another for external IPs to query domains you are authoritative for.
Allow recursion for internal but turn it off for external. Allow any
external secondary DNS server UDP and TCP port 53 access for zone
transfers.
(3) Optional: Rate limit UDP port 53 ingress (per IP) to a suitable rate to
reduce them using your own authority records in a reflected attack.
(4) Optional: Whitelist at the router UDP port 53 ingress requests to only
those domains you are authoritative for (by string comparison). This can
be a big pain if you have lots of domains.
(5) I also added a "fake" DNS server where countries that I hate get NAT'd
to. It always answers everything with 127.0.0.1 ..... funny how the
spam frequency went down when I did that :-)
See http://www.isc.org/software/bind/ for security advisories.
Regards,
Heinz N
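As an added, runnable illustration of items (1), (3), (4) and (5) from the post above (this is example code written for this page, not code from the post or from any DNS vendor; the zone example.net, the RFC 5737 source addresses and the packets are constructed for the example), the following Python builds a few DNS queries by hand, parses the question section, and applies the described ingress policy: drop the root "NS ." probe, drop queries for zones the server is not authoritative for, and rate-limit per source address. The root probe is recognised by parsing the name rather than by a raw length threshold, since a bare "NS ." query is only 17 bytes of DNS payload (45 bytes as an IPv4/UDP packet) and a parsed match does not depend on EDNS or framing. The sinkhole function is the "fake" server from item (5): it answers any question with an A record for 127.0.0.1.

```python
"""UDP/53 ingress policy for an authoritative-only nameserver (added example).

Constructed sample traffic, not captured data: the zone example.net and the
RFC 5737 source addresses are placeholders for this illustration.
"""
import struct
import time

def encode_name(qname):
    """Wire-encode a dotted name; "." (the root) encodes as a single zero byte."""
    labels = [p for p in qname.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(qname, qtype, rd=True, txid=0x1234):
    """Minimal DNS query: 12-byte header plus one question, no EDNS."""
    flags = 0x0100 if rd else 0x0000          # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Return (txid, rd, qname, qtype) for the first question, or None if malformed."""
    if len(pkt) < 17:                          # header + root name + type/class
        return None
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount < 1:          # QR set means this is a response
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            return None
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(pkt):   # no compression pointers in a question
            return None
        labels.append(pkt[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(pkt):
        return None
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, bool(flags & 0x0100), (".".join(labels) + "." if labels else "."), qtype

class IngressPolicy:
    """Rules (1), (3) and (4) from the post, applied per packet before the server sees it."""

    def __init__(self, zones, rate_per_sec=20, burst=40, clock=time.monotonic):
        self.zones = tuple(z.lower().rstrip(".") + "." for z in zones)
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.buckets = {}                      # src ip -> (tokens, last refill time)

    def in_zone(self, qname):
        q = qname.lower()
        return any(q == z or q.endswith("." + z) for z in self.zones)

    def _allow_rate(self, src):
        """Token bucket per source address; a spoofed flood only exhausts its own bucket."""
        now = self.clock()
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[src] = (tokens, now)
            return False
        self.buckets[src] = (tokens - 1, now)
        return True

    def decide(self, src, pkt):
        q = parse_query(pkt)
        if q is None:
            return "DROP malformed"
        _txid, _rd, qname, _qtype = q
        if qname == ".":                       # rule (1): the "NS ." open-resolver probe
            return "DROP root probe"
        if not self.in_zone(qname):            # rule (4): only zones we are authoritative for
            return "DROP not-authoritative"
        if not self._allow_rate(src):          # rule (3): per-IP rate limit
            return "DROP rate-limited"
        return "ACCEPT"

def sinkhole_response(query_pkt, ip="127.0.0.1", ttl=300):
    """Rule (5): answer any query with an A record for `ip`, authoritative flag set."""
    q = parse_query(query_pkt)
    if q is None:
        return None
    txid, rd, qname, qtype = q
    flags = 0x8400 | (0x0100 if rd else 0)     # QR + AA, echo RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name pointer to offset 12
    return header + question + answer

SAMPLE_TRAFFIC = [                             # constructed, not captured
    ("192.0.2.10", build_query(".", 2)),                       # root NS probe
    ("192.0.2.11", build_query("spl.com.", 255)),              # ANY for a zone we do not host
    ("198.51.100.5", build_query("www.example.net.", 1, rd=False)),
]

def demo():
    policy = IngressPolicy(zones=["example.net"], rate_per_sec=5, burst=10)
    decisions = [(src, policy.decide(src, pkt)) for src, pkt in SAMPLE_TRAFFIC]
    flood = build_query("example.net.", 255, rd=False)          # 50 ANY queries from one source
    dropped = sum(policy.decide("203.0.113.7", flood).startswith("DROP") for _ in range(50))
    return decisions, dropped

if __name__ == "__main__":
    decisions, dropped = demo()
    for src, verdict in decisions:
        print(src, verdict)
    print("flood packets dropped:", dropped, "| 'NS .' payload bytes:", len(build_query(".", 2)))
```

The per-source bucket is what keeps a spoofed flood from locking out everyone: each forged address burns only its own allowance, and the zone match turns away the "are you an open resolver" probes before any response (even NXDOMAIN) goes back to the spoofed victim. This is a userspace model of the checks; on a real border the same matches would be expressed as router or firewall rules.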