dns-operations - [opennic-dns-operations] Concerning T2 46.252.139.27 Downtime (was: Fwd: [opennic_t2_status] Tier 2 server failure notification)

  • From: Falk Husemann <josen AT paketsequenz.de>
  • To: dns-operations AT lists.opennicproject.org
  • Cc: josen AT paketsequenz.de
  • Subject: [opennic-dns-operations] Concerning T2 46.252.139.27 Downtime (was: Fwd: [opennic_t2_status] Tier 2 server failure notification)
  • Date: Sun, 19 Aug 2012 13:03:15 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

My T2 at 46.252.139.27 was offline from yesterday 11pm until today 12am.

The T2 seems to have been used in a DNS amplification DoS which
generated too many small UDP packets to the spoofed querying client.
This took my whole cable connection down (again!).

These are the queries (had to enable query log for one minute):

query.log:19-Aug-2012 12:46:41.502 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)


Here is the iptables line to stop this attack (the hex string is the DNS wire-format name "isc.org": length 3, "isc", length 3, "org", terminating zero):

iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm -j DROP

Suggestions/improvements welcome!

Greets,
Falk
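As an added example (not code from this thread), the following Python does the two things Falk describes by hand: it counts ANY queries per minute and per client from BIND query-log lines of the format quoted above, and it derives the wire-format hex string that the iptables string match uses from a plain domain name. The log lines and the 203.0.113.7 client address in it are constructed, patterned on the lines quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample patterned on the query-log lines quoted in the thread;
# 203.0.113.7 is a documentation address standing in for an ordinary client.
SAMPLE_LOG = """\
19-Aug-2012 12:42:01.112 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)
19-Aug-2012 12:42:01.340 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)
19-Aug-2012 12:42:17.900 client 203.0.113.7#53210: query: www.example.net IN A + (46.252.139.27)
19-Aug-2012 12:43:05.001 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)
"""

# BIND 9 query-log layout: date time client ip#port: query: qname IN qtype flags (server)
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d):\d\d\.\d+ client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(text):
    """Yield one dict of fields per parsable query-log line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def count_per_minute(text, qtype="ANY", client=None):
    """Count queries per HH:MM, optionally limited to one client and one query type."""
    c = Counter()
    for q in parse_query_log(text):
        if q["qtype"] == qtype and (client is None or q["ip"] == client):
            c[q["time"]] += 1
    return dict(sorted(c.items()))

def dns_wire_name(name):
    """Encode a domain name as DNS wire-format labels: <len><label>...<0x00>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def iptables_drop_rule(name):
    """Build the iptables string-match rule that drops UDP packets carrying this name."""
    hexstr = dns_wire_name(name).hex()
    return 'iptables -A INPUT -p udp -m string --hex-string "|%s|" --algo bm -j DROP' % hexstr
```

The string match fires on that byte sequence anywhere in the UDP payload, so the rule also drops legitimate lookups of the same name; the per-minute counts are what identify which client and which minutes make up the flood.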
--- Begin Message ---
  • From: support AT opennicproject.org
  • To: hostmaster AT paketsequenz.de
  • Cc: brian AT pongonova.net
  • Subject: [opennic_t2_status] Tier 2 server failure notification
  • Date: Sun, 19 Aug 2012 20:33:01 +1000 (EST)
Our records indicate you are the owner/administrator of the
following OpenNIC Tier 2 server:

Hostname: ns1.th.de.dns.opennic.glue
IP address: 46.182.18.228
E-mail address: hostmaster AT paketsequenz.de

This server is currently in failure status, having failed 8 or more
of the most recent status tests. Please check the Tier 2 status page
( http://www.opennicproject.org/t2log/t2.php?ip_addr=46.182.18.228 )
for additional information.

--- End Message ---
--- Begin Message ---
  • From: Falk Husemann <josen AT paketsequenz.de>
  • To: abuse AT leaseweb.us
  • Cc: josen AT paketsequenz.de
  • Subject: Massive DNS Traffic from 199.115.114.218
  • Date: Sun, 19 Aug 2012 12:57:12 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Leaseweb Abuse Team,

The IP address 199.115.114.218 is flooding my public nameserver with
requests similar to the following:

19-Aug-2012 12:46:41.965 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)

These requests are always the same. Following is a count and the
respective time the requests were sent.

304 12:42
606 12:43
620 12:44
599 12:45
421 12:46

These requests produced massive outgoing UDP traffic. Please check and
send a confirmation email back to me when the offending customer is
punished.

Greets,
Husemann

--- End Message ---