Re: Spoofed my Bind 9.7.3 on Debian?

To: debian-security@lists.debian.org
Subject: Re: Spoofed my Bind 9.7.3 on Debian?
From: Bjørn Mork <bjorn@mork.no>
Date: Thu, 19 May 2011 18:59:05 +0200
Message-id: <[🔎] 878vu24ofa.fsf@nemi.mork.no>
References: <[🔎] EAC95978CD0446F8AF8571D43DA0C7DD@Marcelopc> <[🔎] 87vcx9bbt9.fsf@algae.riseup.net> <[🔎] B41BDED4114E044089F69B5B7FA2B8090105B883@corpatsmail4.corp.sensis.com> <[🔎] ECEFB42F27B24A88AA3E5A06B4F11FBD@Marcelopc> <[🔎] B41BDED4114E044089F69B5B7FA2B8090105B88C@corpatsmail4.corp.sensis.com> <[🔎] 6AEF6CD388874A0B81F9E8047543B624@Marcelopc> <[🔎] 8FF594C4F323488394AD778692F74EB9@Marcelopc>

"OLCESE, Marcelo Oscar." <molcese@ancal.com.ar> writes:

> Since 08 May to date I have many daily log of my  BIND 9.7.3
> This one run on Debian 6.
>
> Any ideas?

It's a DDoS attack against the addresses you see as clients in the log.
The source addresses are spoofed, and the idea is to make your name
server return a larger reply to these addresses amplifying the attack.
This won't work with modern bind versions.

The attack might still be effective if it tricks you into blocking these
source addresses, which most likely belong to some authoritative DNS
servers somewhere. If you block them, then you're effectively
blackholing any domains hosted there as seen from your resolvers.

The best you can do is just ignoring these log entries.

Such attacks were popular a couple of years ago.  Didn't know they were
still around. See e.g. http://markmail.org/message/ydiqnztzmz5qmusf

Bjørn

Reply to:

Follow-Ups:
- Re: Spoofed my Bind 9.7.3 on Debian?
  - From: "OLCESE, Marcelo Oscar." <molcese@ancal.com.ar>

References:
- Errors when running cron(Debian 6)
  - From: "OLCESE, Marcelo Oscar." <molcese@ancal.com.ar>
- Re: Errors when running cron(Debian 6)
  - From: micah anderson <micah@riseup.net>
- RE: Errors when running cron(Debian 6)
  - From: "Desai, Jason" <jase@sensis.com>
- Re: Errors when running cron(Debian 6)
  - From: "OLCESE, Marcelo Oscar." <molcese@ancal.com.ar>
- RE: Errors when running cron(Debian 6)
  - From: "Desai, Jason" <jase@sensis.com>
- Re: Errors when running cron(Debian 6)
  - From: "OLCESE, Marcelo Oscar." <molcese@ancal.com.ar>
- Spoofed my Bind 9.7.3 on Debian?
  - From: "OLCESE, Marcelo Oscar." <molcese@ancal.com.ar>

Prev by Date: Spoofed my Bind 9.7.3 on Debian?
Next by Date: Re: Spoofed my Bind 9.7.3 on Debian?
Previous by thread: Spoofed my Bind 9.7.3 on Debian?
Next by thread: Re: Spoofed my Bind 9.7.3 on Debian?
Index(es):
- Date
- Thread