[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Spoofed my Bind 9.7.3 on Debian?

Excellent Bjorn!, now sleep a little easier


----- Original Message ----- From: "Bjørn Mork" <bjorn@mork.no>
To: <debian-security@lists.debian.org>
Sent: Thursday, May 19, 2011 1:59 PM
Subject: Re: Spoofed my Bind 9.7.3 on Debian?

"OLCESE, Marcelo Oscar." <molcese@ancal.com.ar> writes:

Since 08 May to date I have many daily log of my  BIND 9.7.3
This one run on Debian 6.

Any ideas?

It's a DDoS attack against the addresses you see as clients in the log.
The source addresses are spoofed, and the idea is to make your name
server return a larger reply to these addresses amplifying the attack.
This won't work with modern bind versions.

The attack might still be effective if it tricks you into blocking these
source addresses, which most likely belong to some authoritative DNS
servers somewhere. If you block them, then you're effectively
blackholing any domains hosted there as seen from your resolvers.

The best you can do is just ignoring these log entries.

Such attacks were popular a couple of years ago.  Didn't know they were
still around. See e.g. http://markmail.org/message/ydiqnztzmz5qmusf


To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: [🔎] 878vu24ofa.fsf@nemi.mork.no">http://lists.debian.org/[🔎] 878vu24ofa.fsf@nemi.mork.no

Reply to: