I'm seeing a flood of DNS queries to a caching server. I ran it public for a while and maybe someone found it. Turned it back off, but the queries continue (and never get an answer). What is strange is that the queries come FROM port 80 (and to port 53, of course). They all are "ANY? isc.org".
I suspect they are forged packets intended to drive response or reject packets back to the DoS target. But there are 3 such IPs. The rate is not very high, but that's probably the distributed aspect. If you run a public DNS cache, maybe you might want to check and see if this is incoming.
Any thoughts on this?
Code:
02:57:26.158686 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 23785+ [1au] ANY? isc.org. (36)
02:57:26.429394 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 30066+ [1au] ANY? isc.org. (36)
02:57:26.434270 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 62860+ [1au] ANY? isc.org. (36)
02:57:26.752222 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 34360+ [1au] ANY? isc.org. (36)
02:57:26.783063 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 21194+ [1au] ANY? isc.org. (36)
02:57:26.783351 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 43304+ [1au] ANY? isc.org. (36)
02:57:27.174876 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 19978+ [1au] ANY? isc.org. (36)
02:57:27.177118 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 46891+ [1au] ANY? isc.org. (36)
02:57:27.626391 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 33863+ [1au] ANY? isc.org. (36)
02:57:27.907703 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 33817+ [1au] ANY? isc.org. (36)
02:57:27.980037 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 54329+ [1au] ANY? isc.org. (36)
02:57:28.077596 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 39359+ [1au] ANY? isc.org. (36)
02:57:28.171602 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 13395+ [1au] ANY? isc.org. (36)
02:57:28.459466 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 21449+ [1au] ANY? isc.org. (36)
02:57:28.601944 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 52675+ [1au] ANY? isc.org. (36)
02:57:28.669772 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 14800+ [1au] ANY? isc.org. (36)
I think your analysis is correct. I suspect that it is a form of DOS attack, but not directed at you. Rather, it is an attempt to use your previously open DNS in an attack against someone else using a technique called DNS Amplification. As you noted, the query rate is low and only consists of 36 bytes. However, the return can contain several K and is likely sent to a spoofed IP address. A few hundred queries, spread across several DNS systems can result in hundreds of megabits per second being reflected back to the target system. The fact that they are originating on port 80 makes me think that it may be originating as some form of web script writing raw UDP traffic. The site http://foxpa.ws/ has quite a few good write ups regarding this form of DNS attack.
Last edited by Noway2; 03-24-2012 at 07:11 AM.
Reason: wrong word from spellcheck (amplification)
check your network for malware, this can also be deliberately routed to isc.org, I do know they cooperate with the FBI in preventing some big malware issues regarding DNS.
I've been having similar (random source ports instead of 80) attacks off and on for about a year now. My solution was to turn on query logging (rndc querylog) and write a filter for fail2ban. I still see the attacks coming in but they quickly get blocked and they aren't taking up enough incoming bandwidth to matter.
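A small detection pass over tcpdump lines in the format quoted in the first post, added here as an example (not code from any of the posters) to go with the amplification explanation and the query-logging/fail2ban approach above: it picks out source IPs matching the reflection pattern described in the thread (every query an ANY query, one fixed source port, several queries seen) and reports their count and rate. The sample lines are constructed with documentation IP ranges rather than the real addresses from the capture, and the min_queries threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict
# Constructed sample in the tcpdump format quoted in the thread (documentation IPs, not a real capture).
SAMPLE = """\
02:57:26.158686 IP 203.0.113.10.80 > 192.0.2.53.53: 23785+ [1au] ANY? isc.org. (36)
02:57:26.429394 IP 203.0.113.20.80 > 192.0.2.53.53: 30066+ [1au] ANY? isc.org. (36)
02:57:26.434270 IP 203.0.113.10.80 > 192.0.2.53.53: 62860+ [1au] ANY? isc.org. (36)
02:57:26.752222 IP 203.0.113.10.80 > 192.0.2.53.53: 34360+ [1au] ANY? isc.org. (36)
02:57:26.783063 IP 198.51.100.7.51322 > 192.0.2.53.53: 21194+ A? example.com. (40)
02:57:27.174876 IP 203.0.113.10.80 > 192.0.2.53.53: 19978+ [1au] ANY? isc.org. (36)
"""

# One tcpdump query line: timestamp, src.port > dst.53, id, optional EDNS marker, QTYPE? name (len).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.53: "
    r"\d+\+? (?:\[1au\] )?(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

def seconds(ts):
    # HH:MM:SS.ffffff -> seconds since midnight (assumes the capture does not cross midnight)
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(text):
    """Return one dict per recognised query line; other tcpdump lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["sport"], r["len"], r["t"] = int(r["sport"]), int(r["len"]), seconds(r["ts"])
            records.append(r)
    return records

def suspect_sources(records, min_queries=3):
    """Flag source IPs whose queries are all ANY and arrive from one fixed source port,
    the spoofed-source reflection pattern described in the thread (threshold is an assumption)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    flagged = {}
    for src, rs in by_src.items():
        ports = {r["sport"] for r in rs}
        if len(rs) >= min_queries and len(ports) == 1 and all(r["qtype"] == "ANY" for r in rs):
            span = max(r["t"] for r in rs) - min(r["t"] for r in rs)
            flagged[src] = {"count": len(rs), "sport": ports.pop(),
                            "qnames": sorted({r["qname"] for r in rs}),
                            "rate": len(rs) / span if span > 0 else float("inf")}
    return flagged
```

Feed it `tcpdump -n -i eth0 udp dst port 53` output (or a saved capture printed the same way) and the flagged set is what a fail2ban-style rule would block; a source that mixes ANY with ordinary A/AAAA queries from changing ports is left alone.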