Old 03-23-2012, 02:01 AM   #1
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Is this a DoS attack?


I'm seeing a flood of DNS queries to a caching server. I ran it public for a while and maybe someone found it. Turned it back off, but the queries continue (and never get an answer). What is strange is that the queries come FROM port 80 (and to port 53, of course). They all are "ANY? isc.org".

I suspect they are forged packets intended to drive response or reject packets back to the DoS target. But there are 3 such IPs. The rate is not very high, but that's probably the distributed aspect. If you run a public DNS cache, maybe you might want to check and see if this is incoming.

Any thoughts on this?

Code:
02:57:26.158686 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 23785+ [1au] ANY? isc.org. (36)
02:57:26.429394 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 30066+ [1au] ANY? isc.org. (36)
02:57:26.434270 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 62860+ [1au] ANY? isc.org. (36)
02:57:26.752222 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 34360+ [1au] ANY? isc.org. (36)
02:57:26.783063 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 21194+ [1au] ANY? isc.org. (36)
02:57:26.783351 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 43304+ [1au] ANY? isc.org. (36)
02:57:27.174876 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 19978+ [1au] ANY? isc.org. (36)
02:57:27.177118 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 46891+ [1au] ANY? isc.org. (36)
02:57:27.626391 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 33863+ [1au] ANY? isc.org. (36)
02:57:27.907703 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 33817+ [1au] ANY? isc.org. (36)
02:57:27.980037 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 54329+ [1au] ANY? isc.org. (36)
02:57:28.077596 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 39359+ [1au] ANY? isc.org. (36)
02:57:28.171602 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 13395+ [1au] ANY? isc.org. (36)
02:57:28.459466 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 21449+ [1au] ANY? isc.org. (36)
02:57:28.601944 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 52675+ [1au] ANY? isc.org. (36)
02:57:28.669772 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 14800+ [1au] ANY? isc.org. (36)

Last edited by Skaperen; 03-23-2012 at 02:02 AM.
 
Old 03-23-2012, 09:08 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

I think your analysis is correct. I suspect that it is a form of DOS attack, but not directed at you. Rather, it is an attempt to use your previously open DNS in an attack against someone else using a technique called DNS Amplification. As you noted, the query rate is low and only consists of 36 bytes. However, the return can contain several K and is likely sent to a spoofed IP address. A few hundred queries, spread across several DNS systems, can result in hundreds of megabits per second being reflected back to the target system. The fact that they are originating on port 80 makes me think that it may be originating as some form of web script writing raw UDP traffic. The site http://foxpa.ws/ has quite a few good write-ups regarding this form of DNS attack.

Last edited by Noway2; 03-24-2012 at 07:11 AM. Reason: wrong word from spellcheck (amplification)
 
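As an added illustration of the pattern Noway2 describes (example code, not the thread's own): parse tcpdump lines in the format of the first post and flag sources that repeatedly send ANY queries from a well-known port. The sample lines are constructed in that same format, and the response size used for the amplification ratio is an assumed figure, since the thread only says "several K".

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's DNS summary format, in the same shape as the
# thread's capture (WW.XX.YY.ZZ stands in for the resolver, as in the post).
SAMPLE = """\
02:57:26.158686 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 23785+ [1au] ANY? isc.org. (36)
02:57:26.429394 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 30066+ [1au] ANY? isc.org. (36)
02:57:26.434270 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 62860+ [1au] ANY? isc.org. (36)
02:57:26.752222 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 34360+ [1au] ANY? isc.org. (36)
02:57:26.783351 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 43304+ [1au] ANY? isc.org. (36)
02:57:27.177118 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 46891+ [1au] ANY? isc.org. (36)
02:57:27.300000 IP 192.0.2.10.51234 > WW.XX.YY.ZZ.53: 11111+ A? example.com. (29)
"""

# One tcpdump DNS line: time IP src.port > dst.port: id[+] [1au] QTYPE? name (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): \d+\+? (?:\[1au\] )?"
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)

def parse(text):
    """Return one dict per line that parses as a DNS query summary."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def reflection_suspects(queries, min_any=2, assumed_response_bytes=3000):
    """Flag sources that repeatedly send ANY queries. A source port below 1024
    is noted because a normal stub resolver sends from an ephemeral port.
    assumed_response_bytes is a stand-in for the isc.org ANY answer size."""
    by_src = defaultdict(list)
    for q in queries:
        if q["qtype"] == "ANY":
            by_src[q["src"]].append(q)
    report = {}
    for src, qs in by_src.items():
        if len(qs) < min_any:
            continue
        request_bytes = sum(int(q["size"]) for q in qs)  # DNS payload bytes
        report[src] = {
            "any_queries": len(qs),
            "names": sorted({q["qname"] for q in qs}),
            "wellknown_sport": all(int(q["sport"]) < 1024 for q in qs),
            "est_amplification": round(
                assumed_response_bytes * len(qs) / request_bytes, 1),
        }
    return report
```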
Old 04-03-2012, 02:26 PM   #3
Steviepower
Member
 
Registered: May 2010
Location: Eindhoven
Distribution: ubuntu/debian
Posts: 152

Check your network for malware; this can also be deliberately routed to isc.org. I do know they cooperate with the FBI in preventing some big malware issues regarding DNS.
 
Old 04-09-2012, 05:44 PM   #4
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Original Poster
Quote:
Originally Posted by Steviepower
Check your network for malware; this can also be deliberately routed to isc.org. I do know they cooperate with the FBI in preventing some big malware issues regarding DNS.
Already checked for that quite a while ago.
 
Old 07-23-2012, 07:01 PM   #5
eeekster
Member
 
Registered: Sep 2011
Posts: 158

I've been having similar (random source ports instead of 80) attacks off and on for about a year now. My solution was to turn on query logging (rndc querylog) and write a filter for fail2ban. I still see the attacks coming in but they quickly get blocked and they aren't taking up enough incoming bandwidth to matter.
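A worked version of the approach in the post above, added here and not the poster's own filter: a fail2ban-style failregex for BIND's query log, replayed over constructed log lines with fail2ban's maxretry/findtime counting. The log line format and the `<HOST>` expansion used by fail2ban 0.8 are assumptions; check both against your own versions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical fail2ban filter (e.g. filter.d/named-any.conf): match any client
# that asks for type ANY. Not the poster's filter; written for this example.
FILTER_CONF = r"""
[Definition]
failregex = client <HOST>#\d+: query: \S+ IN ANY
ignoreregex =
"""

# What fail2ban 0.8 substitutes for the <HOST> token (assumed for your version).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Constructed BIND 9.x query log lines (format assumed from 'rndc querylog'
# output of that era); WW.XX.YY.ZZ stands in for the resolver as in the thread.
LOG = """\
23-Jul-2012 19:00:01.101 client 199.59.164.182#80: query: isc.org IN ANY +E (WW.XX.YY.ZZ)
23-Jul-2012 19:00:01.430 client 192.0.2.10#51234: query: www.example.com IN A +E (WW.XX.YY.ZZ)
23-Jul-2012 19:00:02.004 client 199.59.164.182#80: query: isc.org IN ANY +E (WW.XX.YY.ZZ)
23-Jul-2012 19:00:02.912 client 199.59.164.182#80: query: isc.org IN ANY +E (WW.XX.YY.ZZ)
23-Jul-2012 19:00:03.215 client 72.251.250.98#80: query: isc.org IN ANY +E (WW.XX.YY.ZZ)
23-Jul-2012 19:30:00.000 client 72.251.250.98#80: query: isc.org IN ANY +E (WW.XX.YY.ZZ)
23-Jul-2012 19:30:00.500 client 72.251.250.98#80: query: isc.org IN ANY +E (WW.XX.YY.ZZ)
"""
DATE_RE = re.compile(r"^(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d{3} ")

def compile_failregex(conf):
    """Pull failregex out of the filter file and expand <HOST> like fail2ban does."""
    raw = re.search(r"^failregex\s*=\s*(.+)$", conf, re.M).group(1).strip()
    return re.compile(raw.replace("<HOST>", HOST_RE))

def offenders(log, conf=FILTER_CONF, maxretry=3, findtime=600):
    """Replay fail2ban's jail logic: a host is banned once it has maxretry
    matching lines within a sliding window of findtime seconds."""
    rx = compile_failregex(conf)
    recent = defaultdict(list)
    banned = []
    for line in log.splitlines():
        date, hit = DATE_RE.match(line), rx.search(line)
        if not (date and hit):
            continue
        ts = datetime.strptime(date.group(1), "%d-%b-%Y %H:%M:%S")
        host = hit.group("host")
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

Because the client addresses in a reflection attack are spoofed, the ban stops your server from reflecting answers toward the spoofed address rather than reaching the real sender; it limits the damage, which matches what the poster reports.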
 
  

