LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-23-2012, 02:01 AM   #1
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Is this a DoS attack?


I'm seeing a flood of DNS queries to a caching server. I ran it public for a while and maybe someone found it. Turned it back off, but the queries continue (and never get an answer). What is strange is that the queries come FROM port 80 (and to port 53, of course). They all are "ANY? isc.org".

I suspect they are forged packets intended to drive response or reject packets back to the DoS target. But there are 3 such IPs. The rate is not very high, but that's probably the distributed aspect. If you run a public DNS cache, maybe you might want to check and see if this is incoming.

Any thoughts on this?

Code:
02:57:26.158686 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 23785+ [1au] ANY? isc.org. (36)
02:57:26.429394 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 30066+ [1au] ANY? isc.org. (36)
02:57:26.434270 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 62860+ [1au] ANY? isc.org. (36)
02:57:26.752222 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 34360+ [1au] ANY? isc.org. (36)
02:57:26.783063 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 21194+ [1au] ANY? isc.org. (36)
02:57:26.783351 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 43304+ [1au] ANY? isc.org. (36)
02:57:27.174876 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 19978+ [1au] ANY? isc.org. (36)
02:57:27.177118 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 46891+ [1au] ANY? isc.org. (36)
02:57:27.626391 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 33863+ [1au] ANY? isc.org. (36)
02:57:27.907703 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 33817+ [1au] ANY? isc.org. (36)
02:57:27.980037 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 54329+ [1au] ANY? isc.org. (36)
02:57:28.077596 IP 199.59.164.182.80 > WW.XX.YY.ZZ.53: 39359+ [1au] ANY? isc.org. (36)
02:57:28.171602 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 13395+ [1au] ANY? isc.org. (36)
02:57:28.459466 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 21449+ [1au] ANY? isc.org. (36)
02:57:28.601944 IP 72.251.250.98.80 > WW.XX.YY.ZZ.53: 52675+ [1au] ANY? isc.org. (36)
02:57:28.669772 IP 212.227.135.196.80 > WW.XX.YY.ZZ.53: 14800+ [1au] ANY? isc.org. (36)

Last edited by Skaperen; 03-23-2012 at 02:02 AM.
 
Old 03-23-2012, 09:08 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

I think your analysis is correct. I suspect that it is a form of DoS attack, but not directed at you. Rather, it is an attempt to use your previously open DNS in an attack against someone else using a technique called DNS Amplification. As you noted, the query rate is low and only consists of 36 bytes. However, the return can contain several K and is likely sent to a spoofed IP address. A few hundred queries, spread across several DNS systems, can result in hundreds of megabits per second being reflected back to the target system. The fact that they are originating on port 80 makes me think that it may be originating as some form of web script writing raw UDP traffic. The site http://foxpa.ws/ has quite a few good write-ups regarding this form of DNS attack.

Last edited by Noway2; 03-24-2012 at 07:11 AM. Reason: wrong word from spellcheck (amplification)
 
Old 04-03-2012, 02:26 PM   #3
Steviepower
Member
 
Registered: May 2010
Location: Eindhoven
Distribution: ubuntu/debian
Posts: 152

Check your network for malware. This can also be deliberately routed to isc.org; I do know they cooperate with the FBI in preventing some big malware issues regarding DNS.
 
Old 04-09-2012, 05:44 PM   #4
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684

Original Poster
Blog Entries: 31

Quote:
Originally Posted by Steviepower View Post
Check your network for malware. This can also be deliberately routed to isc.org; I do know they cooperate with the FBI in preventing some big malware issues regarding DNS.
Already checked for that quite a while ago.
 
Old 07-23-2012, 07:01 PM   #5
eeekster
Member
 
Registered: Sep 2011
Posts: 163

I've been having similar (random source ports instead of 80) attacks off and on for about a year now. My solution was to turn on query logging (rndc querylog) and write a filter for fail2ban. I still see the attacks coming in but they quickly get blocked and they aren't taking up enough incoming bandwidth to matter.
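The amplification reasoning in post #2 (36-byte query in, "several K" out, toward a spoofed source) and the log-and-block approach in post #5 can be turned into a small checker. The script below is an added example, not code from this thread or from BIND or fail2ban. It assumes tcpdump's default UDP/DNS line format as shown in the first post, BIND's querylog format "client A.B.C.D#PORT: query: NAME IN TYPE ...", and an assumed 3000-byte ANY response (EST_RESPONSE_BYTES; measure your own server's answer and adjust). The sample lines are constructed with RFC 5737 documentation addresses. The flagged "sources" are the spoofed victims, so the generated rules only stop this server reflecting at them, which is all a reflector can do.

```python
"""Spot DNS ANY-query reflection floods in tcpdump or BIND querylog output.

Added example, not code from the thread. Assumes tcpdump's default DNS line
format, BIND's "client A.B.C.D#PORT: query: NAME IN TYPE" querylog format,
and an estimated ANY response size (EST_RESPONSE_BYTES).
"""
import re
from collections import defaultdict

EST_RESPONSE_BYTES = 3000  # assumption: post #2 only says "several K"

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
    r" > (?P<dst>\S+)\.53: \d+\+? (?:\[1au\] )?(?P<qtype>[A-Z0-9]+)\? "
    r"(?P<qname>\S+) \((?P<len>\d+)\)$"
)
# BIND 9 querylog; newer versions insert "(NAME)" after the port, so allow it.
BIND_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#(?P<sport>\d+)(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def _seconds(hms):
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a query record for one tcpdump or BIND querylog line, else None."""
    m = TCPDUMP_RE.match(line.strip())
    if m:
        return {"src": m["src"], "sport": int(m["sport"]), "qtype": m["qtype"],
                "qname": m["qname"].rstrip("."), "ts": _seconds(m["ts"]),
                "qlen": int(m["len"])}
    m = BIND_RE.search(line)
    if m:
        return {"src": m["src"], "sport": int(m["sport"]), "qtype": m["qtype"],
                "qname": m["qname"].rstrip("."), "ts": None, "qlen": None}
    return None


def find_reflection_sources(lines, min_queries=5, est_response_bytes=EST_RESPONSE_BYTES):
    """Group ANY queries by claimed source address and flag the busy ones.

    The "source" of a reflection query is the spoofed victim, not the attacker.
    """
    acc = defaultdict(lambda: {"count": 0, "sports": set(), "qnames": set(),
                               "first": None, "last": None, "qbytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        a = acc[rec["src"]]
        a["count"] += 1
        a["sports"].add(rec["sport"])
        a["qnames"].add(rec["qname"])
        if rec["qlen"] is not None:
            a["qbytes"] += rec["qlen"]
        if rec["ts"] is not None:
            a["first"] = rec["ts"] if a["first"] is None else min(a["first"], rec["ts"])
            a["last"] = rec["ts"] if a["last"] is None else max(a["last"], rec["ts"])
    report = {}
    for src, a in acc.items():
        span = None if a["first"] is None else a["last"] - a["first"]
        report[src] = {
            "count": a["count"],
            "qnames": sorted(a["qnames"]),
            # one unchanging source port across many queries is a spoofing tell
            "fixed_port": len(a["sports"]) == 1,
            "qps": a["count"] / span if span else None,
            # bytes reflected at the victim per byte the attacker had to send us
            "amplification": (est_response_bytes * a["count"] / a["qbytes"]
                              if a["qbytes"] else None),
            "flagged": a["count"] >= min_queries,
        }
    return report


def block_rules(report):
    """iptables rules dropping UDP/53 from each flagged (spoofed) source."""
    return [f"iptables -I INPUT -p udp --dport 53 -s {src} -j DROP"
            for src, r in sorted(report.items()) if r["flagged"]]


# Constructed sample input (RFC 5737 addresses), modelled on the first post.
SAMPLE_TCPDUMP = [
    f"02:57:{s} IP 192.0.2.10.80 > 203.0.113.7.53: {i}+ [1au] ANY? isc.org. (36)"
    for i, s in enumerate(["26.000000", "26.300000", "26.600000", "26.900000",
                           "27.200000", "27.500000", "27.800000", "28.000000"], 1)
] + [
    "02:57:26.700000 IP 192.0.2.20.51234 > 203.0.113.7.53: 9001+ [1au] ANY? isc.org. (36)",
    "02:57:27.900000 IP 192.0.2.20.40011 > 203.0.113.7.53: 9002+ [1au] ANY? isc.org. (36)",
    "02:57:28.100000 IP 198.51.100.5.40000 > 203.0.113.7.53: 4242+ A? www.example.com. (33)",
    "garbage line that is not a DNS query",
]
SAMPLE_BIND = [  # constructed BIND querylog lines
    "23-Jul-2012 19:01:02.123 client 192.0.2.30#80: query: isc.org IN ANY +E (203.0.113.7)",
    "23-Jul-2012 19:01:02.456 client 192.0.2.30#80: query: isc.org IN ANY +E (203.0.113.7)",
    "23-Jul-2012 19:01:02.789 client 192.0.2.30#80: query: isc.org IN ANY +E (203.0.113.7)",
    "23-Jul-2012 19:01:03.001 client 198.51.100.9#33333: query: www.example.com IN A +E (203.0.113.7)",
]

if __name__ == "__main__":
    report = find_reflection_sources(SAMPLE_TCPDUMP)
    for src, r in report.items():
        print(src, r)
    for rule in block_rules(report):
        print(rule)
```

Run it as-is to see the constructed sample scored, or feed it `tcpdump -n -l udp port 53` output or a BIND query log on stdin after swapping the sample list for `sys.stdin`. The fixed-port check is what the first post noticed by eye: legitimate resolvers randomise their source port, so hundreds of queries from one address all on port 80 are almost certainly forged. With a 36-byte query and the assumed 3000-byte answer the factor comes out near 83, which is why a low query rate still matters.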
 
  

