DDOS attack in BIND9
Based on the log below, I assume that my DNS server has been attacked using a DDoS attack. It is because the domains mysop.com.my and lingkup.com.my are not valid anymore. The only valid domain is gh.com.my. How do I check whether the DNS server is compromised or not? I've installed rkhunter and chkrootkit and found nothing.
Does anybody know of any threat for BIND9 in a DDoS attack?

11:29:10.730443 tilapia.domain > 202.103.44.165.32801: 51272*- 0/1/1 (102) (DF)
11:29:10.731382 202.103.44.165.32801 > tilapia.domain: 45674 [1au] AAAA? ns2.lingkup.com.my. OPT UDPsize=4096 (52) (DF)
11:29:10.731746 tilapia.domain > 202.103.44.165.32801: 45674*- 0/1/1 (106) (DF)
11:29:11.547598 nsc00.chi.us.siteprotect.com.29092 > tilapia.domain: 44845 A? moysop.com.my. (30) (DF)
11:29:11.547987 tilapia.domain > nsc00.chi.us.siteprotect.com.29092: 44845- 0/2/2 (111) (DF)
11:29:12.756106 phil-cns01.inflow.pa.bo.comcast.net.33616 > tilapia.domain: 53654 MX? lingkup.com.my. (37) (DF)
11:29:12.756400 tilapia.domain > phil-cns01.inflow.pa.bo.comcast.net.33616: 53654*- 0/1/0 (91) (DF)
11:29:14.557896 216.230.196.252.11085 > tilapia.domain: 9143 A? moysop.com.my. (30)
11:29:14.558319 tilapia.domain > 216.230.196.252.11085: 9143- 0/2/2 (111) (DF)
11:29:15.407060 202.188.0.161.39903 > tilapia.domain: 30885 A? smtp.gh.com.my. (33) (DF)
11:29:15.407374 tilapia.domain > 202.188.0.161.39903: 30885 NXDomain*- 0/1/0 (100) (DF)
Well, a DDoS attack is not usually to compromise systems, but to knock them offline. Is there a reason you think this was an attack? It looks fairly benign to me.
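One way to put numbers behind the "fairly benign" judgement in the reply, as an added example that is not part of the thread: a small Python script that parses tcpdump DNS lines of the kind quoted in the question and reports the query rate, how many distinct resolvers are asking, how many queries target zones the server no longer serves, and how many answers were NXDomain. The sample lines are constructed from the post; the server name tilapia.domain and the valid-zone list gh.com.my come from the question; the rate and concentration thresholds in assess() are illustrative assumptions, not BIND defaults. A flood looks like thousands of queries per second, often concentrated on a few sources or one name; a handful of queries for stale zones from unrelated resolvers is the normal tail of old delegations and cached records.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample (hypothetical), modelled on the tcpdump lines quoted in the question.
SAMPLE_LOG = """\
11:29:10.731382 202.103.44.165.32801 > tilapia.domain: 45674 [1au] AAAA? ns2.lingkup.com.my. OPT UDPsize=4096 (52) (DF)
11:29:10.731746 tilapia.domain > 202.103.44.165.32801: 45674*- 0/1/1 (106) (DF)
11:29:11.547598 nsc00.chi.us.siteprotect.com.29092 > tilapia.domain: 44845 A? moysop.com.my. (30) (DF)
11:29:11.547987 tilapia.domain > nsc00.chi.us.siteprotect.com.29092: 44845- 0/2/2 (111) (DF)
11:29:12.756106 phil-cns01.inflow.pa.bo.comcast.net.33616 > tilapia.domain: 53654 MX? lingkup.com.my. (37) (DF)
11:29:14.557896 216.230.196.252.11085 > tilapia.domain: 9143 A? moysop.com.my. (30)
11:29:15.407060 202.188.0.161.39903 > tilapia.domain: 30885 A? smtp.gh.com.my. (33) (DF)
11:29:15.407374 tilapia.domain > 202.188.0.161.39903: 30885 NXDomain*- 0/1/0 (100) (DF)
"""

# A tcpdump DNS query line: "<ts> <src>.<port> > <dst>: <id>[+] [1au] <QTYPE>? <qname>. ..."
# Responses ("45674*- 0/1/1") have no whitespace after the id, so they do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)\+?\s+(?:\[\w+\]\s+)?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)
NXDOMAIN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): \d+ NXDomain")


def _strip_port(endpoint):
    """tcpdump prints host.port; drop the trailing port label."""
    return endpoint.rsplit(".", 1)[0]


def _seconds(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight (float)."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def parse_queries(text, server="tilapia.domain"):
    """Return one dict per query addressed to `server`; responses are skipped."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m and m.group("dst") == server:
            queries.append({
                "t": _seconds(m.group("ts")),
                "src": _strip_port(m.group("src")),
                "qtype": m.group("qtype"),
                "qname": m.group("qname").rstrip("."),
            })
    return queries


def count_nxdomain(text, server="tilapia.domain"):
    """Count NXDomain answers sent by `server`."""
    n = 0
    for line in text.splitlines():
        m = NXDOMAIN_RE.match(line)
        if m and m.group("src") == server:
            n += 1
    return n


def summarize(queries):
    """Rate, source spread and name distribution of the parsed queries."""
    if not queries:
        return {"total": 0, "span_s": 0.0, "qps": 0.0, "distinct_sources": 0,
                "top_source_share": 0.0, "by_source": Counter(), "by_qname": Counter()}
    by_source = Counter(q["src"] for q in queries)
    by_qname = Counter(q["qname"] for q in queries)
    times = [q["t"] for q in queries]
    span = max(times) - min(times)
    total = len(queries)
    # A single query (or identical timestamps) gives a zero span; report the count itself.
    qps = total / span if span > 0 else float(total)
    return {"total": total, "span_s": span, "qps": qps,
            "distinct_sources": len(by_source),
            "top_source_share": max(by_source.values()) / total,
            "by_source": by_source, "by_qname": by_qname}


def stale_zone_queries(queries, valid_zones):
    """Queries for names outside the zones this server still legitimately serves."""
    def in_valid(name):
        return any(name == z or name.endswith("." + z) for z in valid_zones)
    return Counter(q["qname"] for q in queries if not in_valid(q["qname"]))


def assess(summary, flood_qps=500.0, concentration=0.5):
    """Rough triage string. Thresholds are illustrative assumptions, not BIND defaults."""
    if summary["total"] == 0:
        return "no queries"
    if summary["qps"] >= flood_qps:
        who = "few sources" if summary["top_source_share"] >= concentration else "many sources"
        return f"flood-like: {summary['qps']:.0f} q/s from {who}"
    return f"ordinary: {summary['qps']:.1f} q/s from {summary['distinct_sources']} resolvers"


if __name__ == "__main__":
    # Usage: python dnsrate.py capture.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    qs = parse_queries(text)
    s = summarize(qs)
    print(assess(s))
    print("NXDomain answers:", count_nxdomain(text))
    print("queries for zones no longer served:", dict(stale_zone_queries(qs, ("gh.com.my",))))
```

Feed it a real capture with `tcpdump -n -i eth0 port 53 > capture.txt`; with `-n`, source endpoints appear as addresses rather than resolved hostnames, but the port-stripping logic is the same. For the sample, the verdict is about one query per second from five unrelated resolvers, with four of the five queries hitting zones the server no longer serves; that is leftover delegation and cache traffic, not a flood, and says nothing about the host being compromised (that question is answered by host integrity checks, not query logs).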