North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: dns hits / 212.5.128/19 going wild

  • From: Kevin Houle
  • Date: Wed Apr 26 12:46:34 2000

Hash: SHA1

JP Donnio wrote:
> I am seeing a somewhat similar problem with my name server. It is configured
> not to recurse queries except for our network. Since I enabled this feature,
> I noticed we receive numerous requests from unauthorized hosts. It seems all
> the unauthorized queries are MX requests for AOL.COM. Here's a sample
> rejection log:
> 25-Apr-2000 12:21:48.647 security: unapproved recursive query from
> [].2091 for
> Now I do not understand why we are getting those hits. Our nameserver
> ( is not an secondary and has never been.
> Does anyone have a clue?

We have had several reports of similar activity this year, and a
recent increase in reports. The leading theory is that this is a
signature of a denial of service attack. The general idea is that
a DNS query is sent via UDP to an intermediate nameserver using a 
spoofed source address. The nameserver's reply is directed to the 
spoofed address, which in the DoS attack, is the victim.

The size of the response can be greater than the size of the 
request, which causes packet amplification. The degree of 
amplification depends on the size of the query, the recursive
nature of the nameserver, and the size of the answer. Where
recursion is turned off, there is still a 'rejected' message 
sent, and the reject is typically logged. We've seen this 
technique used in a distributed fashion, with multiple nameservers 
receiving queries from similar forged source addresses.

The DoS method described here is a known issue. AusCERT published 
an advisory in August 1999 that may be of interest.


- --
Kevin Houle
CERT Coordination Center

Version: PGP for Personal Privacy 5.0
Charset: noconv