The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Wednesday, January 04, 2012

An annoying attack

It looks like today is “Attack Day.” I run a program to show the output from syslog in real time (it's part of my syslogintr project) and (like right as I type this) I'm seeing a slew of bogus DNS queries:

security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied

And not just from that IP address either—so far 87 different IPs have been sending bogus requests to my DNS server. I would also like to find the program that does this, as every single request has come from the same port. Different IP address, sure, but the source port is always the same.

I'm also seriously tempted to write a program to send back a nice, custom response to these, in the hopes that the program actually cares about the response. The obvious thing to do is send back a response that contains an infinitely long domain name—it's not hard to do, just the right two bytes in the right location and you have an infinitely long name to parse (this is exploiting the DNS message compression scheme—spcdns has code to protect against this, by the way). Or maybe not an infinitely long domain name, but an insanely long one (again, easy to do by exploiting the message compression scheme, and again, spcdns has protection against this attack as well).

Perhaps better would be to return an answer to a question that was never asked to begin with. “Oh, you want any record for isc.org? Here, have the LOC record for nsa.gov. Have a nice day.” Or perhaps just echo back the original packet and really confuse the sending program.

But in doing some searching, this appears to be an old denial of service attack against Internet Systems Consortium (the makers of bind, quite possibly the most widely used DNS server) and as such, any bogus reponses would probably not do anything to the attacking software, which probably ignores any replies anyway.

Update on Wednesday, January 5th, 2012

Good thing I didn't send back any custom responses

Obligatory Picture

An abstract representation of where you're coming from]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

Obligatory AI Disclaimer

No AI was used in the making of this site, unless otherwise noted.

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site: https://boston.conman.org/, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

https://boston.conman.org/2000/08/01

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.