Wednesday, January 04, 2012
An annoying attack
It looks like today is “Attack Day.” I run a program to show the output from syslog in real time (it's part of my syslogintr project) and (like right as I type this) I'm seeing a slew of bogus DNS queries:
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
And not just from that IP address either—so far 87 different IPs have been sending bogus requests to my DNS server. I would also like to find the program that does this, as every single request has come from the same port. Different IP address, sure, but the source port is always the same.
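The constant source port across many client addresses is the thing worth keying on in the log. Here is an added example (not part of the original post or of syslogintr) that parses BIND "query denied" lines of the shape quoted above, groups them by source port and question, and reports any port that many distinct clients share. The log lines are constructed: the first address is the one shown in the post, the rest are RFC 5737 documentation addresses, and the `example.*` names are made up for contrast.

```python
"""Group BIND 'query denied' log lines by source port to spot a fixed-port flood.

Added example, not code from the original post or from syslogintr. The log
lines below are constructed to match the format quoted in the post.
"""
import re
from collections import defaultdict

# BIND's refused-query line:
#   client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)

# Constructed sample: four clients all using source port 25345 for the same
# ANY question, two unrelated denied queries, and one non-matching line.
SAMPLE_LINES = [
    "security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 198.51.100.17#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 203.0.113.9#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 192.0.2.44#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 192.0.2.44#53211: query (cache) 'example.com/A/IN' denied",
    "security: info: client 203.0.113.9#40122: query (cache) 'example.net/MX/IN' denied",
    "daemon: info: named[1234]: zone example.org/IN: loaded serial 2012010401",
]


def parse_denied(line):
    """Return (client ip, source port, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return m["ip"], int(m["port"]), m["name"], m["qtype"]


def clients_by_question(lines):
    """Map (source port, qname, qtype) -> set of client IPs that sent that question."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_denied(line)
        if parsed is not None:
            ip, port, name, qtype = parsed
            seen[(port, name, qtype)].add(ip)
    return seen


def fixed_port_floods(lines, min_clients=3):
    """Questions that arrive on one source port from at least min_clients distinct IPs.

    A resolver normally varies its source port from query to query, so many
    unrelated clients sharing one port for one question is the tell.
    Returns [(port, qname, qtype, client_count)], largest count first.
    """
    hits = [
        (port, name, qtype, len(ips))
        for (port, name, qtype), ips in clients_by_question(lines).items()
        if len(ips) >= min_clients
    ]
    return sorted(hits, key=lambda hit: -hit[3])


if __name__ == "__main__":
    for port, name, qtype, count in fixed_port_floods(SAMPLE_LINES):
        print(f"port {port}: {count} clients asking {name}/{qtype}")
```

On a live box the same functions can be fed from `tail -f` of the syslog file; the threshold `min_clients` is the only knob, and three distinct clients on one port is already far outside normal resolver behaviour.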
I'm also seriously tempted to write a program to send back a nice, custom response to these, in the hopes that the program actually cares about the response. The obvious thing to do is send back a response that contains an infinitely long domain name—it's not hard to do, just the right two bytes in the right location and you have an infinitely long name to parse (this is exploiting the DNS message compression scheme—spcdns has code to protect against this, by the way). Or maybe not an infinitely long domain name, but an insanely long one (again, easy to do by exploiting the message compression scheme, and again, spcdns has protection against this attack as well).
Perhaps better would be to return an answer to a question that was never asked to begin with. “Oh, you want any record for isc.org? Here, have the LOC record for nsa.gov. Have a nice day.” Or perhaps just echo back the original packet and really confuse the sending program.
But in doing some searching, this appears to be an old denial of service attack against Internet Systems Consortium (the makers of bind, quite possibly the most widely used DNS server) and as such, any bogus responses would probably not do anything to the attacking software, which probably ignores any replies anyway.