Tightened DNS security question re: DNS amplification attacks.

Mark Andrews Mark_Andrews at isc.org
Tue Jan 27 21:06:07 CST 2009


In message <Pine.LNX.4.64.0901271739380.27614 at mail.pirk.com>, Steve Pirk writes
:
> On Wed, 28 Jan 2009, jay at miscreant.org wrote:
> 
> > Quoting John Martinez <jmartinez at zero11.com>:
> >
> >> Are we still seeing DNS DDoS attack?
> >
> > Yep. I'm seeing ~2 queries/sec targetting 64.57.246.146.
> >
> > Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.
> >
> 
> I run a small personal nameserver and even I am seeing requests for that 
> address 64.57.246.146 at ~1/sec.
> 
> How many people have upgraded to the latest version of Bind 9? Reason
> I ask is that when I do my nightly port scan of my server, I no longer see 
> named listening to udp on a random high order port (for replies I believe?). 
> Almost the next day, I started hearing about/seeing these DNS attacks.

	Totally unrelated.  Named now creates multiple listening
	ports on demand.

	Mark
 
> Previous nmap scan showed:
> 53/tcp    open          domain
> 53/udp    open|filtered domain
> 33591/udp open|filtered unknown
> 
> Now nmap shows:
> 53/tcp    open          domain
> 53/udp    open|filtered domain
> 
> The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1.
> The port was bound at startup time and did not change as long as named was 
> still running.
> --
> Steve
> Equal bytes for women.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org




More information about the NANOG mailing list