Tightened DNS security question re: DNS amplification attacks.
Mark Andrews
Mark_Andrews at isc.org
Wed Jan 28 03:06:07 UTC 2009
In message <Pine.LNX.4.64.0901271739380.27614 at mail.pirk.com>, Steve Pirk writes
:
> On Wed, 28 Jan 2009, jay at miscreant.org wrote:
>
> > Quoting John Martinez <jmartinez at zero11.com>:
> >
> >> Are we still seeing DNS DDoS attack?
> >
> > Yep. I'm seeing ~2 queries/sec targetting 64.57.246.146.
> >
> > Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.
> >
>
> I run a small personal nameserver and even I am seeing requests for that
> address 64.57.246.146 at ~1/sec.
>
> How many people have upgraded to the latest version of Bind 9? Reason
> I ask is that when I do my nightly port scan of my server, I no longer see
> named listening to udp on a random high order port (for replies I believe?).
> Almost the next day, I started hearing about/seeing these DNS attacks.
Totally unrelated. Named now creates multiple listening
ports on demand.
Mark
> Previous nmap scan showed:
> 53/tcp open domain
> 53/udp open|filtered domain
> 33591/udp open|filtered unknown
>
> Now nmap shows:
> 53/tcp open domain
> 53/udp open|filtered domain
>
> The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1.
> The port was bound at startup time and did not change as long as named was
> still running.
> --
> Steve
> Equal bytes for women.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the NANOG
mailing list