* * * * *
An annoying attack
It looks like today is “Attack Day.” I run a program to show the output from
syslog in real time (it's part of my syslogintr [1] project) and (like right
as I type this) I'm seeing a slew of bogus DNS (Domain Name Service) queries:
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
> security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
And not just from that IP (Internet Protocol) address either—so far 87
different IPs have been sending bogus requests to my DNS server. I would also
like to find the program that does this, as every single request has come
from the same port. Different IP address, sure, but the source port is always
the same.
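As an added example (mine, not from the post and not part of syslogintr), here is the check I'd want a log watcher to run over lines like the ones above: how many distinct source addresses asked the same ANY question, and whether every one of them used a single source port. The sample lines are constructed to look like the syslog output above, the `looks_like_spoofed_flood` heuristic and its threshold are my own assumptions, and the parser only understands the `client A.B.C.D#port:` shape shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DISTINCT 256

/* Constructed sample lines modelled on the post's syslog output (not a capture). */
static const char *const SAMPLE[] = {
    "security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 198.51.100.7#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 203.0.113.9#25345: query (cache) 'isc.org/ANY/IN' denied",
    "security: info: client 192.0.2.44#53211: query (cache) 'example.com/A/IN' denied",
    "security: info: zone transfer refused, nothing to parse on this line",
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

struct reflect_summary {
    size_t queries;         /* lines that parsed as client queries */
    size_t any_isc;         /* of those, 'isc.org/ANY/IN' queries */
    size_t distinct_ips;    /* distinct sources among the ANY queries */
    size_t distinct_ports;  /* distinct source ports among the ANY queries */
};

/* Insert s into the set if it is not already there (capped at MAX_DISTINCT). */
static void add_unique_ip(char set[][16], size_t *n, const char *s)
{
    for (size_t i = 0; i < *n; i++)
        if (strcmp(set[i], s) == 0) return;
    if (*n < MAX_DISTINCT) { strcpy(set[*n], s); (*n)++; }
}

static void add_unique_port(unsigned set[], size_t *n, unsigned p)
{
    for (size_t i = 0; i < *n; i++)
        if (set[i] == p) return;
    if (*n < MAX_DISTINCT) set[(*n)++] = p;
}

/* One pass over the lines: parse "client IP#port:" and tally the ANY queries. */
struct reflect_summary summarize(const char *const *lines, size_t n)
{
    char ips[MAX_DISTINCT][16];
    unsigned ports[MAX_DISTINCT];
    struct reflect_summary s = { 0, 0, 0, 0 };

    for (size_t i = 0; i < n; i++) {
        const char *p = strstr(lines[i], "client ");
        char ip[16];
        unsigned port;
        /* "%15[0-9.]" bounds the copy to the 16-byte ip buffer */
        if (!p || sscanf(p + 7, "%15[0-9.]#%u", ip, &port) != 2)
            continue;
        s.queries++;
        if (!strstr(lines[i], "'isc.org/ANY/IN'"))
            continue;
        s.any_isc++;
        add_unique_ip(ips, &s.distinct_ips, ip);
        add_unique_port(ports, &s.distinct_ports, port);
    }
    return s;
}

/* Assumed heuristic: at least min_sources different addresses, all sending the
 * same ANY question from exactly one source port, is worth an alert. */
int looks_like_spoofed_flood(const struct reflect_summary *s, size_t min_sources)
{
    return s->any_isc > 0 && s->distinct_ips >= min_sources && s->distinct_ports == 1;
}

int flood_verdict(const char *const *lines, size_t n, size_t min_sources)
{
    struct reflect_summary s = summarize(lines, n);
    return looks_like_spoofed_flood(&s, min_sources);
}

int main(void)
{
    struct reflect_summary s = summarize(SAMPLE, SAMPLE_N);
    printf("queries=%zu any_isc=%zu ips=%zu ports=%zu flood=%d\n",
           s.queries, s.any_isc, s.distinct_ips, s.distinct_ports,
           looks_like_spoofed_flood(&s, 3));
    return 0;
}
```

On real traffic you would feed it the syslog stream instead of the fixed array and pick the threshold from what your server normally sees; the point is the combination (many sources, one question, one port), not any single number.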
I'm also seriously tempted to write a program to send back a nice, custom
response to these, in the hopes that the program actually cares about the
response. The obvious thing to do is send back a response that contains an
infinitely long domain name—it's not hard to do, just the right two bytes in
the right location and you have an infinitely long name to parse (this is
exploiting the DNS message compression scheme—spcdns [2] has code to protect
against this, by the way). Or maybe not an infinitely long domain name, but
an insanely long one (again, easy to do by exploiting the message compression
scheme, and again, spcdns has protection against this attack as well).
Perhaps better would be to return an answer to a question that was never
asked to begin with. “Oh, you want any record for isc.org? Here, have the LOC
(Location) record for nsa.gov. Have a nice day.” Or perhaps just echo back
the original packet and really confuse the sending program.
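Here is an added example, not from the post and not spcdns's own code, of the kind of protection the paragraph refers to: a name decoder that refuses a compression pointer unless it points strictly backwards in the message (so a pointer chain can never loop) and gives up once the decoded name would pass the 255-byte limit from RFC 1035. The sample messages are constructed, and `build_long_chain` exists only to produce the "insanely long name" case so you can watch it get rejected; the error codes are my own naming.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255          /* RFC 1035 cap on a wire-format name */

/* Return codes for dns_read_name() (assumed naming, not spcdns's). */
enum {
    DNS_OK          =  0,
    DNS_ERR_TRUNC   = -1,   /* name runs past the end of the message */
    DNS_ERR_LOOP    = -2,   /* pointer does not point strictly backwards */
    DNS_ERR_TOOLONG = -3,   /* decoded name exceeds DNS_MAX_NAME */
    DNS_ERR_LABEL   = -4    /* reserved label type (0x40 / 0x80) */
};

/* Decode the name at msg[off] into out as dotted text ("isc.org.").
 * Two rules make a pointer loop or a runaway name impossible:
 *   1. a pointer must target an offset lower than its own position, so every
 *      hop moves strictly backwards and the walk has to terminate;
 *   2. the length is counted the way RFC 1035 counts it (each label plus its
 *      length byte, plus the final zero byte) and rejected past the cap. */
int dns_read_name(const uint8_t *msg, size_t msglen, size_t off,
                  char *out, size_t outlen)
{
    size_t pos = off, total = 0, outpos = 0;

    for (;;) {
        if (pos >= msglen)
            return DNS_ERR_TRUNC;
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (pos + 1 >= msglen)
                return DNS_ERR_TRUNC;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos)
                return DNS_ERR_LOOP;                /* self or forward pointer */
            pos = target;
            continue;
        }
        if (len & 0xC0)
            return DNS_ERR_LABEL;
        if (len == 0)
            break;                                  /* root label: done */
        if (pos + 1 + len > msglen)
            return DNS_ERR_TRUNC;

        total += (size_t)len + 1;
        if (total + 1 > DNS_MAX_NAME)               /* +1 for the final zero byte */
            return DNS_ERR_TOOLONG;
        if (outpos + len + 1 >= outlen)
            return DNS_ERR_TOOLONG;                 /* caller's buffer too small */

        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        out[outpos++] = '.';
        pos += 1 + (size_t)len;
    }
    if (outpos == 0) {
        if (outlen < 2) return DNS_ERR_TOOLONG;
        out[outpos++] = '.';                        /* the root name by itself */
    }
    out[outpos] = '\0';
    return DNS_OK;
}

/* Constructed sample name fields (not captured traffic). */
static const uint8_t MSG_PLAIN[]  = { 3,'i','s','c', 3,'o','r','g', 0 };
static const uint8_t MSG_PTR[]    = { 3,'i','s','c', 3,'o','r','g', 0,
                                      3,'w','w','w', 0xC0, 0x00 };   /* www + ptr->0 */
static const uint8_t MSG_SELF[]   = { 0xC0, 0x00 };                  /* points at itself */
static const uint8_t MSG_MUTUAL[] = { 0xC0, 0x02, 0xC0, 0x00 };      /* 0 -> 2 -> 0 */
static const uint8_t MSG_TRUNC[]  = { 3,'i','s' };

static char g_name[DNS_MAX_NAME + 2];
static uint8_t g_chain[512];

/* Convenience wrapper: decoded text, or NULL on any error. */
const char *dns_name_text(const uint8_t *msg, size_t msglen, size_t off)
{
    return dns_read_name(msg, msglen, off, g_name, sizeof g_name) == DNS_OK
           ? g_name : NULL;
}

/* Fill g_chain with four 63-byte labels, each later chunk ending in a legal
 * backward pointer to the previous one. Every pointer passes rule 1 on its
 * own, yet the decoded name would be 256 bytes. Returns the offset to decode from. */
size_t build_long_chain(void)
{
    size_t off = 0, prev = 0;
    for (int i = 0; i < 4; i++) {
        size_t start = off;
        g_chain[off++] = 63;
        memset(g_chain + off, 'a' + i, 63);
        off += 63;
        if (i == 0) {
            g_chain[off++] = 0;                     /* first chunk ends at root */
        } else {
            g_chain[off++] = (uint8_t)(0xC0 | (prev >> 8));
            g_chain[off++] = (uint8_t)(prev & 0xFF);
        }
        prev = start;
    }
    return prev;
}

int main(void)
{
    printf("plain : %s\n", dns_name_text(MSG_PLAIN, sizeof MSG_PLAIN, 0));
    printf("ptr   : %s\n", dns_name_text(MSG_PTR, sizeof MSG_PTR, 9));
    printf("self  : %d\n", dns_read_name(MSG_SELF, sizeof MSG_SELF, 0, g_name, sizeof g_name));
    printf("mutual: %d\n", dns_read_name(MSG_MUTUAL, sizeof MSG_MUTUAL, 0, g_name, sizeof g_name));
    printf("chain : %d\n", dns_read_name(g_chain, sizeof g_chain, build_long_chain(), g_name, sizeof g_name));
    return 0;
}
```

The "strictly backwards" rule is stricter than a hop counter and is what the RFC actually requires (a pointer is to a *prior* occurrence of the name), so it costs nothing on well-formed messages; the length cap is the separate guard for the case where every pointer is legal but the pieces add up to more than a name is allowed to be.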
But in doing some searching, this appears to be an old denial of service
attack against Internet Systems Consortium [3] (the makers of bind [4], quite
possibly the most widely used DNS server) and as such, any bogus responses
would probably not do anything to the attacking software, which probably
ignores any replies anyway.
Update on Wednesday, January 5th, 2012
Good thing I didn't send back any custom responses [5] …
[1] https://github.com/spc476/syslogintr
[2] https://github.com/spc476/SPCDNS
[3] http://www.isc.org/
[4] http://www.isc.org/software/bind/
[5] gopher://gopher.conman.org/0Phlog:2012/01/05.1