-------Original Message------- From: NFOservers com DDoS notifier Date: 1/25/2014 8:07:18 AM To: [email protected] Subject: Open recursive resolver used for an attack: 103.31.251.124 You appear to be running an open recursive resolver at IP address 103.31.251.124 that participated in an attack against a customer of ours today, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size. Please consider reconfiguring your resolver in one or more of these ways: - To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in allow-query; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53) - To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in allow-query for the server overall but setting allow-query to any for each zone) - To rate-limit responses to individual source IP addresses (DNS Response Rate Limiting, or DNS RRL) More information on this type of attack and what each party can do to mitigate it can be found here: us-cert.gov/ncas/alerts/TA13-088A If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack. If you already have your resolver configured to rate-limit, please accept our apologies for bothering you. These attackers use any server that will respond, and they (and we) cant easily tell that the traffic is being rate-limited. If you contact us, we can whitelist your IP address in our database so that you dont receive more of these notifications for it. Example DNS responses from your resolver during this attack are given below. Times are PST (UTC-8), and the date is 2014-01-24. 16:46:14.683530 IP (tos 0x0, ttl 57, id 62179, offset 0, flags [+], proto UDP (17), length 1500) 103.31.251.124.53 > 74.91.122.231.31386: 23771 1/2/1 x.xipzersscc. TXT[|domain] 0x0000: 4500 05dc f2e3 2000 3911 414f 671f fb7c E.......9.AOg..| 0x0010: 4a5b 7ae7 0035 7a9a 0faa d245 5cdb 8180 J[z..5z....E\... 0x0020: 0001 0001 0002 0001 0178 0a78 6970 7a65 .........x.xipze 0x0030: 7273 7363 6303 636f 6d00 00ff 0001 c00c rsscc....... 0x0040: 0010 0001 0000 0aa1 0f43 d976 .........C.v 16:46:14.746288 IP (tos 0x0, ttl 57, id 62180, offset 0, flags [+], proto UDP (17), length 1500) 103.31.251.124.53 > 74.91.122.231.31386: 23771 1/2/1 x.xipzersscc. TXT[|domain] 0x0000: 4500 05dc f2e4 2000 3911 414e 671f fb7c E.......9.ANg..| 0x0010: 4a5b 7ae7 0035 7a9a 0faa d146 5cdb 8180 J[z..5z....F\... 0x0020: 0001 0001 0002 0001 0178 0a78 6970 7a65 .........x.xipze 0x0030: 7273 7363 6303 636f 6d00 00ff 0001 c00c rsscc....... 0x0040: 0010 0001 0000 0aa1 0f43 d976 .........C.v 16:46:14.809004 IP (tos 0x0, ttl 57, id 62181, offset 0, flags [+], proto UDP (17), length 1500) 103.31.251.124.53 > 74.91.122.231.31386: 23771 1/2/1 x.xipzersscc. TXT[|domain] 0x0000: 4500 05dc f2e5 2000 3911 414d 671f fb7c E.......9.AMg..| 0x0010: 4a5b 7ae7 0035 7a9a 0faa d245 5cdb 8180 J[z..5z....E\... 0x0020: 0001 0001 0002 0001 0178 0a78 6970 7a65 .........x.xipze 0x0030: 7273 7363 6303 636f 6d00 00ff 0001 c00c rsscc....... 0x0040: 0010 0001 0000 0aa1 0f43 d976 .........C.v -John President Nuclearfallout, Enterprises, Inc. (NFOservers)
Posted on: Sat, 25 Jan 2014 04:46:53 +0000
Trending Topics
Recently Viewed Topics
© 2015