[ratelimits] error in amplification attack
Michael Sinatra
michael+lists at burnttofu.net
Tue Nov 13 18:05:27 UTC 2012
On 11/13/12 8:38 AM, Lyle Giese wrote:
> I am seeing this in our logs now:
>
> Nov 12 07:36:24 linux named[18188]: client 199.59.163.143#63663: view
> external: query (cache) 'lcrcomputer/ANY/IN' denied
> Nov 12 07:36:24 linux named[18188]: client 199.59.163.143#9119: view
> external: query (cache) 'lcrcomputer/ANY/IN' denied
> Nov 12 07:36:24 linux named[18188]: client 199.59.163.143#33665: view
> external: query (cache) 'lylegiese/ANY/IN' denied
> Nov 12 07:36:24 linux named[18188]: client 199.59.163.143#54595: view
> external: query (cache) 'lcrcomputer/ANY/IN' denied
> Nov 12 07:36:24 linux named[18188]: client 199.59.163.143#11802: view
> external: query (cache) 'lcrcomputer/ANY/IN' denied
> Nov 12 07:36:24 linux named[18188]: client 199.59.163.143#13852: view
> external: query (cache) 'lcrcomputer/ANY/IN' denied
>
> It would appear that they are missing the .<suffix>. I don't know what
> reply my server gives back in this case. Would it be of any use to
> apply rate limiting to this case also?
Yup. This attack is making the rounds. It only includes the first
prefix of any domain--even third-level domains are used in this attack,
but only the first prefix (text before the first dot) appears in the
attack. It's a busted attack script, IMO.
In terms of what response your server is giving, I would actually hope
it's REFUSED or SERVFAIL. These TLDs are out-of-bailiwick for an
authoritative server and your recursive server shouldn't be answering to
unknown clients. In my case, my servers are responding with REFUSED,
and the repeated identical responses are causing RRL to clamp down hard.
In this case, this is a Good Thing.
michael
More information about the ratelimits
mailing list