[ratelimits] error in amplification attack

Vernon Schryver vjs at rhyolite.com
Tue Nov 13 18:15:39 UTC 2012

> From: Lyle Giese <lyle at lcrcomputer.net>

> I am seeing this in our logs now:
> Nov 12 07:36:24 linux named[18188]: client view 
> external: query (cache) 'lcrcomputer/ANY/IN' denied

> It would appear that they are missing the .<suffix>.  I don't know what 
> reply my server gives back in this case.

Those DNS clients are getting DNS REFUSED error responses as shown by
this quick test from an IP address unlikely to be permitted by the
ACLs at ns1.lcrcomputer.net:

    % dig lcrcomputer @

    ; <<>> DiG 9.10.0pre-alpha <<>> lcrcomputer @
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49745
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ; EDNS: version: 0, flags:; udp: 4096
    ;lcrcomputer.                   IN      A

    ;; Query time: 669 msec
    ;; SERVER:
    ;; WHEN: Tue Nov 13 18:05:43 2012
    ;; MSG SIZE  rcvd: 40

> Would it be of any use to
> apply rate limiting to this case also?

REFUSED, SERVFAIL, and other DNS errors other than NXDOMAIN are
limited by the errors-per-second parameter.  Its default is the
value of the responses-per-second parameter.

} From: Andrew Sullivan <ajs at anvilwalrusden.com>

} Presumably a referral (at least I hope so).

Yes, if they were referrals instead of DNS REFUSED errors forced
by an ACL, allow-recursion or other configuration settings.

] From: Hugo Salgado <hsalgado at nic.cl>

] My server (a small and personal domain) is under the same attack. It
] seems the attackers are looking only for TLDs, 

My first guess is broken software.
My second guess is even more vague and is about looking for local
names with privileges for relaying mail or other powers.

Vernon Schryver    vjs at rhyolite.com
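A simplified model of the per-client accounting described above, added here as an illustrative example (not BIND's code and not from the list): the error bucket for REFUSED/SERVFAIL is separate from the answer bucket, and errors-per-second falls back to responses-per-second when unset. The class and function names, fixed one-second windows, and keying by IPv4 /24 block are my assumptions; real RRL also tracks windows, slip and the identity of each answer.

```python
# Simplified model of DNS response rate limiting (RRL), an added example:
# every response is charged to a bucket keyed by client address block and
# response kind; REFUSED, SERVFAIL and other non-NXDOMAIN errors share the
# "error" bucket whose limit, errors-per-second, defaults to responses-per-second.
# This is an illustrative approximation, not BIND's implementation.
import ipaddress
from collections import defaultdict


class RateLimiter:
    def __init__(self, responses_per_second, errors_per_second=None,
                 nxdomains_per_second=None, ipv4_prefix_length=24):
        # Defaults follow the semantics quoted in the thread: unset error and
        # nxdomain limits take the value of responses-per-second.
        self.limits = {
            "answer": responses_per_second,
            "error": (errors_per_second if errors_per_second is not None
                      else responses_per_second),
            "nxdomain": (nxdomains_per_second if nxdomains_per_second is not None
                         else responses_per_second),
        }
        self.prefix = ipv4_prefix_length           # assumed IPv4-only keying
        self.counts = defaultdict(int)             # (second, block, kind) -> sent

    @staticmethod
    def kind(rcode):
        if rcode == "NOERROR":
            return "answer"
        if rcode == "NXDOMAIN":
            return "nxdomain"
        return "error"                             # REFUSED, SERVFAIL, ...

    def allow(self, client_ip, rcode, now):
        """True if the response may be sent, False if it is dropped."""
        block = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        kind = self.kind(rcode)
        key = (int(now), block, kind)
        if self.counts[key] >= self.limits[kind]:
            return False                           # over limit for this second
        self.counts[key] += 1
        return True


def run_probe(limiter, client_ip, rcode, n, now=0.0):
    """Send n identical responses in one second; return how many got through."""
    return sum(limiter.allow(client_ip, rcode, now) for _ in range(n))
```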
