Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 2 subscribers
  • Views 1849 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Help - My DNS is under attack - I guess ...

Max_Nilsen
Hi all,

During the last copule of days my dns has been under some kind of attack...

Anyone know what it is ?

I created a drop-rule to stop the sources...

A screendump of livelog is attached.


This thread was automatically locked due to age.
  • 0
    the internal machine..is it a server?  if so what does it do?  what operating system?

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0
    It's a Windows 2003 server with primary dns-zones on it.
  • 0
    does it server dns internally externally or both?  is this box only a dns box?

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0
    It serves as an external dns.
    It also is a fileserver.
  • 0
    That's a hugely bad idea.  You do not want to have your internal file server directly accessible to the internet.  I am also assuming this is a active directory box.  If that's the case it's designed to allow dns from anywhere internally by default...you are also i bet a recursive dns for the inet as a whole as well and folks have found it.  

    get that machine off the inet..use it only for internal operations.  If you want to do external dns setup another box(preferably using Linux..you can use windows) and have it segregated form your internal lan.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0
    The server is placed in DMZ, and it's not AD, just ordinary DNS.
    The fileserver operatins is not for the internal-zone, it just contains "transfer" files between ftp and the internal sone.

    But, that was not the issue... have you seen such attach before ?
  • 0
    I still think you have the dns setup where it can be used for recursive queries for the whole internet.  check your servers dns logs to see if something weird is going on.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0
    The DNS has recursion disabled, nothing in the logs..
    No cached zones, no forwarders..
    Strange ...
    I've emailed the abuse-address and hostmaster of the ip-address, so I'll guess I just have to wait for an answer..
    It can't be a dos, it's to slow queries...2-3 pr. second..
  • 0
    i wouldn't do what your doing with a windows box...[:)]  Hopefully it's nothing..but that kind of traffic is hardly ever nothing.  I would do some tcpdumps on that and see what they are doing.  Your box may be compromised or something.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

Cookie Information Banner