[Postfixbuch-users] DDOS ueber DNS

Uwe Driessen driessen at fblan.de
So Mai 3 02:21:58 CEST 2009 

Ich bin da durch Zufall evtl. auf ein Problem gestoßen

DNS Anfragen die Fragmentation needed auf meinem DNS Server auslösten.

Der Sache bin ich nachgegangen und habe ständige Anfragen für TXT turan-online.info
entdeckt.

Das Perfide daran ist der TXT Eintrag 

;turan-online.info.             IN      ANY
 
 ;; ANSWER SECTION:
 turan-online.info.      604800  IN       TXT
"ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
ccccccccccccccccccccccccccccccccccccccc"
 turan-online.info.      604800  IN      TXT
"ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddddddddddd"
 turan-online.info.      604800  IN      TXT
"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
 turan-online.info.      604800  IN      TXT
"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffff"
 turan-online.info.      604800  IN      TXT
"ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg
ggggggggggggggggggggggggggggggggggggggg"
 turan-online.info.      604800  IN      TXT
"hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh"
 turan-online.info.      604800  IN      TXT
"iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"
 turan-online.info.      604800  IN      TXT
"jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj"
 turan-online.info.      604800  IN      TXT
"kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk"
 turan-online.info.      604800  IN      TXT
"lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
lllllllllllllllllllllllllllllllllllllll"
 turan-online.info.      604800  IN      TXT
"mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm"
 turan-online.info.      604800  IN      TXT
"nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn"
 turan-online.info.      604800  IN      TXT
"ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
ooooooooooooooooooooooooooooooooooooooo"
 turan-online.info.      604800  IN      TXT
"ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
ppppppppppppppppppppppppppppppppppppppp"
 turan-online.info.      604800  IN      TXT
"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
 turan-online.info.      604800  IN      TXT
"rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr"
 turan-online.info.      604800  IN      TXT
"sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
sssssssssssssssssssssssssssssssssssssss"
 turan-online.info.      604800  IN      TXT
"ttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
ttttttttttttttttttttttttttttttttttttttt"
 turan-online.info.      604800  IN      TXT
"uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu"
 turan-online.info.      604800  IN      TXT
"vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"
 turan-online.info.      604800  IN      TXT
"wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww"
 turan-online.info.      604800  IN      TXT
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 turan-online.info.      604800  IN      TXT
"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
 turan-online.info.      604800  IN      TXT
"zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
 turan-online.info.      604800  IN      TXT
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 turan-online.info.      604800  IN      TXT
"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
 turan-online.info.      604800  IN      A       123.34.20.10
 turan-online.info.      604800  IN      SOA     ns1.nsnoc.com. admin.turan-online.info.
2009040723 7200 7200 604800 864000
 turan-online.info.      604800  IN      NS      ns1.nsnoc.com.
 turan-online.info.      604800  IN      NS      ns3.nsnoc.net.
 turan-online.info.      604800  IN      NS      ns2.nsnoc.com.
 turan-online.info.      604800  IN      NS      ns4.nsnoc.net.
 
 ;; AUTHORITY SECTION:
 turan-online.info.      604800  IN      NS      ns3.nsnoc.net.
 turan-online.info.      604800  IN      NS      ns1.nsnoc.com.
 turan-online.info.      604800  IN      NS      ns4.nsnoc.net.
 turan-online.info.      604800  IN      NS      ns2.nsnoc.com.
 
 ;; ADDITIONAL SECTION:
 ns1.nsnoc.com.          172797  IN      A       195.69.95.112
 ns2.nsnoc.com.          172797  IN      A       195.69.95.114 

alle Anfragen kommen nicht aus dem eigenen Netz sondern von extern 91.202.63.136.
Ich nehme aber an das die Absenderadresse mit sehr hoher Wahrscheinlichkeit gefälscht ist.

Jetzt werden für die Angriffe schon extra DNS Einträge genommen bzw. ich kann diesen TXT
Eintrag nur als für eine Attacke genierten werten 

Den DNS Betreiber habe ich auch schon angeschrieben mal schauen was sich da tut.
Alle meine DNS-Server wurden so präpariert das nur noch für die eigenen Netze der resolver
befragt wird bzw. für Fremde nur noch auf Anfragen zu selbst gehostete DNS Einträgen
geantwortet wird.  

Das ganze scheint eine Abwandlung von 
http://netzhappen.de/2009/02/06/neue-form-von-dns-amplification-erleichtert-ddos-angriffe/


Mit freundlichen Grüßen

Drießen

-- 
Software & Computer
Uwe Drießen
Lembergstraße 33
67824 Feilbingert
Tel.: +49 06708 / 660045   Fax: +49 06708 / 661397

Mehr Informationen über die Mailingliste Postfixbuch-users