named outbound flood

Installing, Configuring, Troubleshooting server daemons such as Web and Mail
nembulus
Posts: 19
Joined: 2014/03/29 00:31:04

named outbound flood

Post by nembulus » 2014/03/29 00:40:25

Hi,


Has anyone had a lot of UDP outbound flood?
The flood traffic comes from the named daemon; the internal network asked it to resolve random domains like this:

Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'sokmsmygoig.www.55sf.com/A/IN': 115.29.162.32#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'vxedbsraw.www.55sf.com/A/IN': 190.115.23.89#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'ksmlnqvek.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'kripgnwxkpen.www.55sf.com/A/IN': 190.115.23.90#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'jqrod.www.55sf.com/A/IN': 190.115.23.91#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'gtup.liebiao.800fy.com/A/IN': 42.120.248.232#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'mzcpklslupspab.www.55sf.com/A/IN': 109.163.232.117#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'svgdexetolwb.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'iuunznsyi.www.55sf.com/A/IN': 115.29.162.32#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'etytkbwbmhghqj.d2.xrsgt.com/A/IN': 182.140.167.166#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'apcxavwdglqfcxad.www.55sf.com/A/IN': 109.163.232.117#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'nopdesthvwxym.www.55sf.com/A/IN': 23.234.40.147#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'srshmtohavwvinst.www.55sf.com/A/IN': 190.115.23.89#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'pwp.www.55sf.com/A/IN': 23.234.40.147#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'vfqytttbanzhmdz.d2.xrsgt.com/A/IN': 122.225.217.192#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qxyxivupajqxqj.www.55sf.com/A/IN': 190.115.23.91#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'gnkrehslabwjml.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'wkc.www.55sf.com/A/IN': 222.163.192.171#53
Mar 29 07:39:55 ns1smg named[1416]: client 111.68.31.194#46501: query: csosbifsz.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'wrwnozidizahwtkv.www.55sf.com/A/IN': 222.163.192.171#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'zxf.www.55sf.com/A/IN': 190.115.23.88#53
Mar 29 07:39:55 ns1smg named[1416]: client 49.128.180.66#51736: query: hhqjgmcgwdmqzrc.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'agzkxjbqkfx.www.55sf.com/A/IN': 190.115.23.88#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'kbihw.www.55sf.com/A/IN': 109.163.232.117#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'wkvtorzjjdbmxjh.www.55sf.com/A/IN': 14.17.65.214#53
Mar 29 07:39:55 ns1smg named[1416]: client 119.2.53.197#54280: query: aopdrsguvjkyz.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'nph.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'askmx.www.55sf.com/A/IN': 115.28.194.4#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'hrrsgvuqe.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qxatgxorkfmbwd.www.55sf.com/A/IN': 115.29.179.112#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qbijkpkhgdurmh.www.55sf.com/A/IN': 115.28.194.4#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qxlmrgohglsjakv.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'cwlpcsh.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'ydobrdwiyvc.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qzwdanidgryj.www.55sf.com/A/IN': 190.115.23.91#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'eojwyyo.www.55sf.com/A/IN': 222.163.192.171#53
Mar 29 07:39:55 ns1smg named[1416]: client 119.2.53.70#42687: query: ixmjh.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg rsyslogd-2177: imuxsock begins to drop messages from pid 1416 due to rate-limiting


How can we block or limit this?
Looking forward to everyone's suggestions.
Thanks.

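The lines in the post have the signature of a random-subdomain (NXDOMAIN) flood: every query carries a fresh random leftmost label under the same parent zone (www.55sf.com), so nothing can be served from cache and each query becomes a new outbound upstream lookup that the resolver keeps retrying until it is cancelled. The following script is an added example, not code from the original post: it parses the three named log shapes that appear in this thread, counts distinct leftmost labels per parent zone, and lists the clients that sit outside the resolver's own address space. The sample log is constructed from lines modelled on the post, and the 111.68.0.0/16 customer prefix is an assumption standing in for the ISP's real ranges.

```python
"""Spot a random-subdomain flood in BIND 9 query logs and find who is asking.

Recognised log shapes (all three appear in the thread):
  client <ip>#<port>: query: <name> IN <type> + (<server-ip>)      recursion performed
  client <ip>#<port>: query (cache) '<name>/<type>/IN' denied       recursion refused
  error (operation canceled) resolving '<name>/<type>/IN': <ip>#53  upstream gave up
A parent zone that collects many distinct leftmost labels is the flood target,
and a resolver that recurses for it on behalf of outsiders is the amplifier.
"""
import ipaddress
import re
from collections import defaultdict

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")
DENIED_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query \(cache\) '(?P<name>[^/]+)/(?P<qtype>\w+)/IN' denied")
UPSTREAM_RE = re.compile(r"error \(operation canceled\) resolving '(?P<name>[^/]+)/(?P<qtype>\w+)/IN'")

# Constructed sample: lines modelled on the ones posted, plus one ordinary lookup
# (www.example.com) so the normal case is visible next to the flood.
SAMPLE_LOG = """\
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'sokmsmygoig.www.55sf.com/A/IN': 115.29.162.32#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'vxedbsraw.www.55sf.com/A/IN': 190.115.23.89#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'gtup.liebiao.800fy.com/A/IN': 42.120.248.232#53
Mar 29 07:39:55 ns1smg named[1416]: client 111.68.31.194#46501: query: csosbifsz.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: client 49.128.180.66#51736: query: hhqjgmcgwdmqzrc.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: client 119.2.53.197#54280: query: aopdrsguvjkyz.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: client 119.2.53.70#42687: query: ixmjh.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: client 111.68.31.200#40001: query: www.example.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg rsyslogd-2177: imuxsock begins to drop messages from pid 1416 due to rate-limiting
Nov 4 15:04:28 ns2smg named[11293]: client 116.33.161.78#34706: query (cache) 'kvgfyjyrolsxslgp.ttmj.weihainan.com/A/IN' denied
"""


def parse_log(text):
    """Yield (client, name, qtype, status) for each query-related line; skip the rest.

    client is None for upstream errors (named does not log the asker there).
    status is 'recursed', 'denied' or 'upstream-failed'.
    """
    shapes = ((QUERY_RE, "recursed"), (DENIED_RE, "denied"), (UPSTREAM_RE, "upstream-failed"))
    for line in text.splitlines():
        for regex, status in shapes:
            m = regex.search(line)
            if m:
                yield m.groupdict().get("client"), m["name"].lower().rstrip("."), m["qtype"], status
                break


def parent_zone(name):
    """'csosbifsz.www.55sf.com' -> 'www.55sf.com'; a two-label name is its own zone."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else name


def zone_stats(text):
    """Per parent zone: distinct leftmost labels, the clients that asked, denied count."""
    stats = defaultdict(lambda: {"labels": set(), "clients": set(), "denied": 0})
    for client, name, _qtype, status in parse_log(text):
        entry = stats[parent_zone(name)]
        entry["labels"].add(name.split(".")[0])
        if client is not None:
            entry["clients"].add(client)
        if status == "denied":
            entry["denied"] += 1
    return dict(stats)


def flag_abused_zones(text, min_distinct_labels=3):
    """Zones with >= min_distinct_labels different leftmost labels, most abused first.

    A flood produces a new label per query, so legitimate zones (www., mail., ...)
    stay far below a threshold that a flood target crosses within seconds.
    """
    flagged = [(zone, len(s["labels"])) for zone, s in zone_stats(text).items()
               if len(s["labels"]) >= min_distinct_labels]
    return sorted(flagged, key=lambda z: (-z[1], z[0]))


def foreign_clients(text, local_prefixes):
    """Clients that sent queries from outside the resolver's own networks (CIDR strings).

    Anything returned is a spoofed source (the victim) or an outsider using the open
    resolver; either way it does not belong in allow-recursion.
    """
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    outside = {c for c, _n, _t, _s in parse_log(text)
               if c is not None and not any(ipaddress.ip_address(c) in n for n in nets)}
    return sorted(outside, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Assumption: 111.68.0.0/16 stands in for the ISP's real customer ranges.
    print("abused zones:", flag_abused_zones(SAMPLE_LOG))
    print("outside clients:", foreign_clients(SAMPLE_LOG, ["111.68.0.0/16"]))
```

Feed the real query log in place of the constructed sample and the `foreign_clients` output is the list to compare against your customer prefixes. One caveat before blocking by source address: the `client` field is the source address as named saw it, and in a reflection attack that is the victim, so per-IP blocks only move the problem. The durable fix is to stop recursing for anyone who is not a customer.
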
tim.t.burris
Posts: 1
Joined: 2014/07/25 18:34:38

Re: named outbound flood

Post by tim.t.burris » 2014/07/25 18:37:48

I was wondering if you had resolved this problem? --Tim

nembulus
Posts: 19
Joined: 2014/03/29 00:31:04

Re: named outbound flood

Post by nembulus » 2016/10/15 04:28:48

Still no clue about this issue ... anyone??

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: named outbound flood

Post by TrevorH » 2016/10/15 13:23:55

Is your DNS server exposed to the internet? Does it need to be? I suspect that the copy of bind in el5 is so old it has no controls that can be used to lock down the various reflection attacks that are used by people performing ddos attacks.

nembulus
Posts: 19
Joined: 2014/03/29 00:31:04

Re: named outbound flood

Post by nembulus » 2016/11/04 07:51:54

Yes .. I have to expose my DNS server to the internet as a resolver, because I am running a small ISP network.
So do I have to install non-RHEL bind packages?

Nov 4 15:04:28 ns2smg named[11293]: client 116.33.161.78#34706: query (cache) 'kvgfyjyrolsxslgp.ttmj.weihainan.com/A/IN' denied
Nov 4 15:04:28 ns2smg kernel: IN=eth0 OUT= MAC=00:0c:29:c2:df:5d:fc:5b:26:15:07:b9:08:00 SRC=116.33.161.78 DST=111.68.27.4 LEN=81 TOS=0x00 PREC=0x00 TTL=237 ID=19873 DF PROTO=UDP SPT=34706 DPT=53 LEN=61


In fact ... those queries do not come from my network; can I block them with iptables?

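Two settings answer the last two questions in the thread. The `allow-recursion` ACL is present in every BIND 9 release, including the bind packages shipped with EL5, so no third-party packages are needed to stop recursing for outsiders; the `query (cache) ... denied` line above is what that refusal looks like once it is in place, the abused lookup now gets a REFUSED answer instead of triggering an upstream query. The named.conf fragment below is an added example, not configuration from the thread: the address ranges are placeholders for the ISP's own customer prefixes, `allow-query-cache` needs BIND 9.4 or newer, and the `rate-limit` (Response Rate Limiting) block needs BIND 9.9.4 or newer, so on an EL5 system only the ACL lines apply.

```conf
// Recursive resolver for a small ISP: recurse only for our own customers.
acl "customers" {
    localhost;
    localnets;
    111.68.0.0/16;          // assumption: placeholder for the ISP's customer ranges
    103.247.122.0/24;       // assumption: placeholder for a second customer range
};

options {
    listen-on port 53 { 103.247.122.202; };   // the resolver address seen in the query log
    recursion yes;
    allow-recursion { customers; };           // outsiders get REFUSED, no upstream lookup
    allow-query-cache { customers; };         // BIND 9.4+: outsiders cannot read the cache either
    allow-query { customers; };               // this host serves no authoritative zones, so refuse everyone else
    minimal-responses yes;                    // smaller replies, less amplification value

    // BIND 9.9.4+ only: cap identical responses per client /24 so that even
    // refused or NXDOMAIN answers cannot be used as a reflector at high rates.
    rate-limit {
        responses-per-second 10;
        errors-per-second 5;
        nxdomains-per-second 5;
        slip 2;                               // every 2nd dropped reply becomes a truncated one, forcing TCP retry
    };
};
```

On the iptables side, the equivalent is to accept UDP and TCP port 53 only from the same customer ranges and drop everything else before named sees it, for example `iptables -A INPUT -p udp --dport 53 ! -s 111.68.0.0/16 -j DROP` repeated per prefix or via an ipset. Unlike the ACL inside named, a firewall drop also suppresses the REFUSED reply, which matters because every denied query still costs one outbound packet to a possibly spoofed source. If the same host is also authoritative for any zone, do not use the blanket drop or `allow-query { customers; }`, since queries for those zones legitimately arrive from everywhere; split the authoritative and recursive roles onto separate addresses instead.
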