Odd log messages from ISC BIND named

Mark E. Mallett mem at mv.mv.com
Tue Feb 3 13:11:13 EST 2009


On Tue, Feb 03, 2009 at 12:44:01PM -0500, Chip Marshall wrote:
> On February 03, 2009, Ben Scott sent me the following:
> >   But none of those domain names are even close to valid, and while I
> > didn't check each and every one, it didn't look like there were any
> > repeats.  How would that lead to info about cached queries?
> 
> Oh, I thought you had obfuscated the query string along with the source
> IP. I should have read more carefully. Yeah, gibberish qnames wouldn't
> make sense for a cache probe.

But they might make sense for a reflection attack. An owned machine issues
a query with a forged source IP address; the answer from your nameserver
goes to that forged address. Even if the answer is just a SERVFAIL or
other "we don't do that here" response, it's still a response and it
serves to hide the identity of the source.

There's been a lot of that going on lately, using queries for the root
zone. When that's issued against a nameserver that allows recursion for
anybody, the return payload is much larger than the source packet, so
there's an amplification. When issued against a nameserver that doesn't
allow recursion for everyone, it's still a reflection attack that masks
the source.

It's possible that somebody's testing using random query names instead
of "." -- "." is pretty easy to look for in the logs, but the random
names are more difficult. (We get a pretty large constant number of
attempts to use our nameserver(s) recursively; anything that makes
spotting the DOS attempts difficult would be better for the attackers.)

Anyway that's just guessing. Eyeballing it, I haven't spotted any of
those random name queries in the logs here. I don't know what it really is;
I'm just adding to the noise here :)

mm
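The two patterns discussed in the message above (repeated queries for "." from one source, and bursts of random-looking query names that are harder to eyeball) can both be counted per client address from a BIND query log. The script below is an added example for this thread, not code from the original post or from ISC BIND. It assumes the shape of a BIND 9 "queries" category log line ("<timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags>") and constructs its own sample lines; the length and entropy thresholds are illustrative starting points, not tuned values.

```python
import re
from collections import Counter, defaultdict
from math import log2

# Constructed sample lines modelled on BIND 9 "queries" category entries
# (assumption: "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags>",
# where a leading "+" in <flags> means recursion desired).
SAMPLE_LOG = """\
03-Feb-2009 12:40:01.101 client 192.0.2.10#5353: query: . IN NS +
03-Feb-2009 12:40:01.102 client 192.0.2.10#5353: query: . IN NS +
03-Feb-2009 12:40:01.103 client 192.0.2.10#5353: query: . IN NS +
03-Feb-2009 12:40:01.104 client 192.0.2.10#5353: query: . IN NS +
03-Feb-2009 12:40:02.200 client 198.51.100.7#41022: query: xq7vz9kdwplmf.example.net IN A +
03-Feb-2009 12:40:02.201 client 198.51.100.7#41022: query: k3hj8wqzpmv2t.example.net IN A +
03-Feb-2009 12:40:02.202 client 198.51.100.7#41022: query: b9ty4nrxqlm6c.example.net IN A +
03-Feb-2009 12:40:02.203 client 198.51.100.7#41022: query: p2wv7kqmz5xnh.example.net IN A +
03-Feb-2009 12:40:03.300 client 203.0.113.5#60000: query: www.example.com IN A -
03-Feb-2009 12:40:03.301 client 203.0.113.5#60001: query: mail.example.com IN MX -
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype, recursion_desired), or None if the line is not a query entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname"), m.group("qtype"), m.group("flags").startswith("+")


def label_entropy(label):
    """Shannon entropy, in bits per character, of a single DNS label."""
    if not label:
        return 0.0
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_random(qname, min_len=10, min_entropy=3.0):
    """Heuristic: a long, high-entropy first label is what a generated name tends to look like."""
    first = qname.split(".")[0]
    return len(first) >= min_len and label_entropy(first) >= min_entropy


def suspicious_sources(log_text, threshold=3):
    """Count root-zone ('.') and random-name queries per client IP.

    Returns a dict of client IP -> stats for every client that reaches
    `threshold` queries of either kind; well-behaved clients are omitted.
    """
    per_ip = defaultdict(lambda: {"root": 0, "random": 0, "total": 0})
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, qname, _qtype, _rd = parsed
        stats = per_ip[ip]
        stats["total"] += 1
        if qname == ".":
            stats["root"] += 1
        elif looks_random(qname):
            stats["random"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        reasons = [kind for kind in ("root", "random") if stats[kind] >= threshold]
        if reasons:
            flagged[ip] = {"reasons": reasons, **stats}
    return flagged


if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(info['reasons'])} "
              f"({info['root']} root, {info['random']} random of {info['total']} queries)")
```

On a real server the input would be the live query log rather than the embedded sample, and the counts would be taken per time window so that a slow trickle of lookups from a legitimate resolver is not mistaken for a burst. The entropy test only flags long first labels, so ordinary short hostnames such as "www" or "mail" never trip it; the source address it reports is the one that received the reflected responses, which may itself be the victim rather than the origin of the traffic.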


More information about the gnhlug-discuss mailing list