[unisog] odd traffic on udp 53 (variation on thread)

Clarke Morledge chmorl at wm.edu
Sat Nov 8 02:49:55 GMT 2003

Here is a follow-up to a post from a few weeks ago...

Over the past month, we have experienced several Denial of Service attacks
on our Cisco PIX firewall due to huge increases in DNS traffic.

Several observations to make.  I may have seen this in earlier posts on
the list, but since I cannot seem to locate the archives anywhere any
longer I cannot confirm:

(1) We are seeing a substantial increase in the number of "normal" DNS
queries from spam bots traversing our network and infecting computers.
These DNS queries appear to be for names in legitimate DNS zones, but
repeated DNS queries go unanswered.  This is presumably to hide the
identity of the spammers.

The traffic pattern we see is that a legitimate request comes to our DNS
servers.  The local DNS servers cannot answer it, so they ask the root
DNS to help them find an authoritative DNS server for that zone.
The root DNS responds and we query the appropriate server -- or so we
think.  We never get a response.

We have observed these things trickle in at just a few a second, and then
they can balloon into hundreds (maybe more?) per second.

Some of the predominant DNS requests are for:


They query various DNS servers such as:

Our investigation thus far tells us that this is all related to spam bots
that infect student computers.

(2) Regarding the Cisco PIX, these DNS queries go unanswered and consume
resources on the PIX.  After a while, the resource consumption eventually
ties up the PIX firewall.  Turning off DNS Guard appears to be the
workaround to keep the PIX firewall from getting DoS'ed.

If anyone has any relevant information to share, please send it my way.


Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu
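The following is an added example, not part of Clarke Morledge's post and not Cisco code. It models the pattern the post describes: outbound DNS queries that never get an answer, each of which holds a UDP state entry on a stateful firewall until an idle timeout expires. Given a constructed query/response log (the format, the hosts, the timestamps and the idle-timeout and capacity figures are all assumptions made up for the example; a real PIX log does not look like this), it pairs responses with queries, counts unanswered queries per originating host so that an infected machine stands out, and sweeps the firewall state table over time to find the peak number of entries held open and the moment a given capacity would be exhausted.

```python
"""Added example (not from the original post, not Cisco code).

Models the traffic pattern described in the message above: outbound DNS
queries that never get an answer, each holding a firewall UDP state entry
until an idle timeout.  Given a constructed query/response log it pairs
responses with queries, counts unanswered queries per source host, and
sweeps the state table over time to find the peak number of entries held
open and the moment a given capacity would be exhausted.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: float          # seconds since start of capture
    direction: str    # "Q" = outbound query, "R" = inbound response
    src: str          # host that issued the query
    server: str       # DNS server the query was sent to
    txid: int         # DNS transaction ID
    qname: str        # name queried


# Constructed sample log (simplified format: time dir src server txid qname).
# 10.1.2.3 behaves normally; 10.1.7.7 fires queries that are never answered.
SAMPLE_LOG = """\
0.00 Q 10.1.2.3 192.0.2.10 4101 www.example.com
0.05 R 10.1.2.3 192.0.2.10 4101 www.example.com
0.10 Q 10.1.2.3 192.0.2.10 4102 mail.example.com
0.12 R 10.1.2.3 192.0.2.10 4102 mail.example.com
1.00 Q 10.1.7.7 203.0.113.5 1 host1.example.net
1.20 Q 10.1.7.7 203.0.113.5 2 host2.example.net
1.40 Q 10.1.7.7 203.0.113.5 3 host3.example.net
1.60 Q 10.1.7.7 203.0.113.5 4 host4.example.net
1.80 Q 10.1.7.7 203.0.113.5 5 host5.example.net
2.00 Q 10.1.2.3 192.0.2.10 4103 www.example.org
2.03 R 10.1.2.3 192.0.2.10 4103 www.example.org
"""

Pair = Tuple[Event, Optional[float]]   # (query, time of first response or None)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format above; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, d, src, server, txid, qname = line.split()
        events.append(Event(float(t), d, src, server, int(txid), qname))
    return events


def pair_queries(events: List[Event]) -> List[Pair]:
    """Match each response to its query on (src, server, txid, qname).

    Assumes a txid is not reused by the same src/server pair while an earlier
    query with that txid is still outstanding.  Responses with no matching
    query are ignored.
    """
    pending: Dict[tuple, Event] = {}
    pairs: List[Pair] = []
    for ev in sorted(events, key=lambda e: e.t):
        key = (ev.src, ev.server, ev.txid, ev.qname)
        if ev.direction == "Q":
            pending[key] = ev
        elif ev.direction == "R":
            q = pending.pop(key, None)
            if q is not None:
                pairs.append((q, ev.t))
    pairs.extend((q, None) for q in pending.values())   # never answered
    return pairs


def unanswered_by_host(pairs: List[Pair]) -> Dict[str, int]:
    """Number of queries per source host that never received a response."""
    counts: Dict[str, int] = defaultdict(int)
    for q, resp_t in pairs:
        if resp_t is None:
            counts[q.src] += 1
    return dict(counts)


def suspect_hosts(pairs: List[Pair], threshold: int) -> List[str]:
    """Hosts whose unanswered-query count reaches threshold, worst first."""
    counts = unanswered_by_host(pairs)
    return sorted((h for h, n in counts.items() if n >= threshold),
                  key=lambda h: -counts[h])


def state_table_sweep(pairs: List[Pair], idle_timeout: float,
                      capacity: int) -> Tuple[int, Optional[float]]:
    """Sweep the firewall state table over time.

    Model (an assumption, not measured PIX behaviour): every outbound query
    opens one UDP state entry at query time; it closes at the first response
    or, if none arrives, at query time + idle_timeout.  Returns the peak
    number of entries held open and the first time the count reaches
    capacity (None if it never does).
    """
    deltas = []
    for q, resp_t in pairs:
        close = resp_t if resp_t is not None else q.t + idle_timeout
        deltas.append((q.t, 1))
        deltas.append((close, -1))
    deltas.sort()                      # at equal times closes precede opens
    current = peak = 0
    exhausted_at = None
    for t, d in deltas:
        current += d
        peak = max(peak, current)
        if exhausted_at is None and current >= capacity:
            exhausted_at = t
    return peak, exhausted_at


PAIRS = pair_queries(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    print("unanswered per host:", unanswered_by_host(PAIRS))
    print("suspect hosts (>=3 unanswered):", suspect_hosts(PAIRS, 3))
    for timeout in (30.0, 0.5):
        peak, when = state_table_sweep(PAIRS, timeout, capacity=5)
        print(f"idle_timeout={timeout}s: peak entries={peak}, "
              f"capacity of 5 reached at t={when}")
```

Run with a real capture the log would have to be converted to this format first; the point of the two sweeps is that the same unanswered queries pin five entries open for the whole idle timeout when it is long, but only three at once when it is short, which is why a flood of queries to servers that never answer grows the state table far faster than the same number of answered queries would.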

