Yesterday I posted an article regarding the importance of ACLs in BIND because a client’s DNS server was under extreme load and, at the time, I believed it was because a network of web form spammers was outsourcing their lookups to the target. Upon further investigation it turned out that this was not the case – the hosts were indeed a part of some sort of spamming ring/botnet but they were actually performing endless repeated ANY lookups on isc.org – the producers of BIND, among other things.

The whole attack doesn’t make any sense; if they wanted to involve this server in the attack against isc they would be wasting reams of bandwidth that could otherwise have been applied directly, unless they knew both recursive lookups were allowed and caching was disabled. Even with no recursive ACL at the time the only server suffering was my client’s thanks to caching and there is no conceivable reason, in my mind, that a spam network would be targeting this specific dns server among many in its address space – from one source address at a time. Fortunately adding a recursive ACL reduced the bandwidth impact but it did not stop the scans, and bandwidth is a pricey commodity after all.

I whipped out wireshark and took a sample capture, these are the contents of a typical request packet:

0000  00 16 3e bb 00 02 00 16  3e cc 00 02 08 00 45 00   ..>..... >.....E.
0010  00 40 8b 0d 00 00 e9 11  d7 93 d1 0b f2 7b 00 00   .@...... .....{..
0020  00 00 63 01 00 35 00 2c  00 00 2a 39 01 00 00 01   ..c..5., ..*9....
0030  00 00 00 00 00 01 03 69  73 63 03 6f 72 67 00 00   .......i sc.org..
0040  ff 00 01 00 00 29 10 00  00 00 80 00 00 00         .....).. ......

Next it was just a matter of crafting a suitable snort rule for the upstream gateway:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org DDoS"; content:"|03 69 73 63 03 6f 72 67 00|"; reference:foxpa.ws,369; classtype:attempted-dos; sid:4000002; rev:1; fwsam: src, 1 day;)

Now I’m kicking back, watching the spammer network expose itself as its constituent hosts smack against the firewall like bugs against a windshield.

If only I had some beer.

See how this story progressed: