View Full Version : Isp Says Dos Attack Being Conducted

19th December 2005, 16:36
After doing the perfect fc4 setup and inlcuding the BIND 9 server, I received a angry letter from my ISP that a computer at my IP address is conducting a DOS attack on another client, recusive dns queries on excess of 6GB???? Anyhow, this is the second warning and if it continues I will be suspended. They also give a link to a secure BIND script that has no instructions on how to apply it.
Does anyone know whats going on and how I am able to stop it?

Any help would be nice.


19th December 2005, 16:48
Is the IP of the other client in your /etc/resolv.conf file?

Have you checked your server with a rootkit scanner like rkhunter from http://www.rootkit.nl?

20th December 2005, 16:25
Thanks for the fast response. On the /etc/resolv.conf file I only have the DNS server list for my ISP. Also did a rootkit scan as you recommended and everything passed OK. I have BIND version 9.3.1, under chroot /var/named/chroot which I believe is the secure version.

Here is my named.conf file which was created by Webmin

// named.conf for Red Hat caching-nameserver

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
// query-source address * port 53;


// a caching only nameserver config
controls {
inet allow { localhost; } keys { rndckey; };

zone "." IN {
type hint;
file "named.ca";

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };

include "/etc/rndc.key";
zone "ABC.DEF.GHI.in-addr.arpa" {
type master;
file "/var/named/ABC.DEF.GHI.rev";
zone "virtualdomain1.com" {
type master;
file "/var/named/virtualdomain1.hosts";

I am guessing my problem is named.conf, I have seen other examples of it and they have different Views and ACL's??

Part of the ISP letter:

Reported Incident:

All time stamps are based on time zone: -600 Recursive DNS lookup DOS attack:

Please, stop allowing open recursive lookups from external sources.

We've all seen a few related posts recently on related DNS amplification attacks here and it's getting progressively worse. The latest victim has been undergoing DOS attacks on a daily basis well in excess of 6GB/s for several weeks and it is _really_ hurting their business. We'd like to solicit as much help as possible from everyone in order to prevent the next victim from being one of us.

To help customers in cleaning up their DNS configurations, a secure BIND configuration template can be found at: http://www.cymru.com/Documents/secure-bind-template.html.

Any ideas???

20th December 2005, 17:18
If you don't need Bind on your server, I'd simply shut it down and close port 53 with a firewall.