BLOGTIMES
::
Home > Security > ArchiveList > 2009-1
«Prev || 1 || Next»
2009/01/21
[ by hsur at 01:45]

"."というDNSクエリが大量に来ている

 

昨日くらいからいくつかのサーバの/var/log/messagesが下記のようなログで埋め尽くされるようになってしまいました。

Jan 21 01:21:13 silesia named[23995]: client 66.230.160.1#24898: view global: query (cache) './NS/IN' denied
Jan 21 01:21:13 silesia named[23995]: client 66.230.128.15#34443: view global: query (cache) './NS/IN' denied
Jan 21 01:21:15 silesia named[23995]: client 66.230.160.1#14023: view global: query (cache) './NS/IN' denied
Jan 21 01:21:15 silesia named[23995]: client 66.230.160.1#24622: view global: query (cache) './NS/IN' denied
Jan 21 01:21:15 silesia named[23995]: client 66.230.128.15#59236: view global: query (cache) './NS/IN' denied

こういうのは何かの攻撃の前触れだろうということで調べてみると、SANSに以下のような記事が載っていました。なんらかのDoS攻撃のようです。

DNS queries for "."

Several folks are reporting odd queries hitting their DNS servers at a steady rate of about two per second. The queries invariably ask for the name server of the domain "." (NS query for a single dot). Since "." is a query for the root name servers, it has a very short query packet but a pretty long answer. Our current theory therefore is that this is a denial of service (DoS) attack in progress, where the DNS servers are used as "amplifiers" and unwittingly flood the (spoofed) source by providing a long answer to a system which never asked.

とりあえずサーバが再帰的問い合わせをしていなければ問題ないようです。僕の管理下のサーバは外部からの再帰問い合わせに答えないようには設定してあるのですが、念のためにSANSで公開されているDNS Test"."というクエリにサーバが応答しないか調べてみました。

 [続きを読む...]
Category: Security | | Comment(0) | TrackBack(0) | Permalink |
«Prev || 1 || Next»
::
Home > Security > ArchiveList > 2009-1
Copyright © 2004-2010 by CLES All Rights Reserved.
sp-20100319070021644595552@cles.net