Protection against any attack – dns attack any query

ISC.ORG any ATTACK - dns attack any query

An attack on UDP port 53 is spreading these days (the ANY query attack). The attack works like this:

The attacker sends a small UDP packet, with the victim's IP as the source address, to name servers around the internet. The packet contains a DNS query that means "send me all info about the domain". The DNS server then replies to the real victim with a large packet containing all the info about that domain. This looks easy, but the attacker sends this query to many servers at once and they all reply to the real victim. The ANY attack as seen in tcpdump:

23:19:15.165596 IP x.x.x.x.7185 > yourdnsserver.53: 13442+ [1au] ANY? (37)

BIND logs:

20:28:00.643 client x.x.x.x#49046: query: IN ANY +ED (x.x.x.x)

If you see this in your logs, keep in mind that you are not the victim: x.x.x.x is the victim, and your server will reply to x.x.x.x.


Here's why attackers use the ANY query:

# dig @ any | grep SIZE
;; MSG SIZE  rcvd: 337

# dig @ any | grep SIZE
;; MSG SIZE  rcvd: 2999

The reply from (Google public DNS server) when asked about is large.

How the ANY attack works - dns attack any query

The attacker assumes:
1. He can send fake packets (using the victim's IP as source). This is possible because the internet works by destination routing: packets are sent to their destination without checking their source. Some ISPs protect against this by checking that their clients only send packets from their assigned IP addresses (reverse path filtering), but there are still many ISPs out there that don't use this filtering and will pass spoofed packets towards their destination.
2. He can find open DNS servers: DNS servers that will reply to any query from anyone that asks. There are many like this on the internet (SOHO routers, DNS servers with default configurations, etc.).
Both conditions are easy to meet today. It's only a matter of scale: if someone has enough hosts to send these packets from (infected Windows machines, hacked servers, etc.), anything can happen.

How to protect against the ANY attack - dns attack any query

Protect your DNS server against the ANY attack
Step 1 to protect against any attack
THIS IS A MUST: configure your DNS server NOT to accept resolution requests from unauthorized IPs. If possible (when running a caching-only DNS server), also block UDP port 53 from unauthorized IPs towards your server on the firewall.
In BIND, named.conf:
include "/etc/namedb/acl.conf";
In the options block of named.conf:
        allow-query     { "our-networks"; };
        allow-transfer  { "transferip"; };
In acl.conf (the addresses below are placeholders; the original post's values are not shown, so put in your own):
acl "our-networks" { 192.0.2.0/24; };   /* placeholder: your client networks */
acl "transferip"   { 192.0.2.2; };      /* placeholder: your secondary's address */
If the same server is also authoritative for public zones, restrict recursion (allow-recursion) instead of all queries, otherwise nobody can resolve those zones.


Step 2 to protect against any attack

If only a few sources are involved, try to find where these packets are coming from and block them there.


Step 3 to protect against any attack

Limit UDP port 53 on your server, with something like this:
iptables -A INPUT -p udp --dport 53 -m connlimit --connlimit-above xx -j DROP
This might have an impact: if clients forward their DNS requests to your name server through a single address (a forwarder or NAT), regular queries from it may stop working.
Step 4 to protect against any attack
iptables can also do this:
iptables -A INPUT -p udp --dport 53 -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
which matches that exact name in DNS wire format (03 "isc" 03 "org" 00), so legitimate queries for that name are dropped as well.
Or you could find out the exact size of the packet used for this attack (use Wireshark) and block it:
iptables -I INPUT -p udp --dport 53 -m length --length xx -j DROP
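As an added example (not code from the original post), here is a small Python helper for two things discussed above: it counts IN ANY queries per client address in BIND query-log lines of the format shown earlier (remember the client is the spoofed victim, so the counts tell you who is being hit through your server), and it derives the wire-format hex string of the Step 4 iptables rule from a domain name, so the rule can be built for whatever name the attack uses. The log lines and addresses are constructed samples and the function names are my own.

```python
import re
from collections import Counter

# Constructed BIND query-log lines in the format shown in the post; the
# addresses are documentation ranges, not real hosts. The "client" column
# is the spoofed source address, i.e. the real victim of the reflected replies.
SAMPLE_LOG = [
    "20:28:00.643 client 198.51.100.7#49046: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:00.644 client 198.51.100.7#49047: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:00.645 client 198.51.100.7#49048: query: isc.org IN ANY +ED (192.0.2.53)",
    "20:28:01.100 client 203.0.113.9#51234: query: www.example.com IN A + (192.0.2.53)",
]

LOG_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def any_query_counts(lines):
    """Count 'IN ANY' queries per client address in BIND query-log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("qtype") == "ANY":
            counts[m.group("client")] += 1
    return counts


def victims_above(lines, threshold):
    """Addresses that got more than `threshold` ANY replies via this server."""
    return sorted(ip for ip, n in any_query_counts(lines).items() if n > threshold)


def dns_name_hex(name):
    """Encode a name in DNS wire format (length-prefixed labels plus a zero byte)
    as the hex string iptables' string match expects: isc.org -> 03697363036f726700."""
    out = bytearray()
    for label in name.strip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return out.hex()


def iptables_drop_rule(name):
    """Build the Step 4 drop rule for an arbitrary queried name (hypothetical helper)."""
    return ('iptables -A INPUT -p udp --dport 53 -m string --hex-string "|%s|" '
            '--algo bm --to 65535 -j DROP' % dns_name_hex(name))
```

Feed real query-log lines into `victims_above` to see which addresses your server is reflecting replies to; `iptables_drop_rule` only helps while the attacker keeps asking for the same name.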
