EvilZone
Hacking and Security => Hacking and Security => : DamonX February 26, 2013, 06:00:36 PM
-
Hi,
I am working on a project where we are analyzing DNS logs for potential attacks. I know it's a DDoS attack, but I want to go a little deeper to get more insight into what's going on.
Can someone please give me more insight on who is attacking and who's the target here for these couple of log lines:
24-Jan-2012 00:05:37.427 security: info: client 202.108.12.146#48073: query (cache) './NS/IN' denied
I know the IP address (202.108.12.146) is coming from China, and it's requesting the root server, but who is the target here? It's also a DDoS attack, but who are they targeting?
24-Jan-2012 07:22:56.921 security: info: client 66.103.64.10#2816: query (cache) './A/IN' denied
Looks the same as above, but the IP address is from L.A. and now it's ./A/IN. Same question: who is the target and what's going on?
This one is interesting:
24-Jan-2012 16:58:10.237 security: info: client 166.205.218.203#36710: query (cache) 'www.facebook.com/A/IN' denied
Does that mean Facebook is being attacked and our DNS server is being used as a botnet? I know it's denying the query because recursion is off, but still, are they targeting FB here?
I will really appreciate it if anyone can provide me more info on these three lines.
Thanks
Damon
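As an added example (not part of the original thread, and not anything the poster ran), here is a small Python script that parses BIND "query (cache) ... denied" security log lines of the kind quoted above into structured records and tallies them per client, per query name and per rough category. The sample input is the three lines from the post; the category labels in `classify` are my own heuristics, not something BIND emits.

```python
"""Added example (not from the thread): parse BIND 'query (cache) ... denied'
security log lines and tally them by client, query name and category."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the three log lines quoted in the post above.
SAMPLE_LOG = """\
24-Jan-2012 00:05:37.427 security: info: client 202.108.12.146#48073: query (cache) './NS/IN' denied
24-Jan-2012 07:22:56.921 security: info: client 66.103.64.10#2816: query (cache) './A/IN' denied
24-Jan-2012 16:58:10.237 security: info: client 166.205.218.203#36710: query (cache) 'www.facebook.com/A/IN' denied
"""

# BIND 9 "security" category line: timestamp, severity, client addr#port,
# the cache the query was aimed at, then 'qname/qtype/qclass' and the verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"security: (?P<severity>\w+): client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \((?P<cache>[^)]*)\) '(?P<qname>[^'/]+)/(?P<qtype>[^'/]+)/(?P<qclass>[^']+)' denied$"
)


def parse_line(line):
    """Return a dict for one 'query ... denied' line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse every matching line in a log blob; lines that are not query denials are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Heuristic label (mine, not BIND's): a query for the root zone ('.') is the
    pattern seen in open-resolver probing and spoofed-source reflection attempts;
    anything else is an ordinary recursive lookup for a third-party name."""
    if rec["qname"] == ".":
        return "root-zone query"
    return "third-party name lookup"


def summarize(recs):
    """Counts by client IP, by (qname, qtype) and by heuristic category.
    The useful signal is repetition: many denials from one client, or one
    qname from many clients, which a single line per client cannot show."""
    return {
        "by_client": Counter(r["ip"] for r in recs),
        "by_query": Counter((r["qname"], r["qtype"]) for r in recs),
        "by_category": Counter(classify(r) for r in recs),
    }


def noisy_clients(recs, threshold=2):
    """Clients with at least `threshold` denied queries, most active first."""
    counts = summarize(recs)["by_client"]
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(f"{r['ts']:%Y-%m-%d %H:%M:%S} {r['ip']:>16} {r['qname']:>18} {r['qtype']:<3} {classify(r)}")
    print(summarize(records))
    print("noisy clients:", noisy_clients(records))
```

Run it over a full day's log rather than three lines: the per-client and per-qname counters are what separate a one-off scan from a sustained stream. Keep in mind that the address in the `client` column is whatever the UDP packet's source field said, so if sources are spoofed the logged client is the party that would receive any reply, not necessarily the sender.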
-
A quick Google search of the root Name Server query showed as one of the top results this: http://blog.tomh.us/post/72857274/blocking-recursive-root-dns-queries-with-iptables
This guy had exactly the same problem back in '09 and also shows you how to fix it.
-
I understand that it's a DDoS attack, but I was wondering if someone can analyze it and provide me more details.