Home / server / Questions / 449680
Accepted
Waleed Hamra
Asked: 2012-11-18 02:55:52 +0800 CST

possible UDP attack on BIND?

  • 772

hello everyone,

i was surprised last month when my EC2 instance (ubuntu precise server), that is supposed to be under the free tier still, accumulated lots of traffic... today, while checking my current billing statement, i noticed i already have tons of traffic, while still in the middle of the month, and i'm fearing what my bill by the end of the month is going to be...

i installed bandwidthd, and after few minutes, i noticed lots of UDP traffic to "108.162.233.15". this is apparently a cloudflare IP, and i don't have anything using cloudflare (as far as i know).

so i ran "iftop" to see what ports are being used, and i saw the UDP traffic coming from port 80 to my port 53... why would a webserver query dns?

so i stopped bind on my server, and ran it in foreground debugging mode, and saw the following query, being repeated continuously:

17-Nov-2012 12:30:58.216 client 108.162.233.15#80: UDP request
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: request is not signed
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: recursion available
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: query
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: query (cache) 'isc.org/ANY/IN' approved
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: send
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: sendto
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: senddone
17-Nov-2012 12:30:58.217 client 108.162.233.15#80: next
17-Nov-2012 12:30:58.217 client 108.162.233.15#80: endrequest
17-Nov-2012 12:30:58.217 client @0x7fbee05126e0: udprecv
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: UDP request
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: request is not signed
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: recursion available
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: query
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: query (cache) 'isc.org/ANY/IN' approved
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: send
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: sendto
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: senddone
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: next
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: endrequest

my question is... is this normal? should i be worried? or is this completely irrelevant to my data charges, and i should wait to see more data from bandwidthd?

thank you in advance.

ubuntu

1 Answers

  1. Best Answer

    It looks to me your server is being used in a DNS amplification attack.
    I don't know the pricing model of Amazon EC2, but I'd be surprised if this traffic didn't count.

    It works like this:
    Someone is sending a DNS query to your server with the spoofed IP 108.162.233.15.
    Your server answers this query to the real victim - 108.162.233.15.
    The query is pretty small, but the answer is quite big (check dig -t ANY isc.org).

    The real question is, why does your server answer these queries?
    Are you intentionally running an public recursive DNS for everybody to use?

    If not, you need to disable recursion or limit it to trusted/known clients (recursion no; and allow-query-cache {none;};).

    • 7