  1. #1
    Join Date
    Apr 2005
    Location
    Tinterweb
    Posts
    555

    NAMED attack - spoofed IPs

    Over the past few days I have noticed thousands of these entries:

    Oct 14 08:22:48 clipper named[24100]: client 14.17.65.170#718: view external: error sending response: host unreachable
    Oct 14 08:22:53 clipper named[24100]: client 190.115.19.47#870: view external: error sending response: host unreachable
    Oct 14 08:23:07 clipper named[24100]: client 190.115.19.55#507: view external: error sending response: host unreachable
    Oct 14 08:23:16 clipper named[24100]: client 14.17.65.170#891: view external: error sending response: host unreachable
    Oct 14 08:23:26 clipper named[24100]: client 190.115.19.54#769: view external: error sending response: host unreachable
    Oct 14 08:23:30 clipper named[24100]: client 14.17.65.170#545: view external: error sending response: host unreachable
    Oct 14 08:23:37 clipper named[24100]: client 14.17.65.170#146: view external: error sending response: host unreachable
    Oct 14 08:23:42 clipper named[24100]: client 59.63.181.109#273: view external: error sending response: host unreachable
    Oct 14 08:23:47 clipper named[24100]: client 190.115.19.45#643: view external: error sending response: host unreachable
    Oct 14 08:23:58 clipper named[24100]: client 190.115.19.56#941: view external: error sending response: host unreachable
    Oct 14 08:24:10 clipper named[24100]: client 115.239.226.154#789: view external: error sending response: host unreachable
    Oct 14 08:24:23 clipper named[24100]: client 115.239.226.154#756: view external: error sending response: host unreachable
    Oct 14 08:24:26 clipper named[24100]: client 190.115.19.45#822: view external: error sending response: host unreachable

    I keep blocking the IP addresses which will help for a few hours, then another batch will start attacking.

    Any idea how this can be stopped? I have heard of PHREL, any good?
    C program run. C program crash. C programmer quit.
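
The log entries in the first post can be summarised per client and per /24 network, with a count of how many arrived from a source port below 1024, the port range the APF rule in post #6 concerns. This is an added example, not part of the original thread; the sample is the first six log lines from that post, and the function names and the /24 grouping are assumptions made here.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# First six log lines from post #1, embedded so the example runs offline.
SAMPLE = """\
Oct 14 08:22:48 clipper named[24100]: client 14.17.65.170#718: view external: error sending response: host unreachable
Oct 14 08:22:53 clipper named[24100]: client 190.115.19.47#870: view external: error sending response: host unreachable
Oct 14 08:23:07 clipper named[24100]: client 190.115.19.55#507: view external: error sending response: host unreachable
Oct 14 08:23:16 clipper named[24100]: client 14.17.65.170#891: view external: error sending response: host unreachable
Oct 14 08:23:26 clipper named[24100]: client 190.115.19.54#769: view external: error sending response: host unreachable
Oct 14 08:23:30 clipper named[24100]: client 14.17.65.170#545: view external: error sending response: host unreachable
"""

LINE_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+):"
    r".*error sending response: (?P<reason>.+)$"
)

def parse(log_text):
    """Yield (ip, source_port, reason) for each 'error sending response' line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["reason"].strip()

def summarise(log_text, prefix=24):
    """Count failures per client and per network, and note low source ports."""
    per_ip = Counter()
    hosts = defaultdict(set)  # network -> distinct client addresses seen in it
    low_port = 0
    for ip, port, _reason in parse(log_text):
        per_ip[ip] += 1
        hosts[str(ip_network(f"{ip}/{prefix}", strict=False))].add(ip)
        # Resolvers normally query from ephemeral ports, so a source port
        # below 1024 is counted separately.
        low_port += port < 1024
    # network -> (total hits, number of distinct client addresses)
    per_net = {net: (sum(per_ip[h] for h in ips), len(ips)) for net, ips in hosts.items()}
    return {"total": sum(per_ip.values()), "low_port": low_port,
            "per_ip": dict(per_ip), "per_net": per_net}

if __name__ == "__main__":
    report = summarise(SAMPLE)
    print(f"{report['low_port']}/{report['total']} lines have a source port below 1024")
    for net, (hits, distinct) in sorted(report["per_net"].items(), key=lambda kv: -kv[1][0]):
        print(f"{net:18} hits={hits} distinct_clients={distinct}")
```

Grouping by network shows why per-address blocking only helps for a while: in this sample 190.115.19.0/24 appears three times but from three different addresses, so no single address stands out.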

  2. #2
    Join Date
    Jul 2011
    Location
    Sittingbourne, Kent, UK
    Posts
    194
    Do you have DNS recursion enabled on the server?
    RackSRV Communications Limited
    UK specialists in Dedicated Servers & Server Colocation
    Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 111 4444

  3. #3
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,154
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de

  4. #4
    Join Date
    Apr 2005
    Location
    Tinterweb
    Posts
    555
    I have the following under options (named.conf):
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    Last edited by LP560; 10-14-2013 at 04:56 AM.

  5. #5
    Join Date
    Apr 2005
    Location
    Tinterweb
    Posts
    555
    I seem to be getting thousands of these now - they go on for 3-4hrs, stop for an hour or so, then start again.

  6. #6
    Join Date
    Apr 2005
    Location
    Tinterweb
    Posts
    555
    Finally after many days of troubleshooting I've found a fix. I run APF firewall, but the firewall blocks ports 1024 and below.

    Edit: /etc/apf/firewall

    Find these two lines:
    $IPT -A OUTPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    And change to:

    $IPT -A OUTPUT -p tcp --dport 1:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 1:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    Restart APF.

  7. #7
    Also block DNS version being displayed
    Install csf firewall to stop such flooding

  8. #8
    Quote, originally posted by my247webhosting:
        Also block DNS version being displayed
        Install csf firewall to stop such flooding

    He mentioned that he is using APF so CSF and APF will not work simultaneously. He will have to select either of them.

  9. #9
    csf firewall handles these issues perfectly. It is easy to install and handle also.
