[Unbound-users] unbound vs fast flux botnets?
Felix Schueren
felix.schueren at hosteurope.de
Tue Aug 31 08:47:49 UTC 2010
I'm curious as to whether this is a DoS scenario for unbound:
Looking at my requestlist, I see:
~# unbound-control dump_requestlist | egrep '(trassae95.com|kizilyagoda.com)'
14 AAAA IN ns1.trassae95.com. - iterator wait for (empty_list)
19 AAAA IN ns1.kizilyagoda.com. - iterator wait for (empty_list)
30 AAAA IN ns2.trassae95.com. - iterator wait for 200.65.141.192
37 AAAA IN ns2.kizilyagoda.com. - iterator wait for 201.172.22.103
44 AAAA IN ns3.trassae95.com. - iterator wait for (empty_list)
46 AAAA IN ns3.kizilyagoda.com. - iterator wait for (empty_list)
50 AAAA IN ns4.trassae95.com. - iterator wait for (empty_list)
52 AAAA IN ns4.kizilyagoda.com. - iterator wait for (empty_list)
102 A IN bihjgiajc.kizilyagoda.com. 24.987797 iterator wait for (empty_list)
105 A IN bcdbciidgb.kizilyagoda.com. 5.753630 iterator wait for 121.94.2.105
106 A IN bigggjhdaj.kizilyagoda.com. 36.242830 iterator wait for (empty_list)
107 A IN cefbhcbfej.kizilyagoda.com. 18.705449 iterator wait for (empty_list)
108 A IN cibdhgghee.trassae95.com. 46.999489 iterator wait for (empty_list)
153 MX IN bidfgcgcb.trassae95.com. 43.033308 iterator wait for (empty_list)
154 MX IN eijcecafg.kizilyagoda.com. 14.677905 iterator wait for (empty_list)
156 MX IN jiheheceb.kizilyagoda.com. 23.593555 iterator wait for (empty_list)
159 MX IN bafcebjjfd.trassae95.com. 56.225519 iterator wait for (empty_list)
160 MX IN bbjbhegbdd.trassae95.com. 6.782797 iterator wait for 201.173.217.27
161 MX IN beehifddij.trassae95.com. 32.657037 iterator wait for (empty_list)
163 MX IN chgeecgjei.trassae95.com. 42.891975 iterator wait for (empty_list)
164 MX IN chggafffeg.trassae95.com. 57.039805 iterator wait for (empty_list)
165 MX IN cibdhgghee.trassae95.com. 29.959160 iterator wait for (empty_list)
166 MX IN cjcfdgahdd.kizilyagoda.com. 42.532783 iterator wait for (empty_list)
167 MX IN dbibddegca.kizilyagoda.com. 24.534594 iterator wait for (empty_list)
168 MX IN ddidejiidj.trassae95.com. 17.606406 iterator wait for (empty_list)
169 MX IN dhcfgjahdg.trassae95.com. 14.205446 iterator wait for (empty_list)
210 AAAA IN dbjajadij.kizilyagoda.com. 18.589665 iterator wait for (empty_list)
211 AAAA IN effjgciba.kizilyagoda.com. 10.629990 iterator wait for 201.172.22.103
212 AAAA IN bcdbciidgb.kizilyagoda.com. 23.751077 iterator wait for (empty_list)
213 AAAA IN bcjgdedhgf.kizilyagoda.com. 49.471699 iterator wait for (empty_list)
227 ANY IN daebjfbif.trassae95.com. 37.545012 iterator wait for (empty_list)
228 ANY IN fggjjijag.trassae95.com. 1.158926 iterator wait for 76.17.135.60
229 ANY IN hehfbadjf.trassae95.com. 58.035129 iterator wait for (empty_list)
230 ANY IN jjfhbaadd.trassae95.com. 16.369137 iterator wait for (empty_list)
231 ANY IN dbcigchgee.kizilyagoda.com. 26.548473 iterator wait for (empty_list)
232 ANY IN deeehjifcg.trassae95.com. 56.486064 iterator wait for (empty_list)
233 ANY IN djdijbiabc.trassae95.com. 13.935859 iterator wait for (empty_list)
234 ANY IN ebhdhfbijh.kizilyagoda.com. 30.264298 iterator wait for (empty_list)
235 ANY IN ecciiidfib.trassae95.com. 47.413911 iterator wait for (empty_list)
236 ANY IN ecgbhaabic.trassae95.com. 8.157523 iterator wait for 200.65.141.192
Looking at actual traffic shows:
10:40:49.888111 IP a.b.c.d.60389 > 121.94.2.105.53: 64660 MX? eccjahaace.kizilyagoda.com. (44)
10:40:49.889058 IP a.b.c.d.39768 > 201.172.22.103.53: 46921 AAAA? beafbbggag.kizilyagoda.com. (44)
10:40:49.938592 IP a.b.c.d.12451 > 201.172.22.103.53: 38084 MX? bcahcieedg.kizilyagoda.com. (44)
10:40:50.076585 IP e.f.g.h.33264 > n.s.n.s.53: 10782+ MX? eccjahaace.kizilyagoda.com. (44)
10:40:50.076743 IP a.b.c.d.4904 > 121.94.2.105.53: 48147 MX? eccjahaace.kizilyagoda.com. (44)
10:40:50.091747 IP a.b.c.d.34322 > 41.140.225.74.53: 33096 ANY? cbgdhefegh.kizilyagoda.com. (44)
10:40:50.145489 IP a.b.c.d.16663 > 200.65.141.192.53: 2701% AAAA? ns2.trassae95.com. (35)
10:40:50.146577 IP a.b.c.d.28988 > 41.140.225.74.53: 31688 ANY? dahgabajea.kizilyagoda.com. (44)
10:40:50.152974 IP a.b.c.d.38972 > 97.93.83.32.53: 39798% AAAA? ns2.kizilyagoda.com. (37)
10:40:50.191253 IP a.b.c.d.41846 > 201.172.22.103.53: 33606 MX? ceehjahebd.kizilyagoda.com. (44)
10:40:50.199559 IP a.b.c.d.21348 > 41.140.225.74.53: 16574 MX? jgbiehbdf.kizilyagoda.com. (43)
10:40:50.223359 IP a.b.c.d.52152 > 201.172.22.103.53: 52049 A? djjbafbifh.kizilyagoda.com. (44)
10:40:50.290392 IP a.b.c.d.63374 > 41.140.225.74.53: 3752 MX? daefiegdi.kizilyagoda.com. (43)
10:40:50.313030 IP a.b.c.d.30161 > 121.94.2.105.53: 56993 AAAA? daefiegdi.kizilyagoda.com. (43)
10:40:50.319424 IP a.b.c.d.6357 > 121.94.2.105.53: 14855 A? ehbdcdddh.kizilyagoda.com. (43)
10:40:50.381734 IP a.b.c.d.7965 > 200.65.141.192.53: 8121% AAAA? ns2.trassae95.com. (35)
10:40:50.441657 IP a.b.c.d.46522 > 192.41.162.30.53: 33130% [1au] AAAA? ns2.kizilyagoda.com. (48)
10:40:50.445861 IP a.b.c.d.61172 > 76.17.135.60.53: 29773 MX? bdbdiaicag.trassae95.com. (42)
5 minutes later, my requestlist looks like this:
~# unbound-control dump_requestlist | egrep '(trassae95.com|kizilyagoda.com)'
17 AAAA IN ns1.trassae95.com. - iterator wait for (empty_list)
31 AAAA IN ns2.trassae95.com. - iterator wait for 85.87.67.158
35 AAAA IN ns2.kizilyagoda.com. - iterator wait for 97.93.83.32
44 AAAA IN ns3.trassae95.com. - iterator wait for (empty_list)
52 AAAA IN ns4.trassae95.com. - iterator wait for (empty_list)
109 A IN chaiigdgij.kizilyagoda.com. 2.938054 iterator wait for 121.94.2.105
110 A IN dfgegjgheb.trassae95.com. 33.070671 iterator wait for (empty_list)
121 NS IN trassae95.com. 29.149289 iterator wait for (empty_list)
142 MX IN daefiegdi.kizilyagoda.com. 1.451479 iterator wait for 121.94.2.105
143 MX IN eajheadji.trassae95.com. 56.069476 iterator wait for (empty_list)
145 MX IN bfigbabiej.trassae95.com. 1.128736 iterator wait for 76.17.135.60
146 MX IN bicejjaaha.trassae95.com. 56.627532 iterator wait for (empty_list)
148 MX IN cgfahaehff.trassae95.com. 28.788023 iterator wait for (empty_list)
150 MX IN cgjghfbibg.kizilyagoda.com. 7.776240 iterator wait for 97.93.83.32
151 MX IN chifiabbga.trassae95.com. 74.762737 iterator wait for (empty_list)
152 MX IN cibdhgghee.trassae95.com. 49.946996 iterator wait for (empty_list)
153 MX IN ddcajcbbid.trassae95.com. 92.546959 iterator wait for (empty_list)
155 MX IN djhhifdfdf.trassae95.com. 51.565734 iterator wait for (empty_list)
171 AAAA IN ns2.trassae95.com. 171.901942 iterator wait for (empty_list)
172 AAAA IN ns2.kizilyagoda.com. 173.880025 iterator wait for 97.93.83.32
199 ANY IN bacfddaec.trassae95.com. 62.756320 iterator wait for (empty_list)
200 ANY IN bidfgcgcb.trassae95.com. 20.974421 iterator wait for (empty_list)
201 ANY IN fhhghbdgj.trassae95.com. 22.437517 iterator wait for (empty_list)
202 ANY IN fidhefgef.trassae95.com. 81.784578 iterator wait for (empty_list)
204 ANY IN iicghjjbh.trassae95.com. 80.217386 iterator wait for (empty_list)
205 ANY IN baciichfaf.trassae95.com. 97.818403 iterator wait for (empty_list)
206 ANY IN bcdhcbhdhd.trassae95.com. 36.057696 iterator wait for (empty_list)
207 ANY IN bdfjccbfid.trassae95.com. 83.410361 iterator wait for (empty_list)
208 ANY IN beigaechai.trassae95.com. 39.789720 iterator wait for (empty_list)
209 ANY IN bfjdaegcbh.trassae95.com. 70.373285 iterator wait for (empty_list)
210 ANY IN bggjedjgaj.trassae95.com. 83.499413 iterator wait for (empty_list)
211 ANY IN bhjefajcfh.trassae95.com. 59.355704 iterator wait for (empty_list)
212 ANY IN caggfacejc.trassae95.com. 12.913211 iterator wait for 85.87.67.158
213 ANY IN cccefhebda.trassae95.com. 87.274155 iterator wait for (empty_list)
214 ANY IN chcaicdbch.trassae95.com. 31.757918 iterator wait for (empty_list)
215 ANY IN cibddgcfcf.kizilyagoda.com. 3.366306 iterator wait for 41.140.225.74
216 ANY IN cibhijiebi.trassae95.com. 24.905496 iterator wait for (empty_list)
217 ANY IN ciejfeggcb.trassae95.com. 97.829665 iterator wait for (empty_list)
218 ANY IN cjecdegihh.trassae95.com. 80.917676 iterator wait for (empty_list)
219 ANY IN cjfecbjaic.kizilyagoda.com. 5.613406 iterator wait for 121.94.2.105
221 ANY IN dbbgceigfd.trassae95.com. 19.365606 iterator wait for (empty_list)
222 ANY IN ddhehjafii.trassae95.com. 10.641170 iterator wait for 85.87.67.158
223 ANY IN decachgfhe.trassae95.com. 26.143278 iterator wait for (empty_list)
224 ANY IN dhjcjijcgd.trassae95.com. 41.855551 iterator wait for (empty_list)
225 ANY IN diifjhdiff.trassae95.com. 86.451828 iterator wait for (empty_list)
226 ANY IN djefjhaadc.trassae95.com. 35.928452 iterator wait for (empty_list)
227 ANY IN ecfdabgfea.trassae95.com. 105.531254 iterator wait for (empty_list)
Could this (with enough zombies) explain a sudden rise in
waiting/dropped requests? Is there anything I can do to protect unbound
against this?
Kind regards,
Felix
--
Felix Schüren
Head of Network
-----------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Phone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - VAT ID no.: DE187370678
Managing Directors:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
(*) 0.14 EUR/min from German landlines; at most 0.42 EUR/min from
German mobile networks
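
Added example, not part of the original post: a small Python summarizer for `unbound-control dump_requestlist` output that groups pending requests by zone and flags zones with many distinct pending names, the pattern visible in the dumps above. It expects one entry per line; treating the last two labels as the zone and the `min_names` threshold are assumptions, and the sample mixes lines from the post with one constructed entry.

```python
import re
from collections import defaultdict

# Lines copied from the post, plus one constructed benign entry (example.org).
SAMPLE = """\
14 AAAA IN ns1.trassae95.com. - iterator wait for (empty_list)
30 AAAA IN ns2.trassae95.com. - iterator wait for 200.65.141.192
102 A IN bihjgiajc.kizilyagoda.com. 24.987797 iterator wait for (empty_list)
105 A IN bcdbciidgb.kizilyagoda.com. 5.753630 iterator wait for 121.94.2.105
107 A IN cefbhcbfej.kizilyagoda.com. 18.705449 iterator wait for (empty_list)
153 MX IN bidfgcgcb.trassae95.com. 43.033308 iterator wait for (empty_list)
212 AAAA IN bcdbciidgb.kizilyagoda.com. 23.751077 iterator wait for (empty_list)
227 ANY IN daebjfbif.trassae95.com. 37.545012 iterator wait for (empty_list)
300 A IN www.example.org. 0.012000 iterator wait for 192.0.2.1
"""

# Columns: id, qtype, class, qname, age in seconds (or "-"), module status
ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s+\S+\s+(\S+)\s+(-|\d+(?:\.\d+)?)\s+(.+)$")

def parse(text):
    """Yield (qtype, qname, age, status); lines that do not match are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            qtype, qname, age, status = m.groups()
            yield qtype, qname.lower(), None if age == "-" else float(age), status

def zone_of(qname):
    # Assumption: the last two labels are the registered domain (no public suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def summarize(text):
    """Per-zone counters: entries, distinct qnames, entries with no target, oldest age."""
    zones = defaultdict(lambda: {"entries": 0, "qnames": set(), "stalled": 0, "max_age": 0.0})
    for qtype, qname, age, status in parse(text):
        z = zones[zone_of(qname)]
        z["entries"] += 1
        z["qnames"].add(qname)
        z["stalled"] += status.endswith("(empty_list)")
        if age is not None:
            z["max_age"] = max(z["max_age"], age)
    return dict(zones)

def flagged(text, min_names=3):
    """Zones with at least min_names distinct pending names, busiest first."""
    hits = [(-z["entries"], name) for name, z in summarize(text).items()
            if len(z["qnames"]) >= min_names]
    return [name for _, name in sorted(hits)]

if __name__ == "__main__":
    for zone, z in summarize(SAMPLE).items():
        print(zone, z["entries"], len(z["qnames"]), z["stalled"], z["max_age"])
    print("flagged:", flagged(SAMPLE))
```

Run periodically against the live request list, the per-zone entry and stalled counts show how much of the list a single zone is occupying.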