An annoying attack

It looks like today is “Attack Day.” I run a program to show the output from syslog in real time (it's part of my syslogintr [1] project) and (like right as I type this) I'm seeing a slew of bogus DNS (Domain Name Service) queries:

```
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
```

And not just from that IP (Internet Protocol) address either—so far 87 different IPs have been sending bogus requests to my DNS server. I would also like to find the program that does this, as every single request has come from the same port. Different IP address, sure, but the source port is always the same.
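The same-port pattern is easy to confirm mechanically rather than by eye. The following Python is an added illustration, not part of syslogintr or of the original post: it parses BIND "query ... denied" lines of the shape shown above from a constructed sample log and groups the denied queries by (name, type, source port), so that one source port shared by many distinct client addresses stands out. The addresses in the sample other than the one quoted above are made up.

```python
import re
from collections import Counter, defaultdict

# Matches the BIND "query ... denied" syslog line shape quoted in the post.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# Constructed sample: three client addresses all using the same source port,
# one unrelated denied query on a different port, and one non-query line.
SAMPLE_LOG = """\
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 46.234.117.251#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 198.51.100.7#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 203.0.113.9#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 203.0.113.9#25345: query (cache) 'isc.org/ANY/IN' denied
security: info: client 192.0.2.44#53112: query (cache) 'example.com/A/IN' denied
named[1234]: zone example.net/IN: loaded serial 2012010401
"""


def parse_denied_queries(text):
    """Yield (ip, port, qname, qtype) for each denied-query line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["qname"], m["qtype"]


def summarize(text, min_ips_per_port=2):
    """Count denied queries per client and flag (qname, qtype, port) tuples
    that at least min_ips_per_port distinct client addresses share.

    Many different addresses reusing one source port for the same query is
    the signature the post describes; a single client retrying would keep
    one address and usually vary its port.
    """
    per_key_ips = defaultdict(set)
    per_ip = Counter()
    for ip, port, qname, qtype in parse_denied_queries(text):
        per_key_ips[(qname, qtype, port)].add(ip)
        per_ip[ip] += 1
    suspicious = {
        key: sorted(ips)
        for key, ips in per_key_ips.items()
        if len(ips) >= min_ips_per_port
    }
    return {"per_ip": dict(per_ip), "suspicious": suspicious}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("distinct clients:", len(result["per_ip"]))
    for (qname, qtype, port), ips in result["suspicious"].items():
        print(f"{qname}/{qtype} from port {port}: {len(ips)} distinct clients")
```

Feed it `journalctl -u named` or the syslog file instead of `SAMPLE_LOG` and the `suspicious` map is the list of (query, port) pairs worth rate-limiting or filtering.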

I'm also seriously tempted to write a program to send back a nice, custom response to these, in the hopes that the program actually cares about the response. The obvious thing to do is send back a response that contains an infinitely long domain name—it's not hard to do, just the right two bytes in the right location and you have an infinitely long name to parse (this is exploiting the DNS message compression scheme—spcdns [2] has code to protect against this, by the way). Or maybe not an infinitely long domain name, but an insanely long one (again, easy to do by exploiting the message compression scheme, and again, spcdns has protection against this attack as well).
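The protection spcdns provides against the compression tricks just described can be shown in a few lines. The following Python name decoder is an added example, not spcdns code and not anything from the original post: it accepts ordinary compression (a pointer back to an earlier copy of a name) and rejects a pointer that does not move strictly backwards, which is the two-byte change that makes a name loop forever, as well as a name whose decoded length exceeds the 255-byte limit. The message bytes are constructed; there is no DNS header in front of them, so the offsets are just positions in the byte string.

```python
MAX_NAME = 255   # RFC 1035 limit on a complete wire-format name
MAX_LABEL = 63   # RFC 1035 limit on one label


class BadName(ValueError):
    """Raised for a name the decoder refuses to follow."""


def decode_name(msg, offset):
    """Decode the DNS name at msg[offset]; return (dotted name, offset after it).

    Every compression pointer must target an offset strictly below the start
    of the name being decoded and strictly below every earlier pointer target.
    That bound only ever decreases, so a pointer chain must terminate; a
    self-referencing pointer, or one that points into a label already
    visited, is rejected instead of being followed indefinitely.
    """
    labels = []
    total = 0          # decoded wire length, including length bytes
    pos = offset
    bound = offset     # next pointer target must be below this
    end = None         # offset just past the name in the caller's stream
    while True:
        if pos >= len(msg):
            raise BadName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise BadName("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= bound:
                raise BadName(f"pointer at {pos} to {target} does not go strictly backwards")
            if end is None:
                end = pos + 2
            bound = target
            pos = target
            continue
        if length & 0xC0:
            raise BadName("reserved label type")
        if length > MAX_LABEL:
            raise BadName("label longer than 63 bytes")
        if length == 0:                                 # root label ends the name
            if end is None:
                end = pos + 1
            return ".".join(labels) + ".", end
        if pos + 1 + length > len(msg):
            raise BadName("label runs past end of message")
        total += length + 1
        if total > MAX_NAME:
            raise BadName("name longer than 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def safe_decode(msg, offset):
    """Return (name, next_offset) on success, or (None, reason) on rejection."""
    try:
        return decode_name(msg, offset)
    except BadName as e:
        return None, str(e)


# Constructed message: a plain name, a compressed name that legitimately
# points back to it, and two looping pointers of the kind the post mentions.
SAMPLE_MSG = (
    b"\x03isc\x03org\x00"      # offset 0: isc.org
    + b"\x03www\xc0\x00"       # offset 9: www + pointer to offset 0 -> www.isc.org
    + b"\xc0\x0f"              # offset 15: pointer to itself
    + b"\x01a\xc0\x11"         # offset 17: label 'a' then pointer back to offset 17
)

# Constructed message: five 63-byte labels, 320 bytes in total, over the 255 limit.
LONG_MSG = b"".join(b"\x3f" + b"a" * 63 for _ in range(5)) + b"\x00"

if __name__ == "__main__":
    for off in (0, 9, 15, 17):
        print(off, safe_decode(SAMPLE_MSG, off))
    print("long", safe_decode(LONG_MSG, 0))
```

The check that matters is `target >= bound` with `bound` starting at the name's own start offset: a weaker test such as "pointer target is before the pointer" still accepts the label-then-pointer case at offset 17, which loops.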

Perhaps better would be to return an answer to a question that was never asked to begin with. “Oh, you want any record for isc.org? Here, have the LOC (Location) record for nsa.gov. Have a nice day.” Or perhaps just echo back the original packet and really confuse the sending program.

But in doing some searching, this appears to be an old denial of service attack against Internet Systems Consortium [3] (the makers of bind [4], quite possibly the most widely used DNS server) and as such, any bogus responses would probably not do anything to the attacking software, which probably ignores any replies anyway.

Update on Wednesday, January 5th, 2012

Good thing I didn't send back any custom responses [5] …

[1] https://github.com/spc476/syslogintr

[2] https://github.com/spc476/SPCDNS

[3] http://www.isc.org/

[4] http://www.isc.org/software/bind/

[5] /boston/2012/01/05.1
