You appear to be running an open recursive resolver at IP address —.—.—.— that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.
Please consider reconfiguring your resolver in one or more of these ways:
- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in “allow-query”; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in “allow-query” for the server overall but setting “allow-query” to “any” for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)
More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A
If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.
Example DNS responses from your resolver during this attack are given below.
Date/timestamps (far left) are UTC.
2016-05-19 00:46:15.470397 IP (tos 0x0, ttl 47, id 25832, offset 0, flags [+], proto UDP (17), length 1500) —.—.—.—.53 > 162.248.89.x.10001: 31740| 22/0/0 cpsc.gov. RRSIG[|domain]
0x0000: 4500 05dc 64e8 2000 2f11 94f3 59d4 15a1 E…d…/…Y…
0x0010: a2f8 59c8 0035 2711 1007 b301 7bfc 8380 ..Y..5’…{…
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f …cpsc.go
0x0030: 7600 00ff 0001 c00c 002e 0001 0000 1b6a v…j
0x0040: 011c 0033 0702 0000 5460 5745 1614 573b …3…TWE..W; 0x0050: cd84 .. 2016-05-19 00:46:15.478525 IP (tos 0x0, ttl 47, id 25833, offset 0, flags [+], proto UDP (17), length 1500) ---.---.---.---.53 > 162.248.89.x.10001: 31740| 22/0/0 cpsc.gov. RRSIG[|domain] 0x0000: 4500 05dc 64e9 2000 2f11 94f2 59d4 15a1 E...d.../...Y... 0x0010: a2f8 59c8 0035 2711 1007 b27d 7bfc 8380 ..Y..5'....}{... 0x0020: 0001 0016 0000 0000 0463 7073 6303 676f .........cpsc.go 0x0030: 7600 00ff 0001 c00c 002e 0001 0000 1b6a v..............j 0x0040: 011c 0030 0702 0000 5460 5745 1614 573b ...0....TWE..W;
0x0050: cd84 ..
2016-05-19 00:46:15.486140 IP (tos 0x0, ttl 47, id 25834, offset 0, flags [+], proto UDP (17), length 1500) —.—.—.—.53 > 162.248.89.x.10001: 31740| 22/0/0 cpsc.gov. RRSIG[|domain]
0x0000: 4500 05dc 64ea 2000 2f11 94f1 59d4 15a1 E…d…/…Y…
0x0010: a2f8 59c8 0035 2711 1007 7239 7bfc 8380 ..Y..5’…r9{…
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f …cpsc.go
0x0030: 7600 00ff 0001 c00c 002e 0001 0000 1b6a v…j
0x0040: 011c 0030 0702 0000 5460 5745 1614 573b …0…T`WE..W;
0x0050: cd84 ..
(The final octet of our customer’s IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is “200”.)