Unbound vs fast flux botnets?

I'm curious as to whether this is a DoS scenario for unbound:

looking at my requestlist, I see:

~# unbound-control dump_requestlist | egrep '(trassae95.com|kizilyagoda.com)'
14 AAAA IN ns1.trassae95.com. - iterator wait for (empty_list)
19 AAAA IN ns1.kizilyagoda.com. - iterator wait for (empty_list)
30 AAAA IN ns2.trassae95.com. - iterator wait for 200.65.141.192
37 AAAA IN ns2.kizilyagoda.com. - iterator wait for 201.172.22.103
44 AAAA IN ns3.trassae95.com. - iterator wait for (empty_list)
46 AAAA IN ns3.kizilyagoda.com. - iterator wait for (empty_list)
50 AAAA IN ns4.trassae95.com. - iterator wait for (empty_list)
52 AAAA IN ns4.kizilyagoda.com. - iterator wait for (empty_list)
102 A IN bihjgiajc.kizilyagoda.com. 24.987797 iterator wait for (empty_list)
105 A IN bcdbciidgb.kizilyagoda.com. 5.753630 iterator wait for 121.94.2.105
106 A IN bigggjhdaj.kizilyagoda.com. 36.242830 iterator wait for (empty_list)
107 A IN cefbhcbfej.kizilyagoda.com. 18.705449 iterator wait for (empty_list)
108 A IN cibdhgghee.trassae95.com. 46.999489 iterator wait for (empty_list)
153 MX IN bidfgcgcb.trassae95.com. 43.033308 iterator wait for (empty_list)
154 MX IN eijcecafg.kizilyagoda.com. 14.677905 iterator wait for (empty_list)
156 MX IN jiheheceb.kizilyagoda.com. 23.593555 iterator wait for (empty_list)
159 MX IN bafcebjjfd.trassae95.com. 56.225519 iterator wait for (empty_list)
160 MX IN bbjbhegbdd.trassae95.com. 6.782797 iterator wait for 201.173.217.27
161 MX IN beehifddij.trassae95.com. 32.657037 iterator wait for (empty_list)
163 MX IN chgeecgjei.trassae95.com. 42.891975 iterator wait for (empty_list)
164 MX IN chggafffeg.trassae95.com. 57.039805 iterator wait for (empty_list)
165 MX IN cibdhgghee.trassae95.com. 29.959160 iterator wait for (empty_list)
166 MX IN cjcfdgahdd.kizilyagoda.com. 42.532783 iterator wait for (empty_list)
167 MX IN dbibddegca.kizilyagoda.com. 24.534594 iterator wait for (empty_list)
168 MX IN ddidejiidj.trassae95.com. 17.606406 iterator wait for (empty_list)
169 MX IN dhcfgjahdg.trassae95.com. 14.205446 iterator wait for (empty_list)
210 AAAA IN dbjajadij.kizilyagoda.com. 18.589665 iterator wait for (empty_list)
211 AAAA IN effjgciba.kizilyagoda.com. 10.629990 iterator wait for 201.172.22.103
212 AAAA IN bcdbciidgb.kizilyagoda.com. 23.751077 iterator wait for (empty_list)
213 AAAA IN bcjgdedhgf.kizilyagoda.com. 49.471699 iterator wait for (empty_list)
227 ANY IN daebjfbif.trassae95.com. 37.545012 iterator wait for (empty_list)
228 ANY IN fggjjijag.trassae95.com. 1.158926 iterator wait for 76.17.135.60
229 ANY IN hehfbadjf.trassae95.com. 58.035129 iterator wait for (empty_list)
230 ANY IN jjfhbaadd.trassae95.com. 16.369137 iterator wait for (empty_list)
231 ANY IN dbcigchgee.kizilyagoda.com. 26.548473 iterator wait for (empty_list)
232 ANY IN deeehjifcg.trassae95.com. 56.486064 iterator wait for (empty_list)
233 ANY IN djdijbiabc.trassae95.com. 13.935859 iterator wait for (empty_list)
234 ANY IN ebhdhfbijh.kizilyagoda.com. 30.264298 iterator wait for (empty_list)
235 ANY IN ecciiidfib.trassae95.com. 47.413911 iterator wait for (empty_list)
236 ANY IN ecgbhaabic.trassae95.com. 8.157523 iterator wait for 200.65.141.192

looking at actual traffic shows:

10:40:49.888111 IP a.b.c.d.60389 > 121.94.2.105.53: 64660 MX? eccjahaace.kizilyagoda.com. (44)
10:40:49.889058 IP a.b.c.d.39768 > 201.172.22.103.53: 46921 AAAA? beafbbggag.kizilyagoda.com. (44)
10:40:49.938592 IP a.b.c.d.12451 > 201.172.22.103.53: 38084 MX? bcahcieedg.kizilyagoda.com. (44)
10:40:50.076585 IP e.f.g.h.33264 > n.s.n.s.53: 10782+ MX? eccjahaace.kizilyagoda.com. (44)
10:40:50.076743 IP a.b.c.d.4904 > 121.94.2.105.53: 48147 MX? eccjahaace.kizilyagoda.com. (44)
10:40:50.091747 IP a.b.c.d.34322 > 41.140.225.74.53: 33096 ANY? cbgdhefegh.kizilyagoda.com. (44)
10:40:50.145489 IP a.b.c.d.16663 > 200.65.141.192.53: 2701% AAAA? ns2.trassae95.com. (35)
10:40:50.146577 IP a.b.c.d.28988 > 41.140.225.74.53: 31688 ANY? dahgabajea.kizilyagoda.com. (44)
10:40:50.152974 IP a.b.c.d.38972 > 97.93.83.32.53: 39798% AAAA? ns2.kizilyagoda.com. (37)
10:40:50.191253 IP a.b.c.d.41846 > 201.172.22.103.53: 33606 MX? ceehjahebd.kizilyagoda.com. (44)
10:40:50.199559 IP a.b.c.d.21348 > 41.140.225.74.53: 16574 MX? jgbiehbdf.kizilyagoda.com. (43)
10:40:50.223359 IP a.b.c.d.52152 > 201.172.22.103.53: 52049 A? djjbafbifh.kizilyagoda.com. (44)
10:40:50.290392 IP a.b.c.d.63374 > 41.140.225.74.53: 3752 MX? daefiegdi.kizilyagoda.com. (43)
10:40:50.313030 IP a.b.c.d.30161 > 121.94.2.105.53: 56993 AAAA? daefiegdi.kizilyagoda.com. (43)
10:40:50.319424 IP a.b.c.d.6357 > 121.94.2.105.53: 14855 A? ehbdcdddh.kizilyagoda.com. (43)
10:40:50.381734 IP a.b.c.d.7965 > 200.65.141.192.53: 8121% AAAA? ns2.trassae95.com. (35)
10:40:50.441657 IP a.b.c.d.46522 > 192.41.162.30.53: 33130% [1au] AAAA? ns2.kizilyagoda.com. (48)
10:40:50.445861 IP a.b.c.d.61172 > 76.17.135.60.53: 29773 MX? bdbdiaicag.trassae95.com. (42)

5 minutes later, my requestlist looks like this:

~# unbound-control dump_requestlist | egrep '(trassae95.com|kizilyagoda.com)'
17 AAAA IN ns1.trassae95.com. - iterator wait for (empty_list)
31 AAAA IN ns2.trassae95.com. - iterator wait for 85.87.67.158
35 AAAA IN ns2.kizilyagoda.com. - iterator wait for 97.93.83.32
44 AAAA IN ns3.trassae95.com. - iterator wait for (empty_list)
52 AAAA IN ns4.trassae95.com. - iterator wait for (empty_list)
109 A IN chaiigdgij.kizilyagoda.com. 2.938054 iterator wait for 121.94.2.105
110 A IN dfgegjgheb.trassae95.com. 33.070671 iterator wait for (empty_list)
121 NS IN trassae95.com. 29.149289 iterator wait for (empty_list)
142 MX IN daefiegdi.kizilyagoda.com. 1.451479 iterator wait for 121.94.2.105
143 MX IN eajheadji.trassae95.com. 56.069476 iterator wait for (empty_list)
145 MX IN bfigbabiej.trassae95.com. 1.128736 iterator wait for 76.17.135.60
146 MX IN bicejjaaha.trassae95.com. 56.627532 iterator wait for (empty_list)
148 MX IN cgfahaehff.trassae95.com. 28.788023 iterator wait for (empty_list)
150 MX IN cgjghfbibg.kizilyagoda.com. 7.776240 iterator wait for 97.93.83.32
151 MX IN chifiabbga.trassae95.com. 74.762737 iterator wait for (empty_list)
152 MX IN cibdhgghee.trassae95.com. 49.946996 iterator wait for (empty_list)
153 MX IN ddcajcbbid.trassae95.com. 92.546959 iterator wait for (empty_list)
155 MX IN djhhifdfdf.trassae95.com. 51.565734 iterator wait for (empty_list)
171 AAAA IN ns2.trassae95.com. 171.901942 iterator wait for (empty_list)
172 AAAA IN ns2.kizilyagoda.com. 173.880025 iterator wait for 97.93.83.32
199 ANY IN bacfddaec.trassae95.com. 62.756320 iterator wait for (empty_list)
200 ANY IN bidfgcgcb.trassae95.com. 20.974421 iterator wait for (empty_list)
201 ANY IN fhhghbdgj.trassae95.com. 22.437517 iterator wait for (empty_list)
202 ANY IN fidhefgef.trassae95.com. 81.784578 iterator wait for (empty_list)
204 ANY IN iicghjjbh.trassae95.com. 80.217386 iterator wait for (empty_list)
205 ANY IN baciichfaf.trassae95.com. 97.818403 iterator wait for (empty_list)
206 ANY IN bcdhcbhdhd.trassae95.com. 36.057696 iterator wait for (empty_list)
207 ANY IN bdfjccbfid.trassae95.com. 83.410361 iterator wait for (empty_list)
208 ANY IN beigaechai.trassae95.com. 39.789720 iterator wait for (empty_list)
209 ANY IN bfjdaegcbh.trassae95.com. 70.373285 iterator wait for (empty_list)
210 ANY IN bggjedjgaj.trassae95.com. 83.499413 iterator wait for (empty_list)
211 ANY IN bhjefajcfh.trassae95.com. 59.355704 iterator wait for (empty_list)
212 ANY IN caggfacejc.trassae95.com. 12.913211 iterator wait for 85.87.67.158
213 ANY IN cccefhebda.trassae95.com. 87.274155 iterator wait for (empty_list)
214 ANY IN chcaicdbch.trassae95.com. 31.757918 iterator wait for (empty_list)
215 ANY IN cibddgcfcf.kizilyagoda.com. 3.366306 iterator wait for 41.140.225.74
216 ANY IN cibhijiebi.trassae95.com. 24.905496 iterator wait for (empty_list)
217 ANY IN ciejfeggcb.trassae95.com. 97.829665 iterator wait for (empty_list)
218 ANY IN cjecdegihh.trassae95.com. 80.917676 iterator wait for (empty_list)
219 ANY IN cjfecbjaic.kizilyagoda.com. 5.613406 iterator wait for 121.94.2.105
221 ANY IN dbbgceigfd.trassae95.com. 19.365606 iterator wait for (empty_list)
222 ANY IN ddhehjafii.trassae95.com. 10.641170 iterator wait for 85.87.67.158
223 ANY IN decachgfhe.trassae95.com. 26.143278 iterator wait for (empty_list)
224 ANY IN dhjcjijcgd.trassae95.com. 41.855551 iterator wait for (empty_list)
225 ANY IN diifjhdiff.trassae95.com. 86.451828 iterator wait for (empty_list)
226 ANY IN djefjhaadc.trassae95.com. 35.928452 iterator wait for (empty_list)
227 ANY IN ecfdabgfea.trassae95.com. 105.531254 iterator wait for (empty_list)

Could this (with enough zombies) explain a sudden rise in
waiting/dropped requests? Is there anything I can do to protect unbound
against this?

Kind regards,

Felix
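
A way to turn the grep above into a measurement, as an added example rather than code from the thread or from Unbound itself: parse `dump_requestlist` lines, aggregate pending queries per zone, and flag zones that show the pattern in the dumps (many distinct random-looking labels, most of them stalled on a name lookup and ageing for tens of seconds). The sample lines are constructed in the dump format; the thresholds, the two-label zone heuristic and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the `unbound-control dump_requestlist` line format, not real data.
SAMPLE = """\
14 AAAA IN ns1.trassae95.com. - iterator wait for (empty_list)
30 AAAA IN ns2.trassae95.com. - iterator wait for 200.65.141.192
102 A IN bihjgiajc.kizilyagoda.com. 24.987797 iterator wait for (empty_list)
153 MX IN bidfgcgcb.trassae95.com. 43.033308 iterator wait for (empty_list)
227 ANY IN daebjfbif.trassae95.com. 37.545012 iterator wait for (empty_list)
228 ANY IN fggjjijag.trassae95.com. 1.158926 iterator wait for 76.17.135.60
5 A IN www.example.com. 0.102331 iterator wait for 192.0.2.1
"""
# fields: id, qtype, IN, qname, age in seconds (or "-"), "iterator wait for", target
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<qtype>\S+)\s+IN\s+(?P<qname>\S+)\s+"
    r"(?P<age>-|[\d.]+)\s+iterator wait for\s+(?P<target>\S+)$"
)

def parse_requestlist(text):
    """Yield one dict per pending request; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["age"] = None if rec["age"] == "-" else float(rec["age"])
        # "(empty_list)" means the iterator has no server address to send to yet
        rec["stalled"] = rec["target"] == "(empty_list)"
        yield rec

def registered_domain(qname):
    """Crude: last two labels; enough for .com-style zones (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def summarize(text, min_pending=3, min_stalled=2, min_age=10.0):
    """Per-zone counts; flag zones with many stalled, ageing queries for distinct labels."""
    stats = defaultdict(lambda: {"pending": 0, "stalled": 0, "labels": set(), "max_age": 0.0})
    for rec in parse_requestlist(text):
        s = stats[registered_domain(rec["qname"])]
        s["pending"] += 1
        s["stalled"] += int(rec["stalled"])
        s["labels"].add(rec["qname"].split(".")[0])
        if rec["age"] is not None:
            s["max_age"] = max(s["max_age"], rec["age"])
    # thresholds are assumptions; tune against your resolver's normal baseline
    flagged = sorted(zone for zone, s in stats.items()
                     if s["pending"] >= min_pending and s["stalled"] >= min_stalled
                     and s["max_age"] >= min_age)
    return dict(stats), flagged
```

Run it over the real output (`unbound-control dump_requestlist`) on a schedule and alert when a zone appears in `flagged`; the per-zone `labels` set size is the signal that distinguishes random-hostname traffic from one slow zone being asked for the same few names.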

Offhand this looks like a real Kaminsky attack in the field!

Donald

* Donald Eastlake:

> Offhand this looks like a real Kaminsky attack in the field!

Such host names have been used in spam messages since 2004 or 2005,
perhaps even as a similar cache evasion technique.

Hi Felix,

> I'm curious as to whether this is a DoS scenario for unbound:
> 227 ANY IN ecfdabgfea.trassae95.com. 105.531254 iterator wait for (empty_list)

The empty_list output line is fixed in recent unbound releases, so if
you update, the output of dump_requestlist is neater (and shows what it
is really doing: wait for name lookup).

> Could this (with enough zombies) explain a sudden rise in
> waiting/dropped requests? Is there anything I can do to protect unbound
> against this?

Potentially. In the recent release a fix to protect against a rise in
waiting/dropped requests is also made. Then, new requests are favored and
old ones (older than the 'jostle timeout', 200msec) are dropped to make
space for them. The stuff from your greps is then looked up when there
is leisure time. The jostle-timeout feature has been present for a long
time, and should work fine also in older versions (for this particular
rise in request load).

Best regards,
   Wouter