I have had the same issue for some weeks.
The problem is that the customer does not understand the problem. So if Netgear has solved the problem in a new firmware, the customer should update it, but does he know how to do this???
What can you do to limit this stupid traffic:
- rate limit the queries per customer (not really a good idea)
- rate limit this special kind of query (that's the best way at the moment)
I haven't had the time to look into the packets to limit these queries. If they are all similar you can set up a drop filter in iptables like you should already have for the isc.org ANY requests. -> Problem not really solved, but you should be happy with this :-)
the rule should be:
$IPTABLES -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
$IPTABLES -I INPUT -p udp --dport 53 -m string --from 47 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 600 --hitcount 3 -j DROP
but what's the hex string for this kind of query? Anybody got it?
Kind regards
sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrichter@sasag.ch 052 633 01 71
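As an added illustration (not code from the list posting above), the following Python builds the DNS wire-format question section for a given name and type and prints it in the `|..|` hex notation that the iptables string match above expects, so a rate-limit rule for the repeated A queries can be written without guessing the bytes. The hostname and the transaction id in the sample query are taken from the thread or constructed; `|0000FF0001|` from the posted ANY rule is reproduced by the same encoder as a cross-check.

```python
import struct

# Query types and the IN class as defined in RFC 1035 (ANY is type 255).
QTYPE = {"A": 1, "CNAME": 5, "ANY": 255}
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a DNS name in wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def question_section(name: str, qtype: str = "A") -> bytes:
    """QNAME followed by QTYPE and QCLASS, both big-endian 16-bit."""
    return encode_qname(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)


def iptables_hex_string(data: bytes) -> str:
    """Render bytes as the |HEX| notation accepted by `-m string --hex-string`."""
    return "|" + data.hex().upper() + "|"


def build_query(txid: int, name: str, qtype: str = "A") -> bytes:
    """A minimal DNS query payload: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + question_section(name, qtype)


def question_offset(payload: bytes, pattern: bytes) -> int:
    """Offset of the question pattern inside a DNS payload, or -1 if absent."""
    return payload.find(pattern)


if __name__ == "__main__":
    # Hostname from the thread; the transaction id is a constructed sample value.
    pattern = question_section("time-g.netgear.com", "A")
    print("hex-string for A time-g.netgear.com:", iptables_hex_string(pattern))
    print("suffix of any ANY query:", iptables_hex_string(question_section("isc.org", "ANY")[-5:]))
    print("question starts at DNS offset:", question_offset(build_query(0x1234, "time-g.netgear.com"), pattern))
```

Two caveats when turning the printed string into a rule: the string match compares bytes literally, so a client that sends the name in a different letter case is only caught with `--icase` (or by matching on the trailing `|00 0001 0001|` plus a shorter label sequence), and the question section begins 12 bytes into the DNS payload, after the IPv4 (20) and UDP (8) headers, so the `--from` offset has to be chosen relative to where the string match begins scanning the packet.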
________________________________________
From: swinog-bounces@lists.swinog.ch [swinog-bounces@lists.swinog.ch] on behalf of Benoit Panizzon [benoit.panizzon@imp.ch]
Sent: Friday, 24 May 2013 12:03
To: swinog@swinog.ch
Subject: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Heyo!
Any others who are being affected?
It looks like our customers' Netgear routers (known ones: WNR3500Lv2, WNDR4500) are asking our DNS server for the A record of: time-g.netgear.com or time-a.netgear.com
Instead of an A record reply, they get a CNAME as answer, with the A record of that CNAME as additional information. That is what Netgear has published on their DNS servers.
Those routers are not happy with that reply and just start sending several hundred requests per second for A time-g.netgear.com, resulting in considerable load and traffic on our DNS caches. Some customers have already transferred 35GB of DNS traffic, only since today midnight.
I have contacted Netgear technical support. The issue is yet unknown to them. They got my pcap files to analyze :-)
Any others observing that behaviour of Netgear products? Any known remedies?
Kind regards
Benoit Panizzon -- I m p r o W a r e A G - ______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 07 CH-4133 Pratteln Fax +41 61 826 93 02 Schweiz Web http://www.imp.ch ______________________________________________________
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog