#1 - 02-18-2009 - Just Joined! (Join Date: Dec 2008, Posts: 19)
/var/log/messages question
Hi, I'm getting a pile of this :
Feb 18 09:06:35 vps named[19529]: client 62.109.4.89#658: view external: error sending response: host unreachable
Feb 18 09:10:25 vps named[19529]: client 62.109.4.89#290: view external: error sending response: host unreachable
Feb 18 09:11:27 vps named[19529]: client 62.109.4.89#442: view external: error sending response: host unreachable
Feb 18 09:13:29 vps named[19529]: client 62.109.4.89#696: view external: error sending response: host unreachable
Feb 18 09:13:33 vps named[19529]: client 62.109.4.89#463: view external: error sending response: host unreachable
I'm still learning how to read this log... can someone interpret what these messages mean? It looks to me like that IP address is trying to contact the named service, but when named tries to respond, the host is unreachable? Is that correct?
Could this be due to APF firewall blocking? I thought APF was stateful, so it should allow the return connection through?
Thanks
#2 - 02-18-2009 - Just Joined! (Join Date: Aug 2006, Posts: 5)
Do you have an email server installed on the machine? That might be trying to send mail and it's not going through. Just a guess.
#3 - 02-19-2009 - Just Joined! (Join Date: Feb 2009, Posts: 1)
Apparent attack going on.
There appears to currently be an attack going around, but your server is correctly denying it.
62.109.4.89 has been spamming my DNS server. Once I blocked it using iptables, it continued to try to access my server 10 times, with 5 seconds between each (see 17:36:47 below - last attack). 45 seconds later, it failed its 10th time. 2 seconds after that, I started getting hits from 195.68.176.4, which leads me to believe that they are a coordinated botnet or a few compromised hosts.
Well, after blocking:
62.109.4.89, and 195.68.176.4, inbound, protocol UDP, my logs have stopped filling.
So far so good.
Commands I issued:
sudo iptables -A INPUT --source 62.109.4.89 -p UDP -j DROP
sudo iptables -A INPUT --source 195.68.176.4 -p UDP -j DROP
My log output:
Feb 19 17:36:31 asdlkf named[12647]: client 62.109.4.89#26048: query (cache) './NS/IN' denied
Feb 19 17:36:33 asdlkf named[12647]: client 62.109.4.89#44366: query (cache) './NS/IN' denied
Feb 19 17:36:33 asdlkf named[12647]: client 62.109.4.89#27759: query (cache) './NS/IN' denied
Feb 19 17:36:35 asdlkf named[12647]: client 62.109.4.89#53520: query (cache) './NS/IN' denied
Feb 19 17:36:36 asdlkf named[12647]: client 62.109.4.89#59695: query (cache) './NS/IN' denied
Feb 19 17:36:37 asdlkf named[12647]: client 62.109.4.89#23130: query (cache) './NS/IN' denied
Feb 19 17:36:40 asdlkf named[12647]: client 62.109.4.89#48491: query (cache) './NS/IN' denied
Feb 19 17:36:40 asdlkf named[12647]: client 62.109.4.89#10510: query (cache) './NS/IN' denied
Feb 19 17:36:41 asdlkf named[12647]: client 62.109.4.89#20783: query (cache) './NS/IN' denied
Feb 19 17:36:43 asdlkf named[12647]: client 62.109.4.89#1683: query (cache) './NS/IN' denied
Feb 19 17:36:46 asdlkf named[12647]: client 62.109.4.89#36861: query (cache) './NS/IN' denied
Feb 19 17:36:46 asdlkf named[12647]: client 62.109.4.89#46596: query (cache) './NS/IN' denied
Feb 19 17:36:47 asdlkf named[12647]: client 62.109.4.89#16273: query (cache) './NS/IN' denied
Feb 19 17:37:34 asdlkf named[12647]: client 195.68.176.4#27299: query (cache) './NS/IN' denied
Feb 19 17:38:36 asdlkf named[12647]: client 195.68.176.4#31869: query (cache) './NS/IN' denied
Feb 19 17:39:39 asdlkf named[12647]: client 195.68.176.4#22828: query (cache) './NS/IN' denied
Feb 19 17:40:41 asdlkf named[12647]: client 195.68.176.4#40935: query (cache) './NS/IN' denied
Feb 19 17:41:44 asdlkf named[12647]: client 195.68.176.4#17454: query (cache) './NS/IN' denied
Feb 19 17:42:47 asdlkf named[12647]: client 195.68.176.4#3743: query (cache) './NS/IN' denied
Feb 19 17:43:49 asdlkf named[12647]: client 195.68.176.4#16822: query (cache) './NS/IN' denied
Feb 19 17:44:52 asdlkf named[12647]: client 195.68.176.4#12854: query (cache) './NS/IN' denied
Feb 19 17:45:55 asdlkf named[12647]: client 195.68.176.4#21735: query (cache) './NS/IN' denied
Feb 19 17:46:57 asdlkf named[12647]: client 195.68.176.4#41785: query (cache) './NS/IN' denied
Feb 19 17:48:00 asdlkf named[12647]: client 195.68.176.4#44439: query (cache) './NS/IN' denied
Feb 19 17:49:02 asdlkf named[12647]: client 195.68.176.4#48516: query (cache) './NS/IN' denied
Feb 19 17:50:05 asdlkf named[12647]: client 195.68.176.4#56097: query (cache) './NS/IN' denied
Feb 19 17:51:08 asdlkf named[12647]: client 195.68.176.4#19675: query (cache) './NS/IN' denied
<after 17:51:09 when I entered the 2nd IP tables command, no further related messages>
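The poster above read the log by eye and typed the iptables rules by hand. The script below, an added example that is not code from this thread, does the same job over BIND log lines of the two shapes shown in this thread: it parses each `named[...]: client ...` line, counts the "query (cache) './NS/IN' denied" and "error sending response: host unreachable" events per source in a sliding window, and prints a DROP rule for every source that crosses a threshold. The sample log lines, the hostname `ns1`, the RFC 5737 addresses, the year argument (syslog timestamps carry no year) and the threshold of 5 events in 60 seconds are all constructed assumptions for the example. The rule it emits is narrowed to UDP port 53 rather than the blanket UDP drop used above, so that if the source address is a real host, its other traffic is unaffected.

```python
"""Flag DNS clients that repeatedly trigger BIND 'denied' or 'host unreachable'
messages, and emit iptables rules for them.

Added example, not code from the thread. Sample log lines below are constructed
to match the format the posters show; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches both message shapes seen in this thread: the "query (cache) ... denied"
# lines and the "view external: error sending response: ..." lines.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"(?:view \S+: )?(?P<msg>.*)$"
)

# Messages that, repeated from one source, indicate the pattern discussed here.
SUSPICIOUS = {
    "query (cache) './NS/IN' denied",
    "error sending response: host unreachable",
}


def parse_line(line, year):
    """Return (timestamp, client_ip, message) for a named client log line, else None.
    syslog timestamps carry no year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["msg"]


def offenders(lines, year, threshold=5, window_seconds=60):
    """Map client IP -> peak number of suspicious events inside any
    window_seconds-long sliding window, for clients reaching threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed and parsed[2] in SUSPICIOUS:
            events[parsed[1]].append(parsed[0])
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it spans <= window_seconds.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def iptables_rules(flagged):
    """Rules in the style the poster used, narrowed to UDP/53 so other
    traffic from the address (if it is a real host) is not affected."""
    return [f"iptables -A INPUT -s {ip} -p udp --dport 53 -j DROP"
            for ip in sorted(flagged)]


# Constructed sample: one noisy source, one slow source, two unrelated lines.
SAMPLE_LOG = """\
Feb 19 17:36:31 ns1 named[12647]: client 203.0.113.9#26048: query (cache) './NS/IN' denied
Feb 19 17:36:33 ns1 named[12647]: client 203.0.113.9#44366: query (cache) './NS/IN' denied
Feb 19 17:36:35 ns1 named[12647]: client 203.0.113.9#53520: query (cache) './NS/IN' denied
Feb 19 17:36:36 ns1 named[12647]: client 203.0.113.9#59695: query (cache) './NS/IN' denied
Feb 19 17:36:40 ns1 named[12647]: client 203.0.113.9#48491: view external: error sending response: host unreachable
Feb 19 17:36:41 ns1 named[12647]: client 198.51.100.4#20783: query (cache) './NS/IN' denied
Feb 19 17:40:12 ns1 named[12647]: client 198.51.100.4#12854: query (cache) './NS/IN' denied
Feb 19 17:41:00 ns1 named[12647]: client 192.0.2.10#1234: query: www.example.com IN A + (192.0.2.1)
Feb 19 17:41:03 ns1 named[12647]: zone example.com/IN: loaded serial 2009021901
""".splitlines()


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG, year=2009)):
        print(rule)
```

Run it against a real file with `offenders(open("/var/log/messages"), year=...)`; lower the threshold or widen the window to catch the slow, once-a-minute pattern the second address shows above.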
#4 - 02-20-2009 - Just Joined! (Join Date: Feb 2009, Posts: 1)
62.109.4.89 has been attacking my DNS server, too, and I blocked it.
Feb 20 08:05:40 zxcasd named[3512]: client 62.109.4.89#183: view external: error sending response: host unreachable
Feb 20 08:05:42 zxcasd named[3512]: client 62.109.4.89#628: view external: error sending response: host unreachable
Feb 20 08:05:47 zxcasd named[3512]: client 62.109.4.89#106: view external: error sending response: host unreachable
Feb 20 08:06:08 zxcasd named[3512]: client 195.68.176.4#943: view external: error sending response: host unreachable
#5 - 03-06-2009 - Just Joined! (Join Date: Mar 2009, Posts: 1)
#6 - 03-06-2009 - Linux Guru (Join Date: Nov 2007, Posts: 1,695)
Have you considered that the source IP is forged?
Meaning that either A) the sender doesn't care about getting the response or B) the point of this is a reflection attack where all DNS servers that respond send data to the target address. This may be why the address *can't be reached* - its bandwidth is flooded.
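The reflection reading above explains why the query in the logs is `. NS`: the request is tiny and the answer, when a server is willing to give it, is much larger, so a spoofed request makes the reflector send the victim many times the bytes the attacker spent. The script below is an added example, not code from this thread; it builds the 17-byte root-NS query and a response carrying the 13 public root server names (with RFC 1035 label compression, a TTL chosen here, and no glue or EDNS, so real responses are larger still) and reports the size ratio. No network traffic is sent.

```python
"""Size of a root-NS query versus the answer it reflects.

Added example, not code from the thread. The response is constructed locally
from the 13 public root server names; no glue records, so it is a lower bound.
"""
import struct

ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]
TYPE_NS, CLASS_IN = 2, 1
ROOT_NS_TTL = 518400  # TTL chosen for the example


def encode_name(name, offsets, buf):
    """Append `name` to `buf` as DNS labels, using compression pointers
    (RFC 1035 4.1.4) for suffixes already present in `buf`."""
    labels = [] if name in ("", ".") else name.rstrip(".").split(".")
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            buf.extend(struct.pack("!H", 0xC000 | offsets[suffix]))
            return
        if len(buf) < 0x4000:          # pointers address only the first 16 KiB
            offsets[suffix] = len(buf)
        label = labels.pop(0).encode()
        buf.append(len(label))
        buf.extend(label)
    buf.append(0)                      # root label terminates the name


def build_query(qname, qtype, qid=0x1234):
    """Minimal DNS query: header (RD set, one question) + question section."""
    buf = bytearray(struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0))
    encode_name(qname, {}, buf)
    buf.extend(struct.pack("!HH", qtype, CLASS_IN))
    return bytes(buf)


def build_root_ns_response(query):
    """Answer `query` with the 13 root NS records and no additional section."""
    qid = struct.unpack("!H", query[:2])[0]
    # flags 0x8180: response, RD, RA; 1 question, 13 answers
    buf = bytearray(struct.pack("!HHHHHH", qid, 0x8180, 1, len(ROOT_SERVERS), 0, 0))
    offsets = {}
    encode_name(".", offsets, buf)                 # question name
    buf.extend(struct.pack("!HH", TYPE_NS, CLASS_IN))
    for server in ROOT_SERVERS:
        encode_name(".", offsets, buf)             # owner name of the RR
        buf.extend(struct.pack("!HHIH", TYPE_NS, CLASS_IN, ROOT_NS_TTL, 0))
        rdlen_at = len(buf) - 2                    # RDLENGTH, patched below
        start = len(buf)
        encode_name(server, offsets, buf)          # RDATA: the server name
        struct.pack_into("!H", buf, rdlen_at, len(buf) - start)
    return bytes(buf)


def amplification(qname="."):
    """Return (query_bytes, response_bytes, ratio) for a qname NS lookup."""
    query = build_query(qname, TYPE_NS)
    response = build_root_ns_response(query)
    return len(query), len(response), round(len(response) / len(query), 1)


if __name__ == "__main__":
    q, r, ratio = amplification()
    print(f"query {q} bytes, response {r} bytes, x{ratio}")
```

Because the reflector's own source address is the DNS server, the victim sees DNS replies from many servers at once, and a server whose reply cannot be delivered logs exactly the "error sending response: host unreachable" line the first poster asked about; refusing the query, as the servers in this thread do, keeps the reflected reply close to the size of the request.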