SANS Internet Storm Center
CSAM: ANY queries used in reflective DoS attack

Our reader Phillip sent in the following log excerpt:

15:53:34.329883 IP > 59.167.x.35.53: 9158+ [1au] ANY? (41)
15:53:34.331562 IP > 59.167.x.36.53: 9158+ [1au] ANY? (41)
15:53:34.331785 IP > 59.167.x.32.53: 9158+ [1au] ANY? (41)
15:53:34.332050 IP > 59.167.x.39.53: 9158+ [1au] ANY? (41)
15:58:56.288188 IP > 59.167.x.32.53: 17253+ [1au] A? (50)
15:59:23.345810 IP > 59.167.x.34.53: 28322+ [1au] A? (50)

There are a couple of indicators that these logs are "odd":

- ANY queries are unusual in normal DNS traffic. They are valid, but ordinary clients rarely send them; for a DoS attack they are attractive because they return every record for the name in one large response.
- the source port and the query ID don't change from one query to the next (a real resolver randomizes both).
- the queries arrive in a burst: all four ANY queries fall within about 2 ms.
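As an added example (not part of the diary), here is a small Python script that applies these three indicators to tcpdump-style query logs. The log lines in it are constructed: the diary's excerpt has the source address stripped, so a hypothetical spoofed victim 203.0.113.7, hypothetical reflectors in 192.0.2.0/24 and the made-up name example.test are used, and the burst thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the diary's tcpdump excerpt, with the
# (stripped) source IP:port restored with made-up values. 203.0.113.7 is
# the hypothetical spoofed victim; 192.0.2.x are the hypothetical reflectors.
SAMPLE_LOG = """\
15:53:34.329883 IP 203.0.113.7.53 > 192.0.2.35.53: 9158+ [1au] ANY? example.test. (41)
15:53:34.331562 IP 203.0.113.7.53 > 192.0.2.36.53: 9158+ [1au] ANY? example.test. (41)
15:53:34.331785 IP 203.0.113.7.53 > 192.0.2.32.53: 9158+ [1au] ANY? example.test. (41)
15:53:34.332050 IP 203.0.113.7.53 > 192.0.2.39.53: 9158+ [1au] ANY? example.test. (41)
15:58:56.288188 IP 203.0.113.7.53 > 192.0.2.32.53: 17253+ [1au] A? example.test. (50)
15:59:23.345810 IP 198.51.100.9.41337 > 192.0.2.34.53: 28322+ [1au] A? www.example.test. (50)
"""

# tcpdump -n DNS query line: time IP src.port > dst.port: id[+] [Nau] TYPE? name (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<qid>\d+)\+?\s*(?:\[\d+au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$"
)


def parse_queries(log):
    """Parse tcpdump-style DNS query lines into dicts; skip anything else."""
    queries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = m.groupdict()
        q["ts"] = datetime.strptime(q["ts"], "%H:%M:%S.%f")
        for key in ("sport", "dport", "qid", "size"):
            q[key] = int(q[key])
        queries.append(q)
    return queries


def find_indicators(queries, burst_window=timedelta(milliseconds=100), burst_min=3):
    """Map each source address to the set of reflection indicators it shows:
    'any-query'        : sent at least one QTYPE=ANY query
    'static-sport-qid' : reused one (source port, query ID) pair against
                         more than one server; a resolver randomizes both
    'burst'            : sent burst_min or more queries within burst_window
    Thresholds are illustrative, not taken from the diary."""
    findings = defaultdict(set)
    by_src = defaultdict(list)
    for q in queries:
        by_src[q["src"]].append(q)
        if q["qtype"] == "ANY":
            findings[q["src"]].add("any-query")
    for src, qs in by_src.items():
        targets = defaultdict(set)
        for q in qs:
            targets[(q["sport"], q["qid"])].add(q["dst"])
        if any(len(dsts) > 1 for dsts in targets.values()):
            findings[src].add("static-sport-qid")
        times = sorted(q["ts"] for q in qs)
        for i in range(len(times) - burst_min + 1):
            if times[i + burst_min - 1] - times[i] <= burst_window:
                findings[src].add("burst")
                break
    return dict(findings)


def amplification(query_bytes, response_bytes):
    """DNS payload amplification factor; the diary's case is 3992 / 41."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    for src, tags in find_indicators(parse_queries(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(sorted(tags))}")
    print(f"amplification of the diary's ANY response: {amplification(41, 3992):.1f}x")
```

Run against the constructed sample, only 203.0.113.7 trips all three indicators; the single A query from 198.51.100.9 with a random-looking high source port is left alone, which is the behaviour you want before turning this loose on an authoritative server's query log.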

The main "feature" of the queried domain becomes obvious if you look at the size of the response:

$ dig ANY
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.5-P1 <<>> ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39771
;; flags: qr rd ra; QUERY: 1, ANSWER: 244, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
   3589 IN SOA 2012292301 28800 86400 3600000 86400
   1789 IN A
   1789 IN A
...
   1789 IN A
   1789 IN A
   1789 IN NS
;; Query time: 7 msec
;; WHEN: Tue Oct 08 17:09:00 EDT 2013
;; MSG SIZE  rcvd: 3992

I removed most of the "A" record responses. There are a total of 243 if I counted right (the 244th answer is the SOA record). The response is 3992 bytes, almost 100 times the size of the 41-byte query. You also see at the top how dig indicates that it had to fall back to TCP: the server set the TC (truncated) bit because the full answer did not fit in the UDP response size it was allowed to use. An attacker does not need that fallback. With EDNS0 the client advertises a larger UDP buffer in an OPT record, typically 4096 bytes, and the server then sends the whole response over UDP to whatever source address the query claimed. The "[1au]" in the tcpdump lines above shows exactly that: each query carries one additional record, which in a query is the EDNS0 OPT record.
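To make the EDNS0 point concrete, here is an added example (not the diary's code) that builds a DNS ANY query with and without an OPT record, reads back the UDP payload size a server may use, and makes dig's "retry over TCP" decision from a response header. The name example.test and the two response headers are constructed; as it happens, an ANY query for that name with an OPT record is exactly 41 bytes, the same size as the queries in Phillip's log.

```python
import struct

QTYPE_A, QTYPE_ANY, TYPE_OPT = 1, 255, 41
CLASSIC_UDP_LIMIT = 512  # max DNS/UDP payload without EDNS0 (RFC 1035)


def encode_name(name):
    """Wire-format domain name: length-prefixed labels plus root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, qid, edns_udp_size=None):
    """Standard recursive query; with edns_udp_size, append an EDNS0 OPT RR
    advertising that UDP payload size (dig's default is 4096)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(name) + struct.pack(">HH", qtype, 1)    # class IN
    packet = header + question
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE=41, CLASS field carries the UDP
        # payload size, TTL carries ext-RCODE/version/flags (all 0), no RDATA
        packet += b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return packet


def skip_name(data, offset):
    """Return the offset just past an uncompressed name starting at offset."""
    while data[offset] != 0:
        offset += 1 + data[offset]
    return offset + 1


def advertised_udp_size(query):
    """UDP payload size a server may use for the reply: the OPT RR's class
    field if the query carries EDNS0, otherwise the classic 512-byte limit."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass = struct.unpack(">HH", query[off:off + 4])
        if rtype == TYPE_OPT:
            return rclass
        rdlength = struct.unpack(">H", query[off + 8:off + 10])[0]
        off += 4 + 4 + 2 + rdlength              # type/class, TTL, rdlength, rdata
    return CLASSIC_UDP_LIMIT


def fits_in_udp(query, response_size):
    """Can a response of response_size bytes go back in one UDP datagram?"""
    return response_size <= advertised_udp_size(query)


def needs_tcp_retry(response):
    """dig's 'Truncated, retrying in TCP mode' decision: the TC bit in flags."""
    flags = struct.unpack(">H", response[2:4])[0]
    return bool(flags & 0x0200)


# Constructed response headers (only the 12-byte header matters here):
# QR|RD|RA with TC set (0x8380) and without TC (0x8180), 244 answers.
TRUNCATED_HDR = struct.pack(">HHHHHH", 39771, 0x8380, 1, 0, 0, 0)
COMPLETE_HDR = struct.pack(">HHHHHH", 39771, 0x8180, 1, 244, 1, 1)

if __name__ == "__main__":
    plain = build_query("example.test", QTYPE_ANY, 9158)
    edns = build_query("example.test", QTYPE_ANY, 9158, edns_udp_size=4096)
    print(len(plain), len(edns))                               # 30 41
    print(fits_in_udp(plain, 3992), fits_in_udp(edns, 3992))  # False True
    print(needs_tcp_retry(TRUNCATED_HDR), needs_tcp_retry(COMPLETE_HDR))  # True False
```

The 11 extra bytes of the OPT record are what turn a 3992-byte answer from "truncated, come back over TCP" into a single UDP datagram aimed at the spoofed source, which is why every query in the log carries it.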

The domain appears to be set up just to act as a source of large DNS responses to be used in DoS attacks.

The second record no longer resolves. I can only assume that it was used similarly. The "ANY" query is not needed for a name like this one with that many A records. Just an A query, like the last two in Phillip's log, will result in a huge answer.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute



Oct 8th 2013
