[outages] EasyDNS issues?
Lyle Giese
lyle at lcrcomputer.net
Sat Oct 27 10:05:13 EDT 2012
On 10/27/12 08:43, Jeremy Chadwick wrote:
> I know EasyDNS is anycasted, so some of this troubleshooting work
> doesn't narrow things down, but something is indeed going on.
>
> Issue started roughly 2012/10/27 at 06:25 Pacific.
>
> I'm guessing a DoS attack but that's speculative.
>
>
> $ dig ns dslreports.com.
>
> ;; QUESTION SECTION:
> ;dslreports.com. IN NS
>
> ;; ANSWER SECTION:
> dslreports.com. 1200 IN NS dns3.easydns.org.
> dslreports.com. 1200 IN NS dns2.easydns.net.
> dslreports.com. 1200 IN NS dns1.easydns.com.
>
> ;; ADDITIONAL SECTION:
> dns1.easydns.com. 7321 IN A 64.68.192.210
> dns1.easydns.com. 172734 IN AAAA 2001:1838:f001::10
> dns2.easydns.net. 157640 IN A 72.52.2.1
> dns3.easydns.org. 468 IN A 64.68.195.10
> dns3.easydns.org. 72510 IN AAAA 2620:49:a::10
>
>
> $ dig @ns1.easydns.com a www.dslreports.com.
>
> ;; connection timed out; no servers could be reached
>
> $ host ns1.easydns.com
> ns1.easydns.com has address 64.68.192.210
>
>
> $ dig @dns2.easydns.net a www.dslreports.com.
>
> ;; QUESTION SECTION:
> ;www.dslreports.com. IN A
>
> ;; ANSWER SECTION:
> www.dslreports.com. 1200 IN A 209.123.109.175
>
> $ host dns2.easydns.net
> dns2.easydns.net has address 72.52.2.1
>
>
> $ dig @dns3.easydns.org a www.dslreports.com.
>
> ; <<>> DiG 9.8.3-P4 <<>> @dns3.easydns.org a www.dslreports.com.
> ; (2 servers found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> $ host dns3.easydns.org
> dns3.easydns.org has address 64.68.195.10
> dns3.easydns.org has IPv6 address 2620:49:a::10
>
> $ mtr 64.68.192.210
> Packets Pings
> Host Loss% Snt Rcv Last Avg Best Wrst
> 1. gw.home.lan 0.0% 18 18 0.3 0.3 0.3 0.4
> 2. c-67-180-84-1.hsd1.ca.comcast.net 0.0% 18 18 25.4 24.4 12.7 31.2
> 3. te-0-0-0-12-ur05.santaclara.ca.sfba.comcast 0.0% 18 18 10.8 10.6 8.8 25.5
> 4. te-1-1-0-2-ar01.sfsutro.ca.sfba.comcast.net 0.0% 17 17 21.4 16.7 12.7 22.3
> 5. he-1-7-0-0-cr01.sanjose.ca.ibone.comcast.ne 0.0% 17 17 23.8 19.9 13.9 24.7
> 6. pos-0-12-0-0-cr01.denver.co.ibone.comcast.n 0.0% 17 17 53.9 56.0 53.7 57.7
> 7. 68.86.89.41 0.0% 17 17 88.5 84.0 78.2 90.8
> 8. be-10-pe03.350ecermak.il.ibone.comcast.net 0.0% 17 17 80.2 80.2 77.8 93.7
> 9. 173.167.57.126 0.0% 17 17 82.4 80.7 79.1 84.0
> 10. ae1-50g.cr2.ord1.us.nlayer.net 0.0% 17 17 79.5 80.7 77.8 112.0
> 11. as23352.ae6-102.cr2.ord1.us.nlayer.net 0.0% 17 17 78.6 79.3 77.9 81.8
> 12. 44.po1.ar2.ord1.us.scnet.net 0.0% 17 17 84.1 82.6 77.8 121.6
> 13. ge0-50.aggr4302.ord2.us.scnet.net 68.8% 17 5 80.7 80.5 79.5 81.6
> 14. dns1.easydns.com 76.5% 17 4 77.8 78.6 77.8 79.7
>
>
> $ mtr 64.68.195.10
>
> Packets Pings
> Host Loss% Snt Rcv Last Avg Best Wrst
> 1. gw.home.lan 0.0% 22 22 0.3 0.3 0.2 0.4
> 2. c-67-180-84-1.hsd1.ca.comcast.net 0.0% 22 22 27.7 23.0 11.4 40.6
> 3. te-0-0-0-12-ur05.santaclara.ca.sfba.comcast 0.0% 22 22 9.4 9.9 8.5 10.7
> 4. 69.139.198.174 0.0% 22 22 15.4 16.6 11.5 22.6
> 5. he-1-8-0-0-cr01.sanjose.ca.ibone.comcast.ne 0.0% 22 22 22.4 19.5 13.1 39.1
> 6. pos-0-3-0-0-pe01.11greatoaks.ca.ibone.comca 0.0% 22 22 16.2 17.8 15.0 20.1
> 7. 208.178.58.13 0.0% 22 22 23.2 19.7 14.2 27.5
> 8. ae9-40G.scr4.SNV2.gblx.net 4.5% 22 21 28.7 26.0 15.8 64.1
> 9. po3-20G.ar5.DCA3.gblx.net 0.0% 21 21 82.2 87.4 81.5 150.8
> 10. packet-clearing-house.gigabitethernet9-3.ar 47.6% 21 11 89.5 91.1 89.1 99.3
> 11. 64.68.195.10 95.0% 21 1 261.8 261.8 261.8 261.8
>
From my DNS server logs, they are the subject of a DNS amplification
attack.
Oct 27 08:54:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
Oct 27 08:55:07 linux named[18188]: stop limiting error responses to 72.52.2.0/24
Oct 27 08:56:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
Oct 27 08:57:02 linux named[18188]: stop limiting error responses to 72.52.2.0/24
Oct 27 08:58:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
Oct 27 08:59:02 linux named[18188]: stop limiting error responses to 72.52.2.0/24
Oct 27 09:00:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
Timestamps are CDT. My DNS servers have been an 'innocent victim' for
about three weeks now and I installed the rate limit patches this
morning to bind 9.8.4 from http://www.redbarn.org/ratelimits
Lyle Giese
LCR Computer Services, Inc.
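The BIND response-rate-limiting messages Lyle quotes are the signal a defender gets from a reflection attack: named stops answering identical (here REFUSED) responses toward a /24 once they exceed the configured rate, because the "client" in that prefix is almost certainly a spoofed victim rather than a real resolver. The following script is an added example, not code from the post or from the RRL patch; it parses log lines in the quoted format, measures how often and for how long each prefix was limited, and checks whether any of the EasyDNS nameserver addresses from the quoted dig output fall inside a limited prefix. The log lines and nameserver table are constructed from the text of the page; the regex and the datetime handling are assumptions about the syslog layout shown.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the RRL messages quoted in the post, in syslog layout.
SAMPLE_LOG = """\
Oct 27 08:54:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
Oct 27 08:55:07 linux named[18188]: stop limiting error responses to 72.52.2.0/24
Oct 27 08:56:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
Oct 27 08:57:02 linux named[18188]: stop limiting error responses to 72.52.2.0/24
Oct 27 08:58:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
Oct 27 08:59:02 linux named[18188]: stop limiting error responses to 72.52.2.0/24
Oct 27 09:00:02 linux named[18188]: limit REFUSED responses to 72.52.2.0/24
"""

# Authoritative server addresses from the dig ADDITIONAL section quoted above.
NAMESERVERS = {
    "dns1.easydns.com": ["64.68.192.210", "2001:1838:f001::10"],
    "dns2.easydns.net": ["72.52.2.1"],
    "dns3.easydns.org": ["64.68.195.10", "2620:49:a::10"],
}

# Syslog timestamp has no year; strptime defaults it to 1900, which is fine
# for computing durations within one day of log.
SYSLOG_TS = "%b %d %H:%M:%S"

# "limit REFUSED responses to <prefix>" marks the start of limiting; the matching
# "stop limiting error responses to <prefix>" marks the end (REFUSED counts as an
# error response in RRL).
RRL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"(?P<action>limit|stop limiting) (?P<kind>\S+) responses to (?P<prefix>\S+)$"
)


def parse_rrl_events(text):
    """Return [(timestamp, action, kind, network), ...] for each RRL line."""
    events = []
    for line in text.splitlines():
        m = RRL_RE.match(line.strip())
        if not m:
            continue  # not an RRL message; ignore other named chatter
        ts = datetime.strptime(m["ts"], SYSLOG_TS)
        events.append((ts, m["action"], m["kind"], ipaddress.ip_network(m["prefix"])))
    return events


def summarize_rrl(text, nameservers):
    """Per limited prefix: number of limit episodes, seconds spent limited,
    whether limiting was still active at end of log, and which known
    nameservers live inside the prefix (the likely spoofed victim)."""
    summary = {}
    open_since = {}  # prefix -> timestamp of the currently open 'limit' episode
    for ts, action, kind, net in parse_rrl_events(text):
        key = str(net)
        entry = summary.setdefault(key, {
            "limit_events": 0, "limited_seconds": 0, "still_limited": False,
            "kinds": set(), "nameservers": []})
        if action == "limit":
            entry["limit_events"] += 1
            entry["kinds"].add(kind)
            open_since.setdefault(key, ts)  # a repeated 'limit' does not reset the clock
        elif key in open_since:
            entry["limited_seconds"] += int((ts - open_since.pop(key)).total_seconds())
    for key, entry in summary.items():
        net = ipaddress.ip_network(key)
        entry["still_limited"] = key in open_since
        entry["kinds"] = sorted(entry["kinds"])
        # ip_address(...) in net is False across IPv4/IPv6, so mixed tables are safe
        entry["nameservers"] = sorted(
            name for name, addrs in nameservers.items()
            if any(ipaddress.ip_address(a) in net for a in addrs))
    return summary


if __name__ == "__main__":
    for prefix, info in summarize_rrl(SAMPLE_LOG, NAMESERVERS).items():
        print(prefix, info)
```

On the quoted log this reports a single prefix, 72.52.2.0/24, limited four times for 185 seconds of closed episodes with limiting still active at 09:00:02, and maps it to dns2.easydns.net (72.52.2.1). That correlation is the practical value of the RRL messages: the prefix named in "limit ... responses to" is the address being spoofed, so it is the victim to notify, not a client to block.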