named outbound flood
Posted: 2014/03/29 00:40:25
Hi,
Has anyone had a lot of UDP outbound flood?
The flood traffic comes from the named daemon; the internal network asked to resolve random domains like this:
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'sokmsmygoig.www.55sf.com/A/IN': 115.29.162.32#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'vxedbsraw.www.55sf.com/A/IN': 190.115.23.89#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'ksmlnqvek.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'kripgnwxkpen.www.55sf.com/A/IN': 190.115.23.90#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'jqrod.www.55sf.com/A/IN': 190.115.23.91#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'gtup.liebiao.800fy.com/A/IN': 42.120.248.232#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'mzcpklslupspab.www.55sf.com/A/IN': 109.163.232.117#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'svgdexetolwb.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'iuunznsyi.www.55sf.com/A/IN': 115.29.162.32#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'etytkbwbmhghqj.d2.xrsgt.com/A/IN': 182.140.167.166#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'apcxavwdglqfcxad.www.55sf.com/A/IN': 109.163.232.117#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'nopdesthvwxym.www.55sf.com/A/IN': 23.234.40.147#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'srshmtohavwvinst.www.55sf.com/A/IN': 190.115.23.89#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'pwp.www.55sf.com/A/IN': 23.234.40.147#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'vfqytttbanzhmdz.d2.xrsgt.com/A/IN': 122.225.217.192#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qxyxivupajqxqj.www.55sf.com/A/IN': 190.115.23.91#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'gnkrehslabwjml.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'wkc.www.55sf.com/A/IN': 222.163.192.171#53
Mar 29 07:39:55 ns1smg named[1416]: client 111.68.31.194#46501: query: csosbifsz.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'wrwnozidizahwtkv.www.55sf.com/A/IN': 222.163.192.171#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'zxf.www.55sf.com/A/IN': 190.115.23.88#53
Mar 29 07:39:55 ns1smg named[1416]: client 49.128.180.66#51736: query: hhqjgmcgwdmqzrc.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'agzkxjbqkfx.www.55sf.com/A/IN': 190.115.23.88#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'kbihw.www.55sf.com/A/IN': 109.163.232.117#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'wkvtorzjjdbmxjh.www.55sf.com/A/IN': 14.17.65.214#53
Mar 29 07:39:55 ns1smg named[1416]: client 119.2.53.197#54280: query: aopdrsguvjkyz.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'nph.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'askmx.www.55sf.com/A/IN': 115.28.194.4#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'hrrsgvuqe.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qxatgxorkfmbwd.www.55sf.com/A/IN': 115.29.179.112#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qbijkpkhgdurmh.www.55sf.com/A/IN': 115.28.194.4#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qxlmrgohglsjakv.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'cwlpcsh.www.55sf.com/A/IN': 23.234.40.148#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'ydobrdwiyvc.www.55sf.com/A/IN': 203.195.191.43#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'qzwdanidgryj.www.55sf.com/A/IN': 190.115.23.91#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'eojwyyo.www.55sf.com/A/IN': 222.163.192.171#53
Mar 29 07:39:55 ns1smg named[1416]: client 119.2.53.70#42687: query: ixmjh.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg rsyslogd-2177: imuxsock begins to drop messages from pid 1416 due to rate-limiting
How can we block or limit this?
Looking forward to everyone's suggestions.
Thanks.
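An added triage example, not part of the original post: it parses named syslog lines in the format shown above, groups each queried name under its parent (the name minus its leftmost label), and reports parents that collect many distinct one-off child labels, along with the clients that sent those queries. The function names and the `min_labels` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Lines 1-7 and 9 are copied from the log in the post; line 8 is a constructed
# benign query (documentation addresses) added for contrast.
SAMPLE_LOG = """\
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'sokmsmygoig.www.55sf.com/A/IN': 115.29.162.32#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'vxedbsraw.www.55sf.com/A/IN': 190.115.23.89#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'gtup.liebiao.800fy.com/A/IN': 42.120.248.232#53
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'etytkbwbmhghqj.d2.xrsgt.com/A/IN': 182.140.167.166#53
Mar 29 07:39:55 ns1smg named[1416]: client 111.68.31.194#46501: query: csosbifsz.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: client 49.128.180.66#51736: query: hhqjgmcgwdmqzrc.www.55sf.com IN A + (103.247.122.202)
Mar 29 07:39:55 ns1smg named[1416]: error (operation canceled) resolving 'vfqytttbanzhmdz.d2.xrsgt.com/A/IN': 122.225.217.192#53
Mar 29 07:39:55 ns1smg named[1416]: client 192.0.2.10#40000: query: www.example.org IN A + (192.0.2.53)
Mar 29 07:39:55 ns1smg rsyslogd-2177: imuxsock begins to drop messages from pid 1416 due to rate-limiting
""".splitlines()

RESOLVE = re.compile(r"resolving '([^'/]+)/\w+/IN'")       # failed upstream lookups
QUERY = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")  # incoming client queries

def summarize(lines):
    """Map each parent name to the distinct child labels and clients seen under it."""
    zones = defaultdict(lambda: {"labels": set(), "clients": set()})
    for line in lines:
        client, name = None, None
        m = QUERY.search(line)
        if m:
            client, name = m.group(1), m.group(2)
        else:
            m = RESOLVE.search(line)
            if m:
                name = m.group(1)
        if not name:
            continue  # not a named query/resolve line (e.g. rsyslogd notice)
        name = name.lower().rstrip(".")
        if "." not in name:
            continue
        label, parent = name.split(".", 1)
        zones[parent]["labels"].add(label)
        if client:
            zones[parent]["clients"].add(client)
    return zones

def suspects(lines, min_labels=3):
    """Parents with many distinct one-off child labels, most labels first."""
    out = [(p, len(z["labels"]), sorted(z["clients"]))
           for p, z in summarize(lines).items() if len(z["labels"]) >= min_labels]
    return sorted(out, key=lambda r: -r[1])

if __name__ == "__main__":
    for parent, n, clients in suspects(SAMPLE_LOG):
        print(f"{parent}: {n} distinct labels, clients: {', '.join(clients) or '-'}")
```

On a full log the threshold should be set well above what a normal parent name accumulates in the same time window; the value 3 only suits the short sample.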