Dear Sir or Madam,
We have received a spam/abuse notification. Please take the necessary
steps to prevent this from happening again in future.
Furthermore, we would request that you provide both ourselves and the
person who has submitted this complaint with a short statement within
24 hours. This statement should include details of the events leading
up to the incident and the steps you are taking to deal with it.
Next steps:
- Solve the problem
- Send your statement to us: Please use the following link for this: http://abuse.hetzner.de/statements/?token=XXXXXXXXXXXXX
- Send your statement to the person making the complaint per email
The details will then be checked by a colleague, who will coordinate
further proceedings. In the event of several complaints, this may
lead to the server being locked.
Important information:
When replying to us, please leave the Abuse ID [AbuseID:0B4B9D:15] in
the subject line unchanged.
Kind regards,
Sandra Betz
Hetzner Online AG
Stuttgarter Straße 1
91710 Gunzenhausen
Tel: + 49 (0)9831 610061
Fax: + 49 (0)9831 61006-2
abuse@hetzner.de
www.hetzner.com
Register Court: Registergericht Ansbach, HRB 3204
Management Board: Dipl. Ing. (FH) Martin Hetzner
Chairwoman of the Supervisory Board: Diana Rothhan
----- attachment -----
Dear Sir or Madam,
We have been informed by two external reliable sources that IP addresses
from your network range have been involved as open resolvers in two DDoS
attacks (DNS Reflection) over the past few weeks.
Please see the attachment to this message for the IP addresses of the
open DNS servers in your network range.
The IP addresses specified sent the response packets to the target IPs
93.198.233.135 or rather 95.143.82.27.
We have examined the circumstances on a random basis and we have been
able to verify them.
Would you please check the situation carefully and, if possible, take
appropriate counter-measures. Further information regarding this can be
found in the BSI publications "Secure Provisioning of DNS Services" [1]
and "Increase in DDoS attacks by DNS Reflection" [2].
[1] https://www.allianz-fuer-cybersicher...BSI-CS-055.pdf
[2] https://www.allianz-fuer-cybersicher...BSI-CS_042.pdf
The BSI (German Federal Office for Information Security) is not in the
position to examine all information on incidents of this kind in detail.
Therefore, no responsibility can be assumed for the accuracy of the
information made known to us.
The sharing of this information with you concludes our involvement in
this process. However, we would be grateful for feedback on measures
taken.
Disclaimer:
The disclosure of this data to you has been made to warn you against
malicious software according to § 7 Abs. 1 of the Federal Office for
Information Security Act (BSI Act). As the party affected by the
consequences of malware, the disclosure of information not constituting
personal data for the BSI (here Account Name) to you is hereafter permissible.
Kind regards
Team CERT-Bund
----- log file -----
Affected IP: XX.XX.XX.XX
They sent the message above. What exactly does it mean?
Hetzner DNS amplification attack
- 14-05-2013, 02:36:37 Awaiting identity verification or approval from the administration.
- 14-05-2013, 12:03:41 If the server runs cPanel, you can add the following lines to named.conf; this lets you prevent servers other than your own from making DNS queries through your server. In addition, I recommend checking the DNS servers in /etc/resolv.conf; you may be using an insecure DNS server, and you can use Google DNS.
Quote
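An added example, not part of the thread or of either e-mail: a small Python check that tells an open resolver from a closed one by the RA flag, RCODE and answer count in the DNS reply header, so the named.conf change can be verified afterwards. The function names, the fixed query ID and the two sample reply headers are constructed for illustration.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed query ID for this example; use a random one in practice

def build_query(name, qtype=1):
    """DNS query (RFC 1035) with RD=1, asking the server to recurse for us."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def classify(reply):
    """Judge a reply to a recursive query for a zone the server does not host."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != TXID or not flags & 0x8000:   # wrong ID or not a response
        return "malformed"
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    if rcode == 5:
        return "closed (REFUSED)"
    if ra and rcode == 0 and ancount > 0:   # recursed and answered a stranger
        return "open resolver"
    if not ra:
        return "closed (recursion not offered)"
    return "inconclusive"

def probe(server_ip, name="example.com", timeout=3.0):
    """Send one query to your own server; run from a host outside its ACLs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server_ip, 53))
            return classify(s.recv(4096))
        except OSError:                     # includes socket.timeout
            return "no answer (timeout or unreachable)"

# Constructed 12-byte reply headers, not captured traffic.
OPEN_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)     # QR RD RA, 1 answer
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)  # QR RD, RCODE 5

if __name__ == "__main__":
    print(classify(OPEN_REPLY), "|", classify(REFUSED_REPLY))
    if len(sys.argv) == 2:                  # optional: IP of your own server
        print(probe(sys.argv[1]))
```

Run the probe from a machine that is not on the server's own network, otherwise a correctly restricted resolver will still answer and look open.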