<div dir="ltr">See below <div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 6, 2014 at 3:34 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, 2014-10-06 at 12:03 -0400, Chuck Payne wrote:<br>
<br>
<br>
> Guys,<br>
><br>
><br>
> I am under attack where my dns server is being used to do a ddos<br>
> attack. I believe it's a botnet, because the IPs are too random. I<br>
> don't think the domain I am seeing in my bind log is real<br>
<br>
> fkfkfkfz.guru<br>
<br>
> 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query:<br>
> fkfkfkfz.guru IN ANY +E (50.192.59.225)<br>
> 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)<br>
> 'fkfkfkfz.guru/ANY/IN' denied<br>
<br>
Ok... It looks like the request was denied. What's the problem?<br>
<br>
It looks like someone was attempting to use your server in a DNS<br>
reflection attack. That's a resource amplification attack where they<br>
send you a small request "IN ANY for fkfkfkfz.guru" for which a huge<br>
response will be delivered and cached by your name server and returned<br>
back to the (spoofed) client. The fact that it's a recursive "query"<br>
and not a response is a dead giveaway that YOU are not under attack but<br>
these fools are trying to use you as a tool to attack others. The query<br>
packets may be frequent but they are very small.<br>
<br></blockquote><div><br></div><div>I was, until I turned off queries. Try to look up </div><div><br></div><div><a href="http://www.magidesign.com">www.magidesign.com</a> </div><div><br></div><div>You can't get an answer, because the DNS server that is supposed to give the answer is turned off. That's my main problem: I need to have my primary server on so that it can answer the world. </div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED<br>
> response to 92.222.9.0/24<br>
<br>
><br>
> I have turned on recursion, but now people can't find my domains any<br>
> more.<br>
<br>
This is exactly what you do NOT want to do. That opens up a window<br>
where they can exploit your name server to attack others!<br></blockquote><div><br></div><div>So how do I get it where people can find me, without paying NetSol or GoDaddy? </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
> I have also tried to limit the rate as well<br>
<br>
Which will have no impact on the rate of the incoming packets. The<br>
refusal to recurse is sufficient and turning on recursion will open you<br>
up to more traffic as scanners (and these could have been scanners)<br>
detect that you can recurse for them and they can exploit you.<br>
<br>
1) Do NOT use the same name server for your recursive caching name<br>
servers as your authoritative name servers! Yes, you can, but it's a<br>
very bad practice for this very reason.<br>
<br>
2) Do NOT allow recursion on your authoritative name servers! They<br>
serve up your zones to others, they don't need to look up other zones<br>
for others.<br>
<br>
3) Do NOT allow external access to your recursive name servers! Your<br>
recursive name servers are there to serve your internal systems (and<br>
should be behind your firewall) and NOT to serve requests for external<br>
systems.<br>
<br>
> rate-limit {<br>
> responses-per-second 25;<br>
> window 5;<br>
> };<br>
<br>
Useless. Has no effect on the rate the packets are received at and you<br>
(were) rejecting the queries. You really can do no better unless you<br>
have BGP flood mitigation facilities in place and I don't think you're<br>
operating on that level.<br>
><br>
><br>
> I am running Debian and openSUSE.<br>
><br>
><br>
> Anything I can do to stop them and make it so people can find my<br>
> domains? I don't want to have to pay for something I can do and have<br>
> control over.<br>
<br>
Yeah, separate your recursive caching name services from your<br>
non-recursive authoritative services.<br>
<br>
You can do this internally behind a NAT device on a single IP by<br>
keeping your recursive cachers on a private address behind your NAT<br>
(they'll NAT over to the external name servers) and only allowing your<br>
authoritative name server on your public NAT. Or, better, use a free<br>
service like Hurricane Electric for your authoritative name servers (if<br>
you're on a single IP and that's your only nameserver - you're a fool -<br>
best practices dictate a minimum of 3 on diverse networks). I have no<br>
less than 8 authoritative name servers for WittsEnd.com (that are<br>
publicly available), 5 of which are the (free) ns?.<a href="http://he.net" target="_blank">he.net</a> name servers<br>
which slave off of <a href="http://ns1.wittsend.com" target="_blank">ns1.wittsend.com</a> and <a href="http://ns2.wittsend.com" target="_blank">ns2.wittsend.com</a> (neither of<br>
which are the "masters" and the true masters are NOT reachable from the<br>
Internet).<br>
<br>
I've written a number of articles and done presentations on this subject<br>
over the years. You might want to review the following...<br>
<br>
<a href="http://www.wittsend.com/mhw/2011/RobustDNS.odt" target="_blank">http://www.wittsend.com/mhw/2011/RobustDNS.odt</a><br>
<a href="http://www.wittsend.com/mhw/2011/RobustDNS.odp" target="_blank">http://www.wittsend.com/mhw/2011/RobustDNS.odp</a></blockquote><div><br></div><div><br></div><div>I will take a look. Thanks. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
> --<br>
> Terror PUP a.k.a<br>
> Chuck "PUP" Payne<br>
><br>
> <a href="tel:678%20636%209678" value="+16786369678">678 636 9678</a><br>
<br>
Regards,<br>
Mike<br>
<span class="HOEnZb"><font color="#888888">--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br>
</font></span><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Terror PUP a.k.a<br>Chuck "PUP" Payne<br> <br>678 636 9678<br>-----------------------------------------<br>Discover it! Enjoy it! Share it! openSUSE Linux.<br>-----------------------------------------<br>openSUSE -- Terrorpup<br>openSUSE Ambassador/openSUSE Member<br>skype,twitter,identica,friendfeed -- terrorpup<br>freenode(irc) --terrorpup/lupinstein<br>Register Linux Userid: 155363<br> <br>Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute, or create your own Linux distro. Give SUSE Studio a try.<br><br></div>
</div></div>
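The thread turns on one question: is the server refusing to recurse for outsiders (healthy, and what the quoted "denied" lines show), or has recursion been switched on so that it now answers the ANY queries and acts as a reflector? The script below is an added example for this thread, not code from either poster and not BIND's own tooling. It reads query-log lines in the format quoted above, counts per client the recursion-desired ANY queries for names outside your own zones, counts how many of those BIND refused, and lists any client whose suspicious queries were not all refused. The sample log is constructed from the lines in the thread; the 198.51.100.7 and 203.0.113.9 addresses are documentation-range placeholders, and the zone list passed to `analyse()` is an assumption.

```python
"""Spot reflection-style ANY queries in a BIND 9 query log.

Added example for this thread: it is not BIND's own tooling and not code from
either poster. It assumes the BIND 9 'queries' category format quoted in the
thread:
    <date> <time> client <ip>#<port>: query: <name> IN <type> <flags> (<local-ip>)
where a leading '+' in <flags> means the client set the recursion-desired bit,
plus the "query (cache) '<name>/<type>/IN' denied" line BIND logs when it
refuses to recurse for that client.
"""
import re
from collections import defaultdict

# Constructed sample log modelled on the lines quoted in the thread. The client
# 92.222.9.179, the server address 50.192.59.225 and fkfkfkfz.guru come from the
# thread; 198.51.100.7 and 203.0.113.9 are documentation-range placeholders.
# The last client's query has no matching 'denied' line, which is what you would
# see if recursion had been turned on for the world.
SAMPLE_LOG = """\
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:29.010 client 92.222.9.179#49644: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:29.010 client 92.222.9.179#49644: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:30.500 client 198.51.100.7#53211: query: www.magidesign.com IN A -E (50.192.59.225)
06-Oct-2014 11:23:31.200 client 203.0.113.9#40001: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)
DENIED_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/IN' denied"
)


def in_zone(qname, zones):
    """True when qname is at or below a zone this server is authoritative for."""
    q = qname.rstrip(".").lower()
    for zone in zones:
        z = zone.rstrip(".").lower()
        if q == z or q.endswith("." + z):
            return True
    return False


def analyse(log_text, authoritative_zones):
    """Per-client counts of reflection-shaped queries and of BIND refusals.

    A query is 'suspicious' when it asks for type ANY, has recursion desired
    set, and names something outside our own zones: the shape described in
    the thread. 'denied' counts the matching refusals, the healthy outcome.
    """
    stats = defaultdict(lambda: {"suspicious": 0, "denied": 0, "names": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            recursion_desired = m["flags"].startswith("+")
            if (m["qtype"].upper() == "ANY" and recursion_desired
                    and not in_zone(m["qname"], authoritative_zones)):
                entry = stats[m["client"]]
                entry["suspicious"] += 1
                entry["names"].add(m["qname"].rstrip(".").lower())
            continue
        m = DENIED_RE.search(line)
        if (m and m["qtype"].upper() == "ANY"
                and not in_zone(m["qname"], authoritative_zones)):
            stats[m["client"]]["denied"] += 1
    return dict(stats)


def still_reflecting(stats):
    """Clients with suspicious queries that were not all refused.

    A non-empty result means the server is recursing for outsiders, i.e. it is
    usable as a reflector; the fix is to keep recursion off on the
    authoritative server and serve recursion only to internal clients, not to
    rate-limit responses.
    """
    return sorted(c for c, s in stats.items() if s["suspicious"] > s["denied"])


if __name__ == "__main__":
    # Zone list is an assumption; the domain name is the one from the thread.
    result = analyse(SAMPLE_LOG, ["magidesign.com"])
    for client, entry in sorted(result.items()):
        print(f"{client}: {entry['suspicious']} ANY+RD off-zone queries, "
              f"{entry['denied']} refused, names={sorted(entry['names'])}")
    print("still reflecting for:", still_reflecting(result) or "nobody")
```

Run it against a real query log by replacing `SAMPLE_LOG` with the file contents and the zone list with the zones the server is actually authoritative for. Queries for your own zones are ignored on purpose: an authoritative server must answer those for anyone, so they are not evidence of abuse. The interesting number is the gap between "suspicious" and "refused"; on a correctly configured authoritative-only server it is zero for every client, however many packets arrive.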