<div dir="ltr">Michael and Horkan, thank you. I am blocking the attack on my servers, and people are able to find me again. <div><br></div><div>I want to thank the list as well. I don't think people get enough thanks. I am very grateful. </div><div><br></div><div>PUP</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 6, 2014 at 5:13 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, 2014-10-06 at 15:59 -0400, Horkan Smith wrote:<br>
> I've also seen a setup where both internal and external DNS servers<br>
> are running on the same machine, but I'd have to dig out the config<br>
> options they used.<br>
<br>
</span>Once you are under attack, I have seen no convincing evidence of<br>
successful mitigation that falls short of simply separating the<br>
authoritative services from the recursive services on different (maybe<br>
just virtual) machines. I've helped some fortune 500 companies and a<br>
few petro/chemical companies mitigate such attacks over the last several<br>
years prior to my retirement.<br>
<br>
The complexity of the combined configuration, along with the chances of<br>
errors and inadvertent spoofing attacks (the big one), makes it really<br>
impractical once someone has you in their sights and they really want<br>
to make your life miserable.<br>
<br>
If you allow your public, authoritative nameserver to act as a recursor<br>
for your internal addresses and some attacker realizes this, he can<br>
spoof packets into your nameserver from your internal addresses to his<br>
heart's delight and hammer the bejesus out of your network and machines<br>
turning your own resources against you. I had to deal with several<br>
cases like this.<br>
<br>
I had one major (unnamed) international client who was being pummeled by<br>
this (their recursive caching name servers were on a publicly accessible<br>
colo site with recursion "restricted" to their internal addresses -<br>
wrong answer). The attackers were spoofing packets at that name server<br>
spoofed from their internal addresses and crushing their corporate<br>
network pipe bandwidth. We sent them my papers and (AFAIK) they<br>
rearchitected their infrastructure to plug those holes. Problem solved.<br>
I say "AFAIK" only because they didn't explicitly say that was<br>
specifically what they did (they were very cagey about their internal<br>
network infrastructure - I'm surprised we got as much out of them as we<br>
did) but they did thank me and my manager and several people above us<br>
profusely and said they were able to solve the problem thanks to what we<br>
gave them.<br>
<div class="HOEnZb"><div class="h5"><br>
> later!<br>
> horkan<br>
><br>
> On Mon, Oct 06, 2014 at 03:57:19PM -0400, Horkan Smith wrote:<br>
> > Yup, that's a fair critique - it hasn't been an issue yet, but I really should switch my setup around.<br>
> ><br>
> > I have a virtual machine running bind9 and postfix for a brain-damaged internal printer - I should swap DHCP to point there and see what happens.<br>
> ><br>
> > later!<br>
> > horkan<br>
> ><br>
> > On Mon, Oct 06, 2014 at 03:47:05PM -0400, Michael H. Warfield wrote:<br>
> > > On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:<br>
> > > > Can you share the lines where you control access (including recursion)? In my case, they look like:<br>
> > > ><br>
> > > > named.conf.options:<br>
> > > > allow-transfer { home-nets; domain-backups; };<br>
> > > > allow-recursion { home-nets; domain-backups; };<br>
> > > > allow-query { home-nets; domain-backups; };<br>
> > ><br>
> > > It's worth noting that these do not prevent attackers from exploiting<br>
> > > your own name servers to attack you internally. They just spoof the<br>
> > > requests from your internal (even private) addresses to request huge<br>
> > > blocks of response data which will then be cached in your servers and<br>
> > > reflected back to hammer you. It's much better if you can block access<br>
> > > from the external net (either external interface or at your router) to<br>
> > > your recursive cacher, which then blocks incoming spoofed packets from<br>
> > > your internal addresses. Most firewalls can discriminate between<br>
> > > recursive requests and terminal requests, so you'll still end up needing<br>
> > > a non-recursive DNS server for your authoritative zones.<br>
> > ><br>
> > > Regards,<br>
> > > Mike<br>
> > ><br>
> > > > Where home-nets and domain-backups are defined as acls.<br>
> > > ><br>
> > > > later!<br>
> > > > horkan<br>
> > > ><br>
> > > ><br>
> > > > On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:<br>
> > > > > Guys,<br>
> > > > ><br>
> > > > > I am under attack where my DNS server is being used to do a DDoS attack. I<br>
> > > > > believe it's a botnet, because the IPs are too random. I don't think the<br>
> > > > > domain I am seeing in my bind log is real:<br>
> > > > ><br>
> > > > > fkfkfkfz.guru<br>
> > > > ><br>
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN<br>
> > > > > ANY +E (50.192.59.225)<br>
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)<br>
> > > > > 'fkfkfkfz.guru/ANY/IN' denied<br>
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response<br>
> > > > > to 92.222.9.0/24<br>
> > > > ><br>
> > > > > I have turned on recursion, but now people can't find my domains any more.<br>
> > > > > I have also tried to limit the rate as well:<br>
> > > > ><br>
> > > > > rate-limit {<br>
> > > > > responses-per-second 25;<br>
> > > > > window 5;<br>
> > > > > };<br>
> > > > ><br>
> > > > ><br>
> > > > > I am running Debian and openSUSE.<br>
> > > > ><br>
> > > > > Anything I can do to stop them and make it so people can find my domains? I<br>
> > > > > don't want to have to pay for something I can do and have control over.<br>
> > > > ><br>
> > > > > --<br>
> > > > > Terror PUP a.k.a<br>
> > > > > Chuck "PUP" Payne<br>
> > > > ><br>
> > > > > <a href="tel:678%20636%209678" value="+16786369678">678 636 9678</a><br>
> > > > > -----------------------------------------<br>
> > > > > Discover it! Enjoy it! Share it! openSUSE Linux.<br>
> > > > > -----------------------------------------<br>
> > > > > openSUSE -- Terrorpup<br>
> > > > > openSUSE Ambassador/openSUSE Member<br>
> > > > > skype,twitter,identica,friendfeed -- terrorpup<br>
> > > > > freenode(irc) --terrorpup/lupinstein<br>
> > > > > Register Linux Userid: 155363<br>
> > > > ><br>
> > > > > Have you tried SUSE Studio? Need to create a Live CD, an app you want to<br>
> > > > > package and distribute, or create your own linux distro. Give SUSE Studio<br>
> > > > > a try.<br>
> > > > ><br>
> > > ><br>
> > > > > _______________________________________________<br>
> > > > > Ale mailing list<br>
> > > > > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> > > > > <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> > > > > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> > > > > <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
> > > ><br>
> > > ><br>
> > ><br>
> > > --<br>
> > > Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
> > > /\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
> > > NIC whois: MHW9 | An optimist believes we live in the best of all<br>
> > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
> > ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Horkan Smith<br>
> > <a href="tel:678-777-3263" value="+16787773263">678-777-3263</a> cell, <a href="mailto:ale@horkan.net">ale@horkan.net</a><br>
><br>
<br>
--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br>
</div></div><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Terror PUP a.k.a<br>Chuck "PUP" Payne<br> <br>678 636 9678<br>-----------------------------------------<br>Discover it! Enjoy it! Share it! openSUSE Linux.<br>-----------------------------------------<br>openSUSE -- Terrorpup<br>openSUSE Ambassador/openSUSE Member<br>skype,twitter,identica,friendfeed -- terrorpup<br>freenode(irc) --terrorpup/lupinstein<br>Register Linux Userid: 155363<br> <br>Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute, or create your own linux distro. Give SUSE Studio a try.<br><br></div>
</div>
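<p>The detection script below is an added example written for this archive page; it is not code from the thread, from BIND, or from any of the posters. It parses query-log lines in the shape Chuck posted above and flags the two things Michael's replies warn about: a client /24 sending a burst of ANY queries (the reflection pattern, aggregated per /24 the way BIND's rate-limit does), and queries whose source address falls inside the internal ranges a recursor is meant to serve, which on a publicly reachable recursor may be spoofed. The sample log lines, the internal ranges standing in for the thread's home-nets ACL, and the threshold and window values are constructed assumptions for the example.</p>

```python
"""Flag DNS reflection abuse in BIND query-log lines.

Added example for this thread; not code from the thread or from BIND.
The log line shape is copied from the output posted above; the sample
lines, thresholds and internal ranges are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Matches "06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (...)".
# Lines such as "query (cache) ... denied" or "drop REFUSED response" do not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Assumed stand-in for the thread's 'home-nets' ACL: the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a burst of ANY queries from one /24 (the pattern in the thread),
# one ordinary A query from a documentation address, and one query claiming an internal source.
SAMPLE_LOG = [
    "06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied",
    "06-Oct-2014 11:23:28.147 client 92.222.9.180#51002: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:28.201 client 92.222.9.179#49644: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:28.350 client 92.222.9.181#40001: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:28.612 client 92.222.9.179#49645: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:28.900 client 92.222.9.182#60010: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:29.004 client 203.0.113.7#53211: query: www.example.com IN A +E (50.192.59.225)",
    "06-Oct-2014 11:23:29.310 client 10.1.2.3#5353: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
]


def parse_line(line):
    """Return the timestamp, source address, name and type of a query line, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "ip": ipaddress.ip_address(m["ip"]),
        "qname": m["qname"].rstrip("."),
        "qtype": m["qtype"].upper(),
    }


def client_block(ip):
    """Aggregate sources the way BIND rate-limit does by default: /24 for IPv4, /56 for IPv6."""
    prefix = 24 if ip.version == 4 else 56
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def find_any_floods(lines, threshold=5, window_s=5):
    """Return {block: peak} for blocks whose ANY-query count inside any window_s-second window >= threshold."""
    per_block = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY":
            per_block[client_block(rec["ip"])].append(rec["ts"])
    flagged = {}
    for block, stamps in per_block.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):           # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[block] = peak
    return flagged


def find_internal_sources(lines):
    """Sources claiming an internal address; on a public-facing recursor these may be spoofed."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec and any(rec["ip"] in net for net in INTERNAL_NETS):
            seen.add(str(rec["ip"]))
    return sorted(seen)


if __name__ == "__main__":
    for block, n in find_any_floods(SAMPLE_LOG).items():
        print(f"ANY flood: {block} sent {n} ANY queries within 5s")
    for ip in find_internal_sources(SAMPLE_LOG):
        print(f"internal-looking source {ip}: confirm it arrived on the internal interface, otherwise it is spoofed")
```

<p>The script reads only the log, so it cannot tell which interface a packet arrived on; an internal-looking source in a public recursor's log is the cue to check the interface and, per Michael's advice, to move recursion off the public host entirely rather than relying on allow-recursion ACLs.</p>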