[ale] {Disarmed} Fwd: Under Attack, my dns servers

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 6 15:34:15 EDT 2014


On Mon, 2014-10-06 at 12:03 -0400, Chuck Payne wrote:


> Guys, 
> 
> 
> I am under attack where my dns server is being used to do a ddos
> attack. I believe it's a botnet, because the IPs are too random. I
> don't think the domain I am seeing in my BIND log is real

> fkfkfkfz.guru 

> 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query:
> fkfkfkfz.guru IN ANY +E (50.192.59.225)
> 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)
> 'fkfkfkfz.guru/ANY/IN' denied

Ok...  It looks like the request was denied.  What's the problem?

It looks like someone was attempting to use your server in a DNS
reflection attack.  That's a resource amplification attack where they
send you a small request "IN ANY for fkfkfkfz.guru" for which a huge
response will be delivered and cached by your name server and returned
back to the (spoofed) client.  The fact that it's a recursive "query"
and not a response is a dead giveaway that YOU are not under attack but
these fools are trying to use you as a tool to attack others.  The query
packets may be frequent but they are very small.

> 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED
> response to 92.222.9.0/24
 
> 
> I have turned on recursion, but now people can't find my domains any
> more. 

This is exactly what you do NOT want to do.  That opens up a window
where they can exploit your name server to attack others!

> I have also tried to limit the rate as well 

Which will have no impact on the rate of the incoming packets.  The
refusal to recurse is sufficient and turning on recursion will open you
up to more traffic as scanners (and these could have been scanners)
detect that you can recurse for them and they can exploit you.

1) Do NOT use the same name server for your recursive caching name
servers as your authoritative name servers!  Yes, you can, but it's a
very bad practice for this very reason.

2) Do NOT allow recursion on your authoritative name servers!  They
serve up your zones to others, they don't need to look up other zones
for others.

3) Do NOT allow external access to your recursive name servers!  Your
recursive name servers are there to serve your internal systems (and
should be behind your firewall) and NOT to serve requests for external
systems.

>   rate-limit {
>           responses-per-second 25;
>           window 5;
>   };

Useless.  Has no effect on the rate the packets are received at and you
(were) rejecting the queries.  You really can do no better unless you
have BGP flood mitigation facilities in place and I don't think you're
operating on that level.
> 
> 
> I am running Debian and openSUSE. 
> 
> 
> Anything I can do to stop them and make where people can find my
> domains? I don't want to have to pay for something I can do and have
> control over. 

Yeah, separate your recursive caching name services from your
non-recursive authoritative services.

You can do this internally behind a NAT device on a single IP by
keeping your recursive cachers on a private address behind your NAT
(they'll NAT over to the external name servers) and only allowing your
authoritative name server on your public NAT.  Or, better, use a free
service like Hurricane Electric for your authoritative name servers (if
you're on a single IP and that's your only nameserver - you're a fool -
best practices dictate a minimum of 3 on diverse networks).  I have no
less than 8 authoritative name servers for WittsEnd.com (that are
publicly available) 5 of which are the (free) ns?.he.net name servers
which slave off of ns1.wittsend.com and ns2.wittsend.com (neither of
which are the "masters" and the true masters are NOT reachable from the
Internet).

I've written a number of articles and done presentations on this subject
over the years.  You might want to review the following...

http://www.wittsend.com/mhw/2011/RobustDNS.odt
http://www.wittsend.com/mhw/2011/RobustDNS.odp

> -- 
> Terror PUP a.k.a
> Chuck "PUP" Payne
>  
> 678 636 9678

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
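As an added example (not code from this thread, and not part of BIND), here is a small Python classifier that reads BIND query-log lines in the formats quoted above and flags the reflection pattern Mike describes: an external client asking, with recursion desired and EDNS, for ANY records of a name the server is not authoritative for. It then checks that every such query was met by a "denied" line; a suspicious query with no matching denial is the open-recursion condition the thread warns against. The sample log lines, the internal network list (192.168.0.0/16, 10.0.0.0/8) and the authoritative zone (example.com) are constructed assumptions for the example.

```python
"""Added example: classify BIND query-log lines to spot DNS reflection attempts.

Not code from the mailing-list thread. The log-line shapes follow the excerpt
quoted in the thread; the sample lines, INTERNAL_NETS and OUR_ZONES below are
constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Three line shapes from the thread: the query itself, the "denied" line that
# shows recursion was refused, and the response-rate-limit drop line.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN "
    r"(?P<qtype>[A-Z0-9]+) (?P<flags>\S+) \((?P<local>[0-9A-Fa-f.:]+)\)"
)
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied"
)
RRL_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: .*drop REFUSED response to (?P<net>\S+)"
)

# Query types whose answers are large relative to a small request.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Assumptions: networks that may legitimately recurse through this server,
# and the zones it is authoritative for.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
OUR_ZONES = ["example.com"]

# Constructed sample in the thread's log format (92.222.9.x appears in the
# thread; 203.0.113.x and 198.51.100.x are documentation ranges).
LOG_SAMPLE = """\
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
06-Oct-2014 11:23:29.002 client 92.222.9.44#5113: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:29.002 client 92.222.9.44#5113: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:29.310 client 203.0.113.77#3330: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:30.001 client 198.51.100.9#40001: query: www.example.com IN A -E (50.192.59.225)
06-Oct-2014 11:23:31.100 client 192.168.1.20#51000: query: fkfkfkfz.guru IN ANY +E (192.168.1.1)
"""


def is_internal(ip, internal_nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def in_our_zones(name, our_zones=OUR_ZONES):
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in our_zones)


def classify_line(line, internal_nets=INTERNAL_NETS, our_zones=OUR_ZONES):
    """Return a dict describing a query / denied / RRL-drop line, else None."""
    m = QUERY_RE.search(line)
    if m:
        ip, qtype, flags = m.group("ip"), m.group("qtype"), m.group("flags")
        name = m.group("name").rstrip(".").lower()
        internal = is_internal(ip, internal_nets)
        ours = in_our_zones(name, our_zones)
        # Reflection signature: external client, a name we are not authoritative
        # for (answering needs recursion), a large-answer type, RD set ("+") and
        # EDNS ("E") so the reply can exceed 512 bytes. The source is presumed
        # spoofed to point at the real victim.
        suspicious = (not internal and not ours and qtype in AMPLIFYING_QTYPES
                      and flags.startswith("+") and "E" in flags)
        return {"kind": "query", "ip": ip, "name": name, "qtype": qtype,
                "internal": internal, "ours": ours, "suspicious": suspicious}
    m = DENIED_RE.search(line)
    if m:
        name, qtype, _qclass = m.group("q").split("/")
        return {"kind": "denied", "ip": m.group("ip"),
                "name": name.lower(), "qtype": qtype}
    m = RRL_RE.search(line)
    if m:
        return {"kind": "rrl_drop", "ip": m.group("ip"), "net": m.group("net")}
    return None


def summarize(lines, internal_nets=INTERNAL_NETS, our_zones=OUR_ZONES):
    """Aggregate suspicious queries per client network and check each was refused."""
    by_net, names = Counter(), Counter()
    suspicious_keys, denied_keys, rrl_drops = [], set(), 0
    for line in lines:
        rec = classify_line(line, internal_nets, our_zones)
        if rec is None:
            continue
        if rec["kind"] == "query" and rec["suspicious"]:
            prefix = 24 if ipaddress.ip_address(rec["ip"]).version == 4 else 64
            net = ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False)
            by_net[str(net)] += 1
            names[rec["name"]] += 1
            suspicious_keys.append((rec["ip"], rec["name"], rec["qtype"]))
        elif rec["kind"] == "denied":
            denied_keys.add((rec["ip"], rec["name"], rec["qtype"]))
        elif rec["kind"] == "rrl_drop":
            rrl_drops += 1
    # A suspicious query with no matching "denied" line means the server
    # answered it: the open-recursion condition to fix, not a rate to tune.
    unrefused = [k for k in suspicious_keys if k not in denied_keys]
    return {"suspicious_queries": len(suspicious_keys),
            "by_client_net": dict(by_net), "names": dict(names),
            "refused": len(suspicious_keys) - len(unrefused),
            "unrefused": unrefused, "rrl_drops": rrl_drops}


if __name__ == "__main__":
    for key, value in summarize(LOG_SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports three suspicious queries for fkfkfkfz.guru from two client /24s, two of them refused and one (from 203.0.113.77) answered without a denial; the RRL drop line is counted separately, which matches Mike's point that rate limiting only shapes responses and does nothing about the incoming query rate. The internal client's ANY query and the external A query for the server's own zone are left alone, since those are the two kinds of traffic a correctly separated recursive/authoritative setup is supposed to serve.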
