[ale] Fwd: Under Attack, my dns servers

Horkan Smith ale at horkan.net
Mon Oct 6 15:57:19 EDT 2014


Yup, that's a fair critique - it hasn't been an issue yet, but I really should switch my setup around.

I have a virtual machine running bind9 and postfix for a brain-damaged internal printer - I should swap DHCP to point there and see what happens.

later!
   horkan

On Mon, Oct 06, 2014 at 03:47:05PM -0400, Michael H. Warfield wrote:
> On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:
> > Can you share the lines where you control access (including recursion)?  In my case, they look like:
> > 
> > named.conf.options:
> >         allow-transfer { home-nets; domain-backups; };
> >         allow-recursion { home-nets; domain-backups; };
> >         allow-query { home-nets; domain-backups; };
> 
> It's worth noting that these do not prevent attackers from exploiting
> your own name servers to attack you internally.  They just spoof the
> requests from your internal (even private) addresses to request huge
> blocks of response data which will then be cached in your servers and
> reflected back to hammer you.  It's much better if you can block access
> from the external net (either external interface or at your router) to
> your recursive cacher, which then blocks incoming spoofed packets from
> your internal addresses.  Most firewalls can discriminate between
> recursive requests and terminal requests, so you'll still end up needing
> a non-recursive DNS server for your authoritative zones.
> 
> Regards,
> Mike
> 
> > Where home-nets and domain-backups are defined as acls.
> > 
> > later!
> >    horkan
> > 
> > 
> > On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:
> > > Guys,
> > > 
> > > I am under attack where my DNS server is being used to do a DDoS attack. I
> > > believe it's a botnet, because the IPs are too random. I don't think the
> > > domain I am seeing in my bind log is real:
> > > 
> > > fkfkfkfz.guru
> > > 
> > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
> > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
> > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
> > > 
> > > I have turned on recursion, but now people can't find my domains any more.
> > > I have also tried to limit the rate as well:
> > > 
> > >   rate-limit {
> > >                 responses-per-second 25;
> > >                 window 5;
> > >         };
> > > 
> > > 
> > > I am running Debian and openSUSE.
> > > 
> > > Anything I can do to stop them and make it so people can find my domains? I
> > > don't want to have to pay for something I can do and have control over.
> > > 
> > > -- 
> > > Terror PUP a.k.a
> > > Chuck "PUP" Payne
> > > 
> > > 678 636 9678
> > > -----------------------------------------
> > > Discover it! Enjoy it! Share it! openSUSE Linux.
> > > -----------------------------------------
> > > openSUSE -- Terrorpup
> > > openSUSE Ambassador/openSUSE Member
> > > skype, twitter, identica, friendfeed -- terrorpup
> > > freenode(irc) --terrorpup/lupinstein
> > > Register Linux Userid: 155363
> > > 
> > > Have you tried SUSE Studio? Need to create a Live CD, an app you want to
> > > package and distribute, or create your own Linux distro? Give SUSE Studio
> > > a try.
> > > 
> > 
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://mail.ale.org/mailman/listinfo/ale
> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > http://mail.ale.org/mailman/listinfo
> > 
> > 
> 
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 



-- 
Horkan Smith
678-777-3263 cell, ale at horkan.net
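The thread's diagnosis rests on reading the bind query log: a flood of ANY queries for one throw-away name from "random" sources, followed by the ACL "denied" and the rate-limit "drop REFUSED" lines. The script below is an added example (not code from the thread or from BIND) that turns that reading into a repeatable triage step: it parses BIND 9 querylog lines in the format Chuck pasted, counts amplifying-type queries per source and per /24, and reports how many lookups the ACLs refused and how many responses rate-limit {} dropped. The source IPs, the server address and fkfkfkfz.guru come from the pasted log; the 10.0.0.12 client, the example.com names, the threshold of 5 and the set of "amplifying" query types are constructed assumptions for the example.

```python
"""Triage a BIND 9 query log for DNS amplification abuse.

Added example, not from the thread. Assumes the BIND 9 querylog line format
pasted there; the threshold, 10.0.0.12 and example.com are constructed.
"""
import re
from collections import Counter, defaultdict

# One query line, e.g.
# 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
# Logged when allow-query / allow-recursion refuses the lookup.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+: query \(cache\) '(?P<name>[^/]+)/(?P<qtype>[^/]+)/IN' denied"
)
# Logged when rate-limit {} drops a REFUSED response for a whole /24.
DROP_RE = re.compile(r"drop REFUSED response to (?P<net>[0-9./]+)")

# Query types whose answers are large relative to the request. This set is an
# assumption about what a reflector asks for, not something the thread states.
AMPLIFYING_QTYPES = {"ANY", "TXT", "RRSIG", "DNSKEY"}


def parse_querylog(lines):
    """Split raw lines into query records, an ACL-denied count and per-/24 RRL drops."""
    queries, denied, dropped = [], 0, Counter()
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            queries.append(m.groupdict())
        elif DENIED_RE.search(line):
            denied += 1
        else:
            d = DROP_RE.search(line)
            if d:
                dropped[d.group("net")] += 1
    return queries, denied, dropped


def slash24(ip):
    """Collapse an IPv4 address to its /24, the granularity rate-limit {} reports."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_amplification_sources(queries, threshold=5):
    """Flag sources that sent at least `threshold` amplifying-type queries.

    Returns {ip: {"count": n, "names": Counter(name -> hits), "net": "a.b.c.0/24"}}.
    A spoofed reflection attack looks like one (victim) source hammering one name.
    """
    per_ip = defaultdict(Counter)
    for q in queries:
        if q["qtype"].upper() in AMPLIFYING_QTYPES:
            per_ip[q["ip"]][q["name"]] += 1
    flagged = {}
    for ip, names in per_ip.items():
        total = sum(names.values())
        if total >= threshold:
            flagged[ip] = {"count": total, "names": names, "net": slash24(ip)}
    return flagged


def summarize(lines, threshold=5):
    """End-to-end triage: what was asked, what the ACLs refused, what RRL dropped."""
    queries, denied, dropped = parse_querylog(lines)
    flagged = find_amplification_sources(queries, threshold)
    per_net = Counter()
    for info in flagged.values():
        per_net[info["net"]] += info["count"]
    return {"queries": len(queries), "denied": denied, "dropped": dict(dropped),
            "flagged": flagged, "per_net": dict(per_net)}


# Constructed sample modelled on the thread: a burst of ANY queries for the
# throw-away name, the ACL refusal and RRL drop BIND logged for it, one more ANY
# from a neighbour in the same /24, and two ordinary lookups from an internal host.
SAMPLE_LOG = [
    f"06-Oct-2014 11:23:28.{ms:03d} client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)"
    for ms in range(146, 152)
] + [
    "06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied",
    "06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24",
    "06-Oct-2014 11:23:29.001 client 92.222.9.180#5301: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:29.500 client 10.0.0.12#33211: query: www.example.com IN A + (50.192.59.225)",
    "06-Oct-2014 11:23:30.010 client 10.0.0.12#33212: query: mail.example.com IN MX + (50.192.59.225)",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, info in report["flagged"].items():
        top = info["names"].most_common(1)[0][0]
        print(f"{ip} ({info['net']}): {info['count']} amplifying queries, top name {top}")
    print(f"denied by ACL: {report['denied']}, dropped by rate-limit: {report['dropped']}")
```

Run against a real querylog (`summarize(open(path).read().splitlines())`), a non-empty "flagged" list together with a "denied" count tells you the ACLs are doing their job while the spoofed sources keep arriving, which is Mike's point: only blocking those packets before they reach the recursive cacher stops the reflection, so the per-/24 totals are what you hand to the router or firewall rule.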
