[ale] Fwd: Under Attack, my dns servers

Chuck Payne terrorpup at gmail.com
Tue Oct 7 13:28:24 EDT 2014


Michael and Horkan, thank you. I am blocking the attack on my servers, and
people are able to find me again.

I want to thank the list as well. I don't think people get enough thanks. I
am very grateful.

PUP

On Mon, Oct 6, 2014 at 5:13 PM, Michael H. Warfield <mhw at wittsend.com>
wrote:

> On Mon, 2014-10-06 at 15:59 -0400, Horkan Smith wrote:
> > I've also seen a setup where both internal and external DNS servers
> > are running on the same machine, but I'd have to dig out the config
> > options they used.
>
> Once you are under attack, I have seen no convincing evidence of
> successful mitigation that falls short of simply separating the
> authoritative services from the recursive services on different (maybe
> just virtual) machines.  I've helped some fortune 500 companies and a
> few petro/chemical companies mitigate such attacks over the last several
> years prior to my retirement.
>
> The complexity of the combined configuration along with the chances of
> errors and inadvertent spoofing attacks (the big one) make it really
> impractical, once someone has you in their sights and they really want
> to make your life miserable.
>
> If you allow your public, authoritative nameserver to act as a recursor
> for your internal addresses and some attacker realizes this, he can
> spoof packets into your nameserver from your internal addresses to his
> heart's delight and hammer the bejesus out of your network and machines
> turning your own resources against you.  I had to deal with several
> cases like this.
>
> I had one major (unnamed) international client who was being pummeled by
> this (their recursive caching name servers were on a publicly accessible
> colo site with recursion "restricted" to their internal addresses -
> wrong answer).  The attackers were spoofing packets at that name server
> spoofed from their internal addresses and crushing their corporate
> network pipe bandwidth.  We sent them my papers and (AFAIK) they
> rearchitected their infrastructure to plug those holes.  Problem solved.
> I say "AFAIK" only because they didn't explicitly say that was
> specifically what they did (they were very cagey about their internal
> network infrastructure - I'm surprised we got as much out of them as we
> did) but they did thank me and my manager and several people above us
> profusely and said they were able to solve the problem thanks to what we
> gave them.
>
> > later!
> >    horkan
> >
> > On Mon, Oct 06, 2014 at 03:57:19PM -0400, Horkan Smith wrote:
> > > Yup, that's a fair critique - it hasn't been an issue yet, but I really
> > > should switch my setup around.
> > >
> > > I have a virtual machine running bind9 and postfix for a brain-damaged
> > > internal printer - I should swap DHCP to point there and see what happens.
> > >
> > > later!
> > >    horkan
> > >
> > > On Mon, Oct 06, 2014 at 03:47:05PM -0400, Michael H. Warfield wrote:
> > > > On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:
> > > > > Can you share the lines where you control access (including
> > > > > recursion)?  In my case, they look like:
> > > > >
> > > > > named.conf.options:
> > > > >         allow-transfer { home-nets; domain-backups; };
> > > > >         allow-recursion { home-nets; domain-backups; };
> > > > >         allow-query { home-nets; domain-backups; };
> > > >
> > > > It's worth noting that these do not prevent attackers from exploiting
> > > > your own name servers to attack you internally.  They just spoof the
> > > > requests from your internal (even private) addresses to request huge
> > > > blocks of response data which will then be cached in your servers and
> > > > reflected back to hammer you.  It's much better if you can block access
> > > > from the external net (either external interface or at your router) to
> > > > your recursive cacher, which then blocks incoming spoofed packets from
> > > > your internal addresses.  Most firewalls can discriminate between
> > > > recursive requests and terminal requests, so you'll still end up needing
> > > > a non-recursive DNS server for your authoritative zones.
> > > >
> > > > Regards,
> > > > Mike
> > > >
> > > > > Where home-nets and domain-backups are defined as acls.
> > > > >
> > > > > later!
> > > > >    horkan
> > > > >
> > > > >
> > > > > On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:
> > > > > > Guys,
> > > > > >
> > > > > > I am under attack where my DNS server is being used to do a DDoS
> > > > > > attack. I believe it's a botnet, because the IPs are too random. I
> > > > > > don't think the domain I am seeing in my BIND log is real:
> > > > > >
> > > > > > fkfkfkfz.guru
> > > > > >
> > > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
> > > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
> > > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
> > > > > >
> > > > > > I have turned on recursion, but now people can't find my domains
> > > > > > any more. I have also tried to limit the rate as well:
> > > > > >
> > > > > >   rate-limit {
> > > > > >                 responses-per-second 25;
> > > > > >                 window 5;
> > > > > >         };
> > > > > >
> > > > > >
> > > > > > I am running Debian and openSUSE.
> > > > > >
> > > > > > Is there anything I can do to stop them and make it so people can
> > > > > > find my domains? I don't want to have to pay for something I can do
> > > > > > and have control over.
> > > > > >
> > > > > > --
> > > > > > Terror PUP a.k.a
> > > > > > Chuck "PUP" Payne
> > > > > >
> > > > > > 678 636 9678
> > > > > > -----------------------------------------
> > > > > > Discover it! Enjoy it! Share it! openSUSE Linux.
> > > > > > -----------------------------------------
> > > > > > openSUSE -- Terrorpup
> > > > > > openSUSE Ambassador/openSUSE Member
> > > > > > skype, twitter, identica, friendfeed -- terrorpup
> > > > > > freenode(irc) -- terrorpup/lupinstein
> > > > > > Registered Linux Userid: 155363
> > > > > >
> > > > > > Have you tried SUSE Studio? Need to create a Live CD, an app you want to
> > > > > > package and distribute, or create your own linux distro. Give SUSE Studio
> > > > > > a try.
> > > > > >
> > > > >
> > > > > > _______________________________________________
> > > > > > Ale mailing list
> > > > > > Ale at ale.org
> > > > > > http://mail.ale.org/mailman/listinfo/ale
> > > > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > > > http://mail.ale.org/mailman/listinfo
> > > > >
> > > > >
> > > >
> > > > --
> > > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > > >    /\/\|=mhw=|\/\/          | (678) 463-0932 | http://www.wittsend.com/mhw/
> > > >    NIC whois: MHW9          | An optimist believes we live in the best of all
> > > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > > >
> > > --
> > > Horkan Smith
> > > 678-777-3263 cell, ale at horkan.net
> >
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 | http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>


-- 
Terror PUP a.k.a
Chuck "PUP" Payne

678 636 9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- Terrorpup
openSUSE Ambassador/openSUSE Member
skype, twitter, identica, friendfeed -- terrorpup
freenode(irc) -- terrorpup/lupinstein
Registered Linux Userid: 155363

Have you tried SUSE Studio? Need to create a Live CD, an app you want to
package and distribute, or create your own linux distro. Give SUSE Studio
a try.
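Added example (editor's code, not from the thread or any of the posters): a small Python detector for the pattern Chuck's BIND log shows, bursts of ANY queries for one name arriving from many source addresses, run over constructed sample lines that include the two log lines quoted above. The thresholds reuse the responses-per-second 25 / window 5 values from the quoted rate-limit block; the exact log format and the TEST-NET sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the BIND "query:" lines quoted in the thread; "query (cache) ... denied"
# and "drop REFUSED" lines deliberately do not match. Trailing "+E (ip)" is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_line(line):
    """Return the fields of one query line as a dict, or None if it is not a query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec

def find_any_floods(lines, window_s=5, min_queries=25):
    """Flag names receiving >= min_queries ANY queries inside any window_s-second window,
    with the count of distinct source IPs (many sources per name is the reflection signature)."""
    by_name = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY":
            by_name[rec["qname"]].append((rec["ts"], rec["ip"]))
    flagged = {}
    for qname, events in by_name.items():
        events.sort()                       # sliding window over time-ordered events
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= min_queries and count > flagged.get(qname, {}).get("queries", 0):
                sources = {ip for _, ip in events[start:end + 1]}
                flagged[qname] = {"queries": count, "sources": len(sources)}
    return flagged
# Constructed sample: two lines from the thread, one benign A query, and a burst of
# 29 more ANY queries for the same name from TEST-NET-2 addresses within three seconds.
SAMPLE_LOG = [
    "06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)",
    "06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied",
    "06-Oct-2014 11:23:29.000 client 192.0.2.7#5353: query: www.example.net IN A +E (50.192.59.225)",
] + [
    f"06-Oct-2014 11:23:{28 + i // 10}.{(i % 10) * 100:03d} client 198.51.100.{i}#4{i:04d}: "
    "query: fkfkfkfz.guru IN ANY +E (50.192.59.225)"
    for i in range(1, 30)
]
```

Running `find_any_floods(SAMPLE_LOG)` on the sample flags fkfkfkfz.guru with 30 ANY queries from 30 distinct sources; the benign A query and the denied/REFUSED lines are ignored.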