Inbound DNS Amplification Attack

wayner

Hi All,  I have been getting a constant string of SNORT alerts since about 4am Sunday morning my time.  I have attached a screen cap of the snort alerts log and can confirm that this is happening from multiple spoofed IP's.  I have 2 WAN connections, only 1 is affected.

Details of my setup are as follows :
PFSense 2.0.1 running Snort 2.9.2.3 with paid subscription
Forwarding ports 25, 80, 443, 1194 on this connection.
Yesterday I created a DROP for port 53 rule on this connection.
PFSense DNS Forwarder is enabled.
There are now DNS servers on my local network.

I contacted my ISP to see what they could do from their end.  Following is their reply:

"I have discussed the the DOS attack with our Support Specialist team and they have advised me that the problem is caused by an exploit in the recursive lookup of your local DNS server. Turning this recursive lookup off or limiting it to your local network only should solve the problem.

A good explanation of what is going on can be found at the link below:

http://securitytnt.com/dns-amplification-attack/"

Although this is not causing any real problems at the moment, I am concerned that this could be a precursor to a DOS attack.  Is there anyway that the PFSense DNS Forwarder could be the cause of this problem?

Thanks,
Wayne

cmb

If what's happening is you're being used as a source for a reflective attack, you have your firewall rules far too open. If you allow TCP/UDP 53 on WAN and have the DNS forwarder enabled, you will have an open recursive resolver to the world, which is bad. It's not an "exploit" of your DNS server, it's a consequence of allowing recursive lookups from the Internet, which you should never do for this reason amongst others.

wayner

Thanks CMB,  Defiantly not allowing inbound port 53 on WAN.  On this WAN,  I have NAT redirects for ports 80,443 and 25 to web and mail servers.  Also allowing 1194 for inbound VPN.  All other rules on WAN are PFBlocker block rules + one I created yesterday to DROP inbound requests to port 53.

I'm not seeing any of this activity in the Firewall logs so I assume snort is blocking before the firewall.  I can't see how this is a PFsense issue but I need to convince my ISP of this.

Anyone see something I might have missed?

Thanks,
Wayne

cmb

Filter Diag>States for :53 and see what's there.

wayner

All that's in the states table for port 53 are the connections to my ISP's DNS servers as are listed in General Setup.  The states look like this:

my.wan.ip:35391 -> my.gateway.ip:54774 -> myisps.main.dns.server:53    MULTIPLE:SINGLE
my.wan.ip:35391 -> my.gateway.ip:54774 -> myisps.backup.dns.server:53    MULTIPLE:SINGLE

All other connections are local to the pfsense box.

Thanks

cmb

Oh, I overlooked the fact you said it's only attempts that's triggering Snort, I thought you actually had responses going out. Generally the requests will come in at a rate adequate to peg your upstream, which you'd notice, and your states show you aren't actually responding. What you're seeing is just typical Internet noise that you can't do anything about. Usually such attempts are targeted at IPs that are known to be running an open resolver, so if you have a dynamic IP that's recently been assigned to you, it's likely someone else was running an open resolver on that address previously. Sometimes they're just blindly fired though. You just have to ignore things like that, nothing your ISP is going to be able to do or even cares about, and nothing you can do about it. You're blocking it.

This is a good example of why I usually don't run Snort on WAN or outside the firewall. Too much noise that you're blocking and hence don't need to care about. Snort generates enough noise without adding a slew of things you're blocking to the list.