DNS Attacks



  • OK,
    I've got a problem regarding DNS attacks on port 53. Sometimes these ports are getting flooded with udp packets. They all have a limited number of connections but it still uses lots of bandwidth. What I do now is, checking bandwidthd graphs and as soon as it turns red, I check the states and find the bad IP. Then I block the IP and kill the states. I gues this must be more easy, maybe with snort or something.
    I know PFsense can't block DOS or DDOS attacks, but does anybody has a ruleset or batch script or something which does the above automatically?

    Thanks,
    Roger


  • Rebel Alliance Global Moderator

    So your running a public dns?  Why would 53 be open inbound in the first place, the default block rule on the wan would just drop all these.. Why are you creating specific block rules?

    Or your own authoritative for your domain(s)..  It should only answer for your domains, not recursive.



  • Yes,
    I am running my own authorative domain server or several to be exactly so I can't just block port 53. The pfsense firewall is running in bridged mode, which works very well. So far.  :(
    I am thinking about adding special DOS/DDOS hardware, but at the moment pfsense works well, just the $@%# UDP floods.


  • Rebel Alliance Global Moderator

    And is your dns open as recursive?  PM an IP and will check real quick.

    Where are you going to add this hardware?  A DOS that fills your connection has to be taken care of upstream - there is little to do at the endpoint in a DOS or DDOS.



  • Well,
    To be honest, I am not really afraid of real DOS/DDOS attacks. I have a switch behind my uplink which has 100mbit ports and a 1Gb uplink. When I get a dos attack on one of the servers it will only take that down and I can still get to my other servers and firewall (that's theoritical, I haven't got that problem). The problem with the floods is that they use up quiet some bandwidth. I am currently looking if zabbix can inform me when the states or bandwidth go up to far.
    The DNS 's only answer for their autorative domains. The last udp flood contained over 10000 udp states from only one IP using up 28Mbit.



  • Snort offers DNS DDoS detection with auto-blocking.


  • Rebel Alliance Global Moderator

    "The problem with the floods is that they use up quiet some bandwidth"

    Does not matter if you block them, they would still use up bandwidth..  Unless your talking about your answer bandwidth, are they doing queries for your domains, or your just saying hey don't do recursive.

    Blocking their IPs is only going to save you your answer cpu cycles and bandwidth.  So is that 28mbit they sent their end, or theirs and your answer?



  • The bandwidth is mostly (about 95%) coming from my DNS servers as an answer to their requests.
    As soon as I block their IP the bandwidth is back to normal.


  • Rebel Alliance Global Moderator

    So I have to ask what are they asking for?  Are they doing a NS query, SOA, are they asking for for something that you answer with large amount of info?

    Looking to block automatically - having as much detail on how they are creating the return traffic is good info to have.  Unless your looking for something to just block based upon rates?

    Why don't you just rate limit your dns? If he is the one creating all the traffic, I would have to assume they are trying to use your dns server as a amplification attack against some source IP they are forging.. So just rate limit it

    something as simple as

    options {
        directory "/var/named";
        rate-limit {
            responses-per-second 5;
        };
    };

    In bind should really slow down any sort of attack to make it just noise you can overlook.


  • Rebel Alliance Developer Netgate

    If you run an authoritative name server, make sure that you do NOT allow recursion from the Internet. These attacks can only exploit recursive resolvers. If your authoritative name server denies recursion, they'll get nothing.

    If you run a server that must do both, ensure that recursion is restricted to only your allowed local networks.

    See pages like this for a better explanation: http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache


  • Rebel Alliance Global Moderator

    An authoritative could be used as well - if you forge your source and ask for something that it is authoritative for ;)  It then sends its answer to what it thinks asked for it.

    But I agree with you normally recursive servers are the ones most used.



  • Thanks guys,

    Seems that keep blocking the IP addresses is starting to work, because I haven't seen any floods last few days  :-X
    The DNS servers are configured to answer only for local domains and I also lowered the rate-limit as Johnpoz mentioned.
    Hope this helps
    Beside that, does anyone know an IP blacklist which can be maintained by ISP's or people with online servers. As far as I know all blacklists are maintained by companies/people who fill their own database with honeypots etc.
    But the IP addresses I blocked are probably annoying other online servers now. If I could add my IP-"knowledge" to a more open blacklist, they could be blocked right away.