Weblog entry #307 for simonw

Ongoing DDoS attacks - check your DNS servers
Posted by simonw on Thu 19 Feb 2009 at 13:52
Before I went on leave, I read a note about a DDoS attack using DNS. Here is the ISC take on the same:

http://isc.sans.org/diary.html?storyid=5713

The attack is ongoing still!

That evening, I logged into our authoritative name servers and fixed up the DNS named.conf.options so that recursive queries were refused (the default Debian config results in authoritative servers providing a referral rather than a refusal to recursive queries); the config on those running Etch was wrong.

It is vital that the response to queries for which you aren't authoritative is as small as possible, to save both your own bandwidth and that of the victim. Specifically, it should be smaller than the request, as that makes using reflectors like this less useful than a more direct attack.

You can use "dig" to establish this for your authoritative name servers:

Currently the attackers are using the query "name servers for root (.)", hence:
dig @IP.AD.DR.SS . ns | grep MSG

Should return something like:
;; MSG SIZE rcvd: 17

A result of about 272 bytes (not 17) shows that the query was answered or a referral took place - not good.

In Lenny BIND9 you want:
allow-recursion {none;};

In Etch BIND9 you may also need:
recursion no;

Either way, restart named and check that the responses are correct!
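As an added illustration (not part of the original post), the following Python builds the same ". ns" query the attackers send, and shows why a refusal comes back as 17 bytes (header plus the echoed question, the same size as the query) while a referral is far larger. The sample replies are constructed inline; probe() sends the query to a server you name, which is an assumed helper for live checks.

```python
import socket
import struct

RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname=".", qtype=2, txid=0x1234):
    """Raw DNS query: 12-byte header + question section.
    qtype 2 is NS, so build_query() reproduces the '. ns' query (17 bytes)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    labels = b""
    if qname != ".":
        labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN

def parse_header(data):
    """Return (rcode name, ANCOUNT, NSCOUNT) from a DNS response."""
    _, flags, _, an, ns, _ = struct.unpack(">HHHHHH", data[:12])
    return RCODES.get(flags & 0xF, hex(flags & 0xF)), an, ns

def assess(query, response):
    """Classify a reply as the post does: a refusal echoes only the question,
    so its size equals the query's; a referral or answer is larger."""
    rcode, an, ns = parse_header(response)
    ratio = len(response) / len(query)  # > 1 means the server amplifies
    if rcode == "REFUSED":
        return "refused", ratio
    if an == 0 and ns > 0:
        return "referral", ratio
    return "answered", ratio

def probe(server, timeout=2.0):
    """Send the '. ns' query to a live server over UDP and classify the reply."""
    q = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return assess(q, data)

# Constructed sample replies (not captured traffic) for offline use.
QUERY = build_query()
REFUSED = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]

def referral(n_servers):
    """Referral listing n root servers as NS RRs in the authority section.
    Names are not compressed here, so this is larger than BIND's ~272 bytes."""
    rrs = b""
    for c in "abcdefghijklm"[:n_servers]:
        rdata = bytes([1]) + c.encode() + b"\x0croot-servers\x03net\x00"
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 518400, len(rdata)) + rdata
    return struct.pack(">HHHHHH", 0x1234, 0x8100, 1, 0, n_servers, 0) + QUERY[12:] + rrs
```

Run assess(QUERY, REFUSED) and assess(QUERY, referral(13)) to see the two cases side by side; probe("IP.AD.DR.SS") does the same against one of your own servers.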

On returning from leave I noted that one of our clients' colocated servers is providing open recursion, and all the DNS traffic to it that I can see appears to be DDoS attacks against these addresses:

213.175.198.117
67.15.64.195
62.109.4.89

Queries are either ". ns" or "aol.com txt".


Comments on this Entry

Posted by Anonymous (195.212.xx.xx) on Mon 23 Feb 2009 at 12:25
I have allow-recursion { list-of-ips; } ; in my named.conf.options file.
I still get the 272b message. Any ideas?


Posted by simonw (84.45.xx.xx) on Mon 23 Feb 2009 at 13:14
allow-query (and related statements - allow-query-on), can be used to ensure queries that don't match are refused. If this is simply a recursive server then you can probably just put the same IP address list in an "allow-query" statement as are in the "allow-recursion". BIND 9 is a tad too flexible here.
