DNS amplification attack

From Federal Burro of Information
Jump to navigationJump to search

David 22:57, 2 October 2012 (EDT)

symptoms, diagnostics

  • Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
  • BW graphs that have relatively big spikes in them, out.
  • iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!!

Athena eth0 traffic.png

Teksavvy-router last 864000.png

logs

  • turn on DNS server query logging:
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)

ripe.net domain is big 3192 bytes (quadratic.net is 349 bytes)

other domains:

're.vr.lt/TXT/IN'
'ripe.net/ANY/IN'
'isc.org/ANY/IN'

ok so I didn't secure my name server. Fail.

config change

added to my config:

acl our-nets {
    192.168.1.0/24;
    192.168.2.0/24;
    127.0.0.1;
};
acl bad-guys {
    198.144.121.89;
    174.127.93.135;
    91.235.143.158;
};


   allow-query {
       our-nets;
   };
   allow-recursion { our-nets; };
   allow-recursion-on { 127.0.0.1; 192.168.1.64; };
   recursive-clients 25; //rate limiting exercise.
   
   blackhole { bad-guys; };

and added to my zone configs:

allow-query { any; };

what do you know ... the requests are now being denied. Time to report on the problem ips and blackhole.

Offenders and Response

  count address
   8037 198.144.121.89
   4480 174.127.93.135
    147 91.235.143.158

198.144.121.89 is:

nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255
ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255

174.127.93.135 is:

RTechHandle: MMC281-ARIN
RTechName:   McBride, Matt
RTechPhone:  +1-435-755-3433
RTechEmail:  mmcbride@westhost.com
RTechRef:    http://whois.arin.net/rest/poc/MMC281-ARIN

91.235.143.158 is ... ripe .. hmm

I can't figure out how to block on the stupid Speedtouch 780 WL, so iptables will have todo for now:

/sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP
/sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP
/sbin/iptables -I INPUT 1 -s 91.235.143.158 -j DROP