DNS amplification attack: Difference between revisions
From Federal Burro of Information
Latest revision as of 20:22, 10 October 2012
David 22:57, 2 October 2012 (EDT)
== symptoms, diagnostics ==
* Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
* BW graphs that have relatively big spikes in them, out.
* iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!!
== logs ==
* turn on DNS server query logging:
<pre>
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
</pre>
The ripe.net response is big: 3192 bytes (quadratic.net is 349 bytes).
other domains being queried:
<pre>
're.vr.lt/TXT/IN'
'ripe.net/ANY/IN'
'isc.org/ANY/IN'
</pre>
ok so I didn't secure my name server. Fail.
== config change ==
added to my config:
<pre>
acl our-nets { 192.168.1.0/24; 192.168.2.0/24; 127.0.0.1; };
acl bad-guys { 198.144.121.89; 174.127.93.135; 91.235.143.158; };
allow-query { our-nets; };
allow-recursion { our-nets; };
allow-recursion-on { 127.0.0.1; 192.168.1.64; };
recursive-clients 25; //rate limiting exercise.
blackhole { bad-guys; };
</pre>
and added to my zone configs:
<pre>
allow-query { any; };
</pre>
what do you know ... the requests are now being denied. Time to report on the problem IPs and blackhole.
== Offenders and Response ==
<pre>
count   address
 8037   198.144.121.89
 4480   174.127.93.135
  147   91.235.143.158
</pre>
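The per-client counts above can be pulled straight out of the query log. The following is an added example, not code from the original page: it parses BIND 9 query log lines of the shape shown in the logs section, keeps only amplifying query types (ANY, TXT) from addresses outside the our-nets ACL, and tallies them per client. The sample log is constructed from four of the page's own lines plus one made-up LAN lookup from 192.168.1.10.

```python
import ipaddress
import re
from collections import Counter

# Shape of the BIND 9 query log lines shown on this page, e.g.
# 02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)
# The page's our-nets ACL as networks (127.0.0.1 becomes a /32).
OUR_NETS = [ipaddress.ip_network(n)
            for n in ("192.168.1.0/24", "192.168.2.0/24", "127.0.0.1/32")]
# Query types with answers far larger than the request (ripe.net ANY was 3192 bytes).
AMPLIFYING_QTYPES = {"ANY", "TXT"}

# Constructed sample: four lines from the page's own log plus one ordinary
# lookup from a LAN client (192.168.1.10 is a made-up local address).
SAMPLE_LOG = """\
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:46.001 queries: info: client 192.168.1.10#51234 (quadratic.net): query: quadratic.net IN A +E (192.168.1.64)
"""

def parse_query_log(lines):
    """Yield one dict per recognised query line; anything else is skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.groupdict()

def is_local(ip, nets=OUR_NETS):
    """True if ip falls inside the our-nets ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def suspicious_clients(lines, nets=OUR_NETS, qtypes=AMPLIFYING_QTYPES):
    """Count amplifying queries from outside our-nets, busiest client first,
    returned as [(count, ip), ...] like the 'count address' table above."""
    counts = Counter()
    for q in parse_query_log(lines):
        if q["qtype"] in qtypes and not is_local(q["ip"], nets):
            counts[q["ip"]] += 1
    return sorted(((n, ip) for ip, n in counts.items()), reverse=True)
```

Note that in a reflection attack the client address is usually forged to be the victim's, so the addresses this lists are where the amplified answers are being sent; the allow-query and allow-recursion ACLs are what actually stop the server from being abused.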
198.144.121.89 is:
<pre>
nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255
ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255
</pre>
174.127.93.135 is:
<pre>
RTechHandle: MMC281-ARIN
RTechName:   McBride, Matt
RTechPhone:  +1-435-755-3433
RTechEmail:  mmcbride@westhost.com
RTechRef:    http://whois.arin.net/rest/poc/MMC281-ARIN
</pre>
91.235.143.158 is ... ripe .. hmm
I can't figure out how to block on the stupid Speedtouch 780 WL, so iptables will have to do for now:
<pre>
/sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP
/sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP
/sbin/iptables -I INPUT 1 -s 91.235.143.158 -j DROP
</pre>