DNS amplification attack: Difference between revisions

Revision as of 03:10, 3 October 2012

David 22:57, 2 October 2012 (EDT)

symptoms, diagnostics

Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
BW graphs that have relatively big spikes in them, out.
iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!!

logs

turn on DNS server query logging:

02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)

ripe.net domain is big 3192 bytes (quadratic.net is 349 bytes)

ok so I didn't secure my name server. Fail.

config change

added to my config:

acl our-nets {
    192.168.1.0/24;
    192.168.2.0/24;
    127.0.0.1;
};

acl bad-guys {
    198.144.121.89;
    174.127.93.135;
    91.235.143.158;
};

   allow-query {
       our-nets;
   };

   allow-recursion { our-nets; };
   allow-recursion-on { 127.0.0.1; 192.168.1.64; };
   recursive-clients 25; //rate limiting exercise.
   
   blackhole { bad-guys; };

and added to my zone configs:

allow-query { any; };

what do you know ... the requests are now being denied. time to report on the problem ips and blackhole.

   8037 198.144.121.89
   4480 174.127.93.135
    147 91.235.143.158

198.144.121.89 is:

nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255
ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255

174.127.93.135 is:

RTechHandle: MMC281-ARIN
RTechName:   McBride, Matt
RTechPhone:  +1-435-755-3433
RTechEmail:  mmcbride@westhost.com
RTechRef:    http://whois.arin.net/rest/poc/MMC281-ARIN

91.235.143.158 is ... ripe .. hmm

I can't figure out how to block on the stupid Speedtouch 780WL, so iptables will ahve todo for now:

/sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP
/sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP

DNS amplification attack: Difference between revisions

Revision as of 03:10, 3 October 2012

symptoms, diagnostics

logs

config change

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Tools

@@ Line 1: / Line 1: @@
 [[User:David|David]] 22:57, 2 October 2012 (EDT)
+== symptoms, diagnostics ==
 * Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
 * BW graphs that have relatively big spikes in them, out.
 * iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!!
+== logs ==
 * turn on DNS server query logging:
@@ Line 17: / Line 21: @@
 ok so I didn't secure my name server. Fail.
+== config change ==
 added to my config:
@@ Line 25: / Line 31: @@
 .0.0.1;
   };
+ acl bad-guys {
+.144.121.89;
+.127.93.135;
+.235.143.158;
+ };
      allow-query {
@@ Line 32: / Line 45: @@
      allow-recursion { our-nets; };
      allow-recursion-on { 127.0.0.1; 192.168.1.64; };
-     recursive-clients 25;
+     recursive-clients 25; //rate limiting exercise.
+    blackhole { bad-guys; };
 and added to my zone configs: