DNS amplification attack
From Federal Burro of Information
David 22:57, 2 October 2012 (EDT)
symptoms, diagnostics
- Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
- BW graphs that have relatively big spikes in them, outbound.
- Ran iptraf while the problem was happening to see what I could see. DNS traffic makes up the bulk of things!!
logs
- turn on DNS server query logging:
 02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
 02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
 02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
 02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
 02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
 02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
 02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
The ripe.net domain is big: the ANY answer is 3192 bytes (quadratic.net's is 349 bytes).
ok so I didn't secure my name server. Fail.
config change
added to my config:
 acl our-nets { 192.168.1.0/24; 192.168.2.0/24; 127.0.0.1; };
 acl bad-guys { 198.144.121.89; 174.127.93.135; 91.235.143.158; };
 allow-query { our-nets; };
 allow-recursion { our-nets; };
 allow-recursion-on { 127.0.0.1; 192.168.1.64; };
 recursive-clients 25; // rate limiting exercise.
 blackhole { bad-guys; };
and added to my zone configs:
 allow-query { any; };
What do you know ... the requests are now being denied. Time to report on the problem IPs and blackhole them.
Offenders and Response
 count  address
  8037  198.144.121.89
  4480  174.127.93.135
   147  91.235.143.158
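The offender table above is just the query log boiled down to ANY queries per client. The following is an added example (not the page author's own tooling) that parses BIND query-log lines in the format shown in the log section, ranks clients the way the table does, and estimates the amplification an open resolver hands out for a given name from the response sizes the page quotes. The log lines and client addresses in it are constructed (RFC 5737 documentation ranges), not taken from the page; the regex, field names and thresholds are assumptions of this example.

```python
"""Rank DNS query-log clients by ANY-query volume and estimate amplification.

Added example for this page, not the author's tooling. Standard library only.
Log lines and addresses below are constructed, modelled on the page's log format.
"""
import re
from collections import Counter

# BIND 9.9-style query log line, as in the page's log excerpt:
# <date> <time> queries: info: client <ip>#<port> (<name>): query: <name> <class> <type> <flags> (<local ip>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<echo>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<local>[^)]+)\)$"
)

# Constructed sample log (RFC 5737 addresses), same shape as the page's excerpt.
SAMPLE_LOG = """\
02-Oct-2012 21:14:45.794 queries: info: client 198.51.100.10#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 203.0.113.7#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.51.100.10#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.51.100.10#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 192.168.1.20#54321 (quadratic.net): query: quadratic.net IN A +E (192.168.1.64)
02-Oct-2012 21:14:45.914 queries: info: client 198.51.100.10#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
""".splitlines()


def parse_query_line(line):
    """Return a dict of fields for one query-log line, or None if it does not match."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # BIND flag letters: '+' recursion desired, 'E' EDNS, 'D' DNSSEC OK (DO bit), 'T' over TCP.
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["edns"] = "E" in rec["flags"]
    rec["tcp"] = "T" in rec["flags"]
    return rec


def any_query_counts(lines):
    """Count UDP ANY queries per client address (TCP queries cannot be spoofed, so skip them)."""
    counts = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec and rec["qtype"] == "ANY" and not rec["tcp"]:
            counts[rec["client"]] += 1
    return counts


def offenders(lines, min_queries=2):
    """Return [(count, client), ...] sorted by count descending, like the page's table.
    Reflection traffic shows up as many ANY queries for a name with a large answer,
    typically from source port 53 (the spoofed victim's own resolver port)."""
    counts = any_query_counts(lines)
    return sorted(((n, ip) for ip, n in counts.items() if n >= min_queries), reverse=True)


def dns_query_size(qname, edns=True):
    """Wire size in bytes of a minimal DNS query payload (no UDP/IP headers):
    12-byte header + length-prefixed labels + root byte + QTYPE/QCLASS,
    plus an 11-byte OPT pseudo-record when EDNS is in use (the 'E' flag)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name_len = sum(1 + len(l) for l in labels) + 1
    return 12 + name_len + 4 + (11 if edns else 0)


def amplification_factor(response_bytes, qname, edns=True):
    """Response size divided by query size: bytes the victim receives per byte spoofed."""
    return response_bytes / dns_query_size(qname, edns)


if __name__ == "__main__":
    print(" count  address")
    for n, ip in offenders(SAMPLE_LOG, min_queries=1):
        print(f"{n:6d}  {ip}")
    # Sizes quoted on the page: ripe.net ANY answer 3192 bytes, quadratic.net 349 bytes.
    for name, size in (("ripe.net", 3192), ("quadratic.net", 349)):
        print(f"{name}: {size} B answer, ~{amplification_factor(size, name):.0f}x amplification")
```

Feeding the real log through `offenders()` (for example `offenders(open("/var/log/named/queries.log"))`) reproduces the count table; the `min_queries` cut-off is arbitrary and should be set from the normal ANY-query rate for the server. The amplification figure is the part worth showing a network owner: a 37-byte query for ripe.net comes back as 3192 bytes, roughly 86x, which is why an open recursive resolver answering ANY queries from anyone is worth an attacker's effort.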
198.144.121.89 is:
 nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255
 ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255
174.127.93.135 is:
 RTechHandle: MMC281-ARIN
 RTechName:   McBride, Matt
 RTechPhone:  +1-435-755-3433
 RTechEmail:  mmcbride@westhost.com
 RTechRef:    http://whois.arin.net/rest/poc/MMC281-ARIN
91.235.143.158 is ... RIPE ... hmm
I can't figure out how to block on the stupid Speedtouch 780 WL, so iptables will have to do for now:
 /sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP
 /sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP
 /sbin/iptables -I INPUT 1 -s 91.235.143.158 -j DROP