DNS amplification attack
From Federal Burro of Information
David 22:57, 2 October 2012 (EDT)
symptoms, diagnostics
- Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
- BW graphs that have relatively big spikes in them, out.
- iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!!
logs
- turn on DNS server query logging:
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
ripe.net domain is big 3192 bytes (quadratic.net is 349 bytes)
ok so I didn't secure my name server. Fail.
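The query-log excerpt above is the raw material for spotting this kind of abuse. As an added example (not code from the wiki page), here is a small Python script that parses BIND 9 query-log lines in that format, counts ANY queries per client that is outside the page's our-nets ranges, notes when the spoofed source port is 53 (the reflected replies are aimed at another nameserver), and estimates the amplification factor from the response size quoted above (3192 bytes for ripe.net, 349 for quadratic.net). The sample lines are constructed in the page's log format, reusing the page's addresses; the query-size estimate (12-byte header, wire-encoded name, 4 fixed bytes, 11-byte EDNS OPT record) is an assumption, not a figure from the page.

```python
"""Detect DNS amplification abuse in BIND 9 query logs.

Added example, not part of the original wiki page. It assumes the BIND 9
'queries' log format shown on the page and mirrors the page's our-nets acl.
The query-size estimate (header + wire-encoded name + QTYPE/QCLASS + a
minimal EDNS OPT record) is an assumption, not a figure from the page.
"""
import ipaddress
import re
from collections import Counter

# One BIND 9 query-log line, e.g.
# "... client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)"
LOG_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Mirrors the page's "our-nets" acl; any other source is an external client.
OUR_NETS = [ipaddress.ip_network(n)
            for n in ("192.168.1.0/24", "192.168.2.0/24", "127.0.0.1/32")]

# Constructed sample in the page's log format (addresses reused from the page).
SAMPLE_LOG = [
    "02-Oct-2012 21:14:45.794 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)",
    "02-Oct-2012 21:14:45.798 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)",
    "02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)",
    "02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)",
    "02-Oct-2012 21:14:45.885 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)",
    "02-Oct-2012 21:14:45.887 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)",
    # Ordinary recursive lookup from a LAN host: not an amplification query.
    "02-Oct-2012 21:14:46.001 queries: info: client 192.168.1.10#51234 (quadratic.net): query: quadratic.net IN A + (192.168.1.64)",
    # External client asking for a small record type: external, but not ANY.
    "02-Oct-2012 21:14:46.120 queries: info: client 203.0.113.7#4021 (quadratic.net): query: quadratic.net IN MX + (192.168.1.64)",
]

DNS_HEADER = 12      # fixed DNS message header
QUESTION_FIXED = 4   # QTYPE + QCLASS in the question section
EDNS_OPT_RR = 11     # minimal OPT pseudo-RR (assumed size) carrying the "E" flag


def parse_query(line):
    """Return the client/query fields of one log line, or None if it is not a query line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields


def is_local(ip):
    """True when the client address falls inside the our-nets ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def query_wire_size(qname, edns=True):
    """Estimated on-the-wire size of a query for qname (names become len(name)+2 bytes)."""
    name = qname.rstrip(".")
    return DNS_HEADER + len(name) + 2 + QUESTION_FIXED + (EDNS_OPT_RR if edns else 0)


def amplification_factor(qname, response_bytes, edns=True):
    """Bytes sent to the spoofed victim per byte the attacker had to send."""
    return response_bytes / query_wire_size(qname, edns)


def suspicious_clients(lines, threshold=3):
    """External clients sending at least `threshold` ANY queries.

    Returns (ip, any_count, any_count_from_port_53), busiest first. A source
    port of 53 is a strong hint that the 'client' is a spoofed nameserver address.
    """
    counts, port53 = Counter(), Counter()
    for line in lines:
        q = parse_query(line)
        if q is None or q["qtype"] != "ANY" or is_local(q["ip"]):
            continue
        counts[q["ip"]] += 1
        if q["port"] == 53:
            port53[q["ip"]] += 1
    return [(ip, n, port53[ip]) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n, n53 in suspicious_clients(SAMPLE_LOG, threshold=2):
        print(f"{n:6d} ANY queries from {ip} ({n53} with source port 53)")
    for name, size in (("ripe.net", 3192), ("quadratic.net", 349)):
        print(f"{name}: ~{amplification_factor(name, size):.1f}x amplification")
```

Run it against a real query log with `suspicious_clients(open("/var/log/named/queries.log"))`; the output is the same per-IP tally the page arrives at with a shell one-liner, plus the amplification figure that explains why ripe.net ANY is the record being asked for.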
config change
added to my config:
acl our-nets { 192.168.1.0/24; 192.168.2.0/24; 127.0.0.1; };
acl bad-guys { 198.144.121.89; 174.127.93.135; 91.235.143.158; };
allow-query { our-nets; };
allow-recursion { our-nets; };
allow-recursion-on { 127.0.0.1; 192.168.1.64; };
recursive-clients 25; // rate limiting exercise.
blackhole { bad-guys; };
and added to my zone configs:
allow-query { any; };
What do you know ... the requests are now being denied. Time to report on the problem IPs and blackhole.
8037 198.144.121.89
4480 174.127.93.135
147 91.235.143.158
198.144.121.89 is:
nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255
ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255
174.127.93.135 is:
RTechHandle: MMC281-ARIN
RTechName: McBride, Matt
RTechPhone: +1-435-755-3433
RTechEmail: mmcbride@westhost.com
RTechRef: http://whois.arin.net/rest/poc/MMC281-ARIN
91.235.143.158 is ... ripe .. hmm
I can't figure out how to block on the stupid Speedtouch 780WL, so iptables will have to do for now:
/sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP
/sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP