DNS amplification attack: Difference between revisions
From Federal Burro of Information
Jump to navigationJump to search
No edit summary |
(→logs) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[User:David|David]] 22:57, 2 October 2012 (EDT) | [[User:David|David]] 22:57, 2 October 2012 (EDT) | ||
== symptoms, diagnostics == | |||
* Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs. | * Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs. | ||
* BW graphs that have relatively big spikes in them, out. | * BW graphs that have relatively big spikes in them, out. | ||
* iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!! | * iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!! | ||
[[image:athena_eth0_traffic.png]] | |||
[[image:teksavvy-router_last_864000.png]] | |||
== logs == | |||
* turn on DNS server query logging: | * turn on DNS server query logging: | ||
| Line 15: | Line 23: | ||
ripe.net domain is big 3192 bytes (quadratic.net is 349 bytes) | ripe.net domain is big 3192 bytes (quadratic.net is 349 bytes) | ||
other domains: | |||
're.vr.lt/TXT/IN' | |||
'ripe.net/ANY/IN' | |||
'isc.org/ANY/IN' | |||
ok so I didn't secure my name server. Fail. | ok so I didn't secure my name server. Fail. | ||
== config change == | |||
added to my config: | added to my config: | ||
| Line 25: | Line 41: | ||
127.0.0.1; | 127.0.0.1; | ||
}; | }; | ||
acl bad-guys { | |||
198.144.121.89; | |||
174.127.93.135; | |||
91.235.143.158; | |||
}; | |||
allow-query { | allow-query { | ||
| Line 32: | Line 55: | ||
allow-recursion { our-nets; }; | allow-recursion { our-nets; }; | ||
allow-recursion-on { 127.0.0.1; 192.168.1.64; }; | allow-recursion-on { 127.0.0.1; 192.168.1.64; }; | ||
recursive-clients 25; | recursive-clients 25; //rate limiting exercise. | ||
blackhole { bad-guys; }; | |||
and added to my zone configs: | and added to my zone configs: | ||
| Line 38: | Line 63: | ||
allow-query { any; }; | allow-query { any; }; | ||
what do you know ... the requests are now being denied. | what do you know ... the requests are now being denied. Time to report on the problem ips and blackhole. | ||
== Offenders and Response == | |||
<pre> | <pre> | ||
count address | |||
8037 198.144.121.89 | 8037 198.144.121.89 | ||
4480 174.127.93.135 | 4480 174.127.93.135 | ||
| Line 60: | Line 88: | ||
91.235.143.158 is ... ripe .. hmm | 91.235.143.158 is ... ripe .. hmm | ||
I can't figure out how to block on the stupid [[Speedtouch 780 WL]], so iptables will have todo for now: | |||
/sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP | |||
/sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP | |||
/sbin/iptables -I INPUT 1 -s 91.235.143.158 -j DROP | |||
Latest revision as of 20:22, 10 October 2012
David 22:57, 2 October 2012 (EDT)
symptoms, diagnostics
- Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
- BW graphs that have relatively big spikes in them, out.
- iptraf when the problem is happening to see what I can see. DNS traffic makes up the bulk of things!!
logs
- turn on DNS server query logging:
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64) 02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64) 02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64) 02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64) 02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64) 02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64) 02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
ripe.net domain is big 3192 bytes (quadratic.net is 349 bytes)
other domains:
're.vr.lt/TXT/IN' 'ripe.net/ANY/IN' 'isc.org/ANY/IN'
ok so I didn't secure my name server. Fail.
config change
added to my config:
acl our-nets {
192.168.1.0/24;
192.168.2.0/24;
127.0.0.1;
};
acl bad-guys {
198.144.121.89;
174.127.93.135;
91.235.143.158;
};
allow-query {
our-nets;
};
allow-recursion { our-nets; };
allow-recursion-on { 127.0.0.1; 192.168.1.64; };
recursive-clients 25; //rate limiting exercise.
blackhole { bad-guys; };
and added to my zone configs:
allow-query { any; };
what do you know ... the requests are now being denied. Time to report on the problem ips and blackhole.
Offenders and Response
count address
8037 198.144.121.89
4480 174.127.93.135
147 91.235.143.158
198.144.121.89 is:
nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255 ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255
174.127.93.135 is:
RTechHandle: MMC281-ARIN RTechName: McBride, Matt RTechPhone: +1-435-755-3433 RTechEmail: mmcbride@westhost.com RTechRef: http://whois.arin.net/rest/poc/MMC281-ARIN
91.235.143.158 is ... ripe .. hmm
I can't figure out how to block on the stupid Speedtouch 780 WL, so iptables will have todo for now:
/sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP /sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP /sbin/iptables -I INPUT 1 -s 91.235.143.158 -j DROP
