DNS amplification attack: Difference between revisions

From Federal Burro of Information
Revision as of 03:12, 3 October 2012

David 22:57, 2 October 2012 (EDT)

== Symptoms, diagnostics ==

  • Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
  • Bandwidth graphs with relatively big spikes in them, on the outbound side.
  • Run iptraf while the problem is happening to see what I can see: DNS traffic makes up the bulk of it!

== Logs ==

  • Turn on DNS server query logging:
<pre>
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
</pre>

The ripe.net zone is big: the ANY answer is 3192 bytes (quadratic.net's is 349 bytes), so every small query makes this server send a large response to whatever address the query claims to come from. That is the amplification, and the "client" addresses in the log are typically the spoofed addresses of the real targets rather than the machines sending the queries.

ok so I didn't secure my name server. Fail.

== Config change ==

added to my config:

<pre>
acl our-nets {
    192.168.1.0/24;
    192.168.2.0/24;
    127.0.0.1;
};
acl bad-guys {
    198.144.121.89;
    174.127.93.135;
    91.235.143.158;
};

// the following go inside the existing options { ... } block
// (blackhole and recursive-clients are only valid there):
    allow-query { our-nets; };
    allow-recursion { our-nets; };
    allow-recursion-on { 127.0.0.1; 192.168.1.64; };
    recursive-clients 25; // rate limiting exercise.

    blackhole { bad-guys; };
</pre>

and added to my zone configs (a zone-level allow-query overrides the global one, so the zones I am authoritative for stay answerable by anyone while recursion stays limited to our-nets):

  allow-query { any; };

What do you know ... the requests are now being denied. Time to report on the problem IPs and blackhole.

== Offenders and Response ==

<pre>
  count address
   8037 198.144.121.89
   4480 174.127.93.135
    147 91.235.143.158
</pre>
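As an added example (not part of the original wiki page), here is a small Python triage script that does what the log review under Logs and the count/address table above do by hand: it parses BIND query-log lines in the format shown on this page, counts ANY queries with EDNS from addresses outside our-nets per client, works out the amplification factor for the 3192-byte ripe.net answer, and counts the "denied" lines BIND writes once the allow-query/allow-recursion change is in place. The sample log lines are constructed, the format of the denied line is assumed from BIND 9's security log category, and the function and constant names are my own.

```python
"""Triage helper for BIND query logs (added example, not part of the wiki page)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the same format as the query log on the page.
# The last line is a normal recursive A lookup from a LAN host, for contrast.
SAMPLE_LOG = """\
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:46.101 queries: info: client 192.168.1.23#41022 (www.example.com): query: www.example.com IN A + (192.168.1.64)
"""

# Constructed sample of the security-category lines BIND writes once
# allow-recursion/allow-query reject a client (format assumed from BIND 9).
DENIED_LOG = """\
02-Oct-2012 22:30:01.120 security: info: client 198.144.121.89#53: query (cache) 'ripe.net/ANY/IN' denied
02-Oct-2012 22:30:01.125 security: info: client 174.127.93.135#53: query (cache) 'ripe.net/ANY/IN' denied
"""

# Networks allowed to use the resolver (the page's our-nets acl).
OUR_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24"),
            ip_network("127.0.0.0/8")]

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query \(cache\) '[^']*' denied"
)


def parse_queries(log_text):
    """Return one dict per query line with ip, port, name, qtype and flags."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            out.append(d)
    return out


def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def is_reflection_candidate(q):
    """ANY query carrying EDNS ('E' in the flags field) from outside our nets.

    The client address of such a query is normally spoofed: it is the address
    that will receive the large answer, i.e. the real target of the flood.
    """
    return q["qtype"] == "ANY" and "E" in q["flags"] and not is_local(q["ip"])


def count_suspicious(log_text):
    """Per-client counts, the same shape as the count/address table above."""
    return Counter(q["ip"] for q in parse_queries(log_text)
                   if is_reflection_candidate(q))


def query_wire_size(name, edns=True):
    """Bytes on the wire for a minimal query: 12-byte header, the encoded
    name (length byte per label plus the root byte), QTYPE and QCLASS,
    plus the 11-byte OPT record when EDNS is in use."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    size = 12 + sum(1 + len(l) for l in labels) + 1 + 4
    return size + (11 if edns else 0)


def amplification_factor(response_bytes, name, edns=True):
    """How many bytes leave the server per byte the spoofed query cost."""
    return response_bytes / query_wire_size(name, edns)


def estimated_reflected_bytes(counts, response_bytes):
    """Rough outbound volume sent towards each spoofed source address."""
    return {ip: n * response_bytes for ip, n in counts.items()}


def count_denied(log_text):
    """Per-client refusals, to confirm the config change actually took effect."""
    return Counter(m.group("ip") for line in log_text.splitlines()
                   for m in [DENIED_RE.search(line)] if m)


if __name__ == "__main__":
    counts = count_suspicious(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:>7} {ip}")
    print("ripe.net ANY amplification: %.1fx" % amplification_factor(3192, "ripe.net"))
    print("denied after change:", dict(count_denied(DENIED_LOG)))
```

Run against the real query log (`python3 triage.py < /var/log/named/queries.log` after swapping SAMPLE_LOG for stdin) to reproduce the count table; the amplification figure is what makes a handful of spoofed 37-byte queries per second into the outbound spikes seen on the bandwidth graphs.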

198.144.121.89 is:

<pre>
nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255
ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255
</pre>

174.127.93.135 is:

<pre>
RTechHandle: MMC281-ARIN
RTechName:   McBride, Matt
RTechPhone:  +1-435-755-3433
RTechEmail:  mmcbride@westhost.com
RTechRef:    http://whois.arin.net/rest/poc/MMC281-ARIN
</pre>

91.235.143.158 is ... RIPE .. hmm

I can't figure out how to block on the stupid [[Speedtouch 780 WL]], so iptables will have to do for now:

  # -I INPUT 1 puts each rule at the top of the chain; rules added this way
  # are lost on reboot unless saved (iptables-save) or put in a startup script.
  /sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP
  /sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP
  /sbin/iptables -I INPUT 1 -s 91.235.143.158 -j DROP