DNS amplification attack

From Federal Burro of Information
Revision as of 03:10, 3 October 2012 by David (talk | contribs)

David 22:57, 2 October 2012 (EDT)

symptoms, diagnostics

  • Crappy internet performance even after having upgraded from 0.5 megs to a whopping 2.5 megs.
  • Bandwidth graphs that have relatively big spikes in them, outbound.
  • Ran iptraf while the problem was happening to see what I could see: DNS traffic makes up the bulk of it!!

logs

  • turn on DNS server query logging:
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.887 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.914 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)

The ripe.net ANY response is big: 3192 bytes (quadratic.net's is 349 bytes).

ok so I didn't secure my name server. Fail.

config change

added to my config:

acl our-nets {
    192.168.1.0/24;
    192.168.2.0/24;
    127.0.0.1;
};
acl bad-guys {
    198.144.121.89;
    174.127.93.135;
    91.235.143.158;
};

options {
    // ... existing options stay as they were; these lines go inside the options block ...
    allow-query { our-nets; };
    allow-recursion { our-nets; };
    allow-recursion-on { 127.0.0.1; 192.168.1.64; };
    recursive-clients 25; // rate limiting exercise.

    blackhole { bad-guys; };
};

and added to my zone configs:

allow-query { any; };

What do you know ... the requests are now being denied. Time to report on the problem IPs and blackhole them.

   8037 198.144.121.89
   4480 174.127.93.135
    147 91.235.143.158
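The per-client counts above come straight from the query log. As an added example (not part of the original page or of BIND), here is a small Python script that does the same triage offline: it parses lines in the query-log format shown above, produces the per-client counts, flags clients that sent ANY queries from source port 53 (the reflection pattern in the log), estimates the outbound bytes they caused from the 3192-byte ripe.net response, and computes the amplification factor, i.e. response bytes per byte of query. The sample log lines are constructed in the page's format; the timestamps and the local A query are made up.

```python
import re
from collections import Counter

# Constructed sample in the BIND query-log format shown above. The two
# external client IPs, the port-53 source and the ripe.net ANY query are
# the ones the page reports; the timestamps and the local A query are made up.
SAMPLE_LOG = """\
02-Oct-2012 21:14:45.794 queries: info: client 174.127.93.135#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.798 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.802 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
02-Oct-2012 21:14:45.850 queries: info: client 192.168.1.23#51234 (www.example.com): query: www.example.com IN A + (192.168.1.64)
02-Oct-2012 21:14:45.885 queries: info: client 198.144.121.89#53 (ripe.net): query: ripe.net IN ANY +ED (192.168.1.64)
"""

# One BIND 9 "queries" channel line: client IP#port (name): query: qname IN qtype flags
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+) \(\S+\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield one dict per parseable query line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def query_counts(text):
    """Queries per client IP: the same numbers as `sort | uniq -c` on the client field."""
    return Counter(q["ip"] for q in parse_query_log(text))


def dns_query_payload_bytes(qname, edns=True):
    """DNS payload size of a single-question query: 12-byte header, the
    length-prefixed labels plus the root byte, QTYPE/QCLASS, and an 11-byte
    EDNS0 OPT record when the query carried +E (as the logged ones did)."""
    labels = [l for l in qname.strip(".").split(".") if l]
    name_len = sum(1 + len(l) for l in labels) + 1
    return 12 + name_len + 4 + (11 if edns else 0)


def amplification_factor(response_bytes, qname, edns=True):
    """How many bytes the resolver sends out per byte of query it received."""
    return response_bytes / dns_query_payload_bytes(qname, edns)


def reflection_candidates(text, response_bytes):
    """Clients that sent ANY queries (the reflection pattern seen above), with
    the outbound traffic they caused estimated from a known response size,
    biggest offender first."""
    stats = {}
    for q in parse_query_log(text):
        if q["qtype"] != "ANY":
            continue
        s = stats.setdefault(q["ip"], {"client": q["ip"], "queries": 0,
                                       "qnames": set(), "from_port_53": True})
        s["queries"] += 1
        s["qnames"].add(q["qname"])
        s["from_port_53"] &= (q["port"] == "53")
    for s in stats.values():
        s["est_response_bytes"] = s["queries"] * response_bytes
    return sorted(stats.values(), key=lambda s: s["queries"], reverse=True)


if __name__ == "__main__":
    # Same layout as the `uniq -c` style report above.
    for ip, n in query_counts(SAMPLE_LOG).most_common():
        print(f"{n:8d} {ip}")
    print("amplification factor for ripe.net ANY: %.1fx"
          % amplification_factor(3192, "ripe.net"))
    for c in reflection_candidates(SAMPLE_LOG, response_bytes=3192):
        print(c)
```

Run it against a real query log by replacing SAMPLE_LOG with the file contents. The 37-byte query size is the DNS payload only; UDP and IP headers add the same 28 bytes to both directions, so the factor on the wire is a little lower, but with a 3192-byte answer the resolver is still sending out tens of bytes for every byte it receives, which is why the outbound spikes on the bandwidth graph were so large.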

198.144.121.89 is:

nLayer Communications, Inc. NLYR-ARIN-BLK6 (NET-198-144-96-0-1) 198.144.96.0 - 198.144.127.255
ESecurity NLYR-198-144-120-0-1 (NET-198-144-120-0-1) 198.144.120.0 - 198.144.121.255

174.127.93.135 is:

RTechHandle: MMC281-ARIN
RTechName:   McBride, Matt
RTechPhone:  +1-435-755-3433
RTechEmail:  mmcbride@westhost.com
RTechRef:    http://whois.arin.net/rest/poc/MMC281-ARIN

91.235.143.158 is ... ripe .. hmm

I can't figure out how to block on the stupid Speedtouch 780WL, so iptables will have to do for now:

/sbin/iptables -I INPUT 1 -s 198.144.121.89 -j DROP
/sbin/iptables -I INPUT 1 -s 174.127.93.135 -j DROP