[ale] {Disarmed} Fwd: Under Attack, my dns servers

Chuck Payne terrorpup at gmail.com
Mon Oct 6 15:47:52 EDT 2014 

See below

On Mon, Oct 6, 2014 at 3:34 PM, Michael H. Warfield <mhw at wittsend.com>
wrote:

> On Mon, 2014-10-06 at 12:03 -0400, Chuck Payne wrote:
>
>
> > Guys,
> >
> >
> > I am under attack where my dns server is being used to do a ddos
> > attack. I believe it's a bot net, because the ip are too random. I
> > don't think the domain I am seeing in my bind log is real
>
> > fkfkfkfz.guru
>
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query:
> > fkfkfkfz.guru IN ANY +E (50.192.59.225)
> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)
> > 'fkfkfkfz.guru/ANY/IN' denied
>
> Ok...  It looks like the request was denied.  What's the problem?
>
> It looks like someone was attempting to use your server in a DNS
> reflection attack.  That's a resource amplification attack where they
> send you a small request "IN ANY for fkfkfkfz.guru" for which a huge
> response will be delivered and cached by your name server and returned
> back to the (spoofed) client.  The fact that it's a recursive "query"
> and not a response is a dead give away that YOU are not under attack but
> these fools are trying to use you as a tool to attack others.  The query
> packets may be frequent but they are very small.
>
>
I was until I turn off queries, you try to look up

www.magidesign.com

You can't get an answer, because the DNS server that is suppose to give the
answer is turned off. That my main problem, I need to have my primary
server on so that it can answer the world.




> > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED
> > response to MailScanner warning: numerical links are often malicious:
> > 92.222.9.0/24
>
> >
> > I have turn on recursion, but now people can't find my domains any
> > more.
>
> This is exactly what you do NOT want to do.  That opens up a window
> where they can exploit your name server to attack others!
>

So how to I get it where people find me, without paying netsol or go daddy.


>
> > I have also try to limit the rate as well
>
> Which will have no impact on the rate of the incoming packets.  The
> refusal to recurse is sufficient and turning on recursion will open you
> up to more traffic as scanners (and these could have been scanners)
> detect that you can recurse for them and they can exploit you.
>
> 1) Do NOT use the same name server for your recursive caching name
> servers as your authoritative name servers!  Yes, you can, but it's a
> very bad practice for this very reason.
>
> 2) Do NOT allow recursion on your authoritative name servers!  They
> serve up your zones to others, they don't need to look up other zones
> for others.
>
> 3) Do NOT allow external access to your recursive name servers!  Your
> recursive name servers are there to server your internal systems (and
> should be behind your firewall) and NOT to serve requests for external
> systems.
>
> >   rate-limit {
> >                 responses-per-second 25;
> >                 window 5;
> >         };
>
> Useless.  Has no effect on the rate the packets are received at and you
> (were) rejecting the queries.  You really can do no better unless you
> have BGP flood mitigation facilities in places and I don't think you're
> operating on that level.
> >
> >
> > I am running Debian and openSUSE.
> >
> >
> > Anything I can do to stop them and make where people can find my
> > domains? I don't want to have to pay for something I can do and have
> > control over.
>
> Yeah, separate your recursive caching name services from your
> non-recursive authoritative services.
>
> You can do this internally behind a NAT device on a single IP by using
> keeping your recursive cachers on a private address behind your NAT
> (they'll NAT over to the external name servers) and only allowing your
> authoritative name server on your public NAT.  Or, better, use a free
> service like Hurricane Electric for your authoritative name servers (if
> you're on a single IP and that's your only nameserver - you're a fool -
> best practices dictate a minimum of 3 on diverse networks).  I have no
> less than 8 authoritative name servers for WittsEnd.com (that are
> publicly available) 5 of which are the (free) ns?.he.net name servers
> which slave off of ns1.wittsend.com and ns2.wittsend.com (neither of
> which are the "masters" and the true masters are NOT reachable from the
> Internet).
>
> I've written a number of articles and done presentations on this subject
> over the years.  You might want to review the following...
>
> http://www.wittsend.com/mhw/2011/RobustDNS.odt
> http://www.wittsend.com/mhw/2011/RobustDNS.odp



I will take a look. Thanks.


>
>
> > --
> > Terror PUP a.k.a
> > Chuck "PUP" Payne
> >
> > 678 636 9678
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of
> all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
Terror PUP a.k.a
Chuck "PUP" Payne

678 636 9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- Terrorpup
openSUSE Ambassador/openSUSE Member
skype,twiiter,identica,friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363

Have you tried SUSE Studio? Need to create a Live CD,  an app you want to
package and distribute , or create your own linux distro. Give SUSE Studio
a try.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20141006/001bbf15/attachment.html>

More information about the Ale mailing list