[ale] Fwd: Under Attack, my dns servers

Horkan Smith ale at horkan.net
Mon Oct 6 15:59:07 EDT 2014


I've also seen a setup where both internal and external DNS servers are running on the same machine, but I'd have to dig out the config options they used.

later!
   horkan

On Mon, Oct 06, 2014 at 03:57:19PM -0400, Horkan Smith wrote:
> Yup, that's a fair critique - it hasn't been an issue yet, but I really should switch my setup around.
> 
> I have a virtual machine running bind9 and postfix for a brain-damaged internal printer - I should swap DHCP to point there and see what happens.
> 
> later!
>    horkan
> 
> On Mon, Oct 06, 2014 at 03:47:05PM -0400, Michael H. Warfield wrote:
> > On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:
> > > Can you share the lines where you control access (including recursion)?  In my case, they look like:
> > > 
> > > named.conf.options:
> > >         allow-transfer { home-nets; domain-backups; };
> > >         allow-recursion { home-nets; domain-backups; };
> > >         allow-query { home-nets; domain-backups; };
> > 
> > It's worth noting that these do not prevent attackers from exploiting
> > your own name servers to attack you internally.  They just spoof the
> > requests from your internal (even private) addresses to request huge
> > blocks of response data which will then be cached in your servers and
> > reflected back to hammer you.  It's much better if you can block access
> > from the external net (either external interface or at your router) to
> > your recursive cacher, which then blocks incoming spoofed packets from
> > your internal addresses.  Most firewalls can discriminate between
> > recursive requests and terminal requests, so you'll still end up needing
> > a non-recursive DNS server for your authoritative zones.
> > 
> > Regards,
> > Mike
> > 
> > > Where home-nets and domain-backups are defined as acls.
> > > 
> > > later!
> > >    horkan
> > > 
> > > 
> > > On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:
> > > > Guys,
> > > > 
> > > > I am under attack where my DNS server is being used to do a DDoS attack. I
> > > > believe it's a botnet, because the IPs are too random. I don't think the
> > > > domain I am seeing in my bind log is real:
> > > > 
> > > > fkfkfkfz.guru
> > > > 
> > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN
> > > > ANY +E (50.192.59.225)
> > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)
> > > > 'fkfkfkfz.guru/ANY/IN' denied
> > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response
> > > > to 92.222.9.0/24
> > > > 
> > > > I have turned on recursion, but now people can't find my domains any more.
> > > > I have also tried to limit the rate as well:
> > > > 
> > > >   rate-limit {
> > > >           responses-per-second 25;
> > > >           window 5;
> > > >   };
> > > > 
> > > > 
> > > > I am running Debian and openSUSE.
> > > > 
> > > > Anything I can do to stop them and make it so people can find my domains? I
> > > > don't want to have to pay for something I can do and have control over.
> > > > 
> > > > -- 
> > > > Terror PUP a.k.a
> > > > Chuck "PUP" Payne
> > > > 
> > > > 678 636 9678
> > > > -----------------------------------------
> > > > Discover it! Enjoy it! Share it! openSUSE Linux.
> > > > -----------------------------------------
> > > > openSUSE -- Terrorpup
> > > > openSUSE Ambassador/openSUSE Member
> > > > skype, twitter, identica, friendfeed -- terrorpup
> > > > freenode(irc) --terrorpup/lupinstein
> > > > Register Linux Userid: 155363
> > > > 
> > > > Have you tried SUSE Studio? Need to create a Live CD,  an app you want to
> > > > package and distribute , or create your own linux distro. Give SUSE Studio
> > > > a try.
> > > > 
> > > 
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > http://mail.ale.org/mailman/listinfo/ale
> > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > http://mail.ale.org/mailman/listinfo
> > > 
> > > 
> > 
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > 
> 
> 
> 
> 
> 
> -- 
> Horkan Smith
> 678-777-3263 cell, ale at horkan.net

-- 
Horkan Smith
678-777-3263 cell, ale at horkan.net
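A defender-side check for the pattern in Chuck's log excerpt and Mike's reflection point, added here as an example and not code from anyone in the thread: it parses the two BIND query-log line shapes quoted above, counts ANY queries per source /24 and flags nets that exceed a threshold. The sample log is constructed from the posted lines; the extra timestamps, ports and the 10.0.0.5 client are made up, and the threshold of 3 is an arbitrary assumption for the demo.

```python
import re
from collections import Counter, defaultdict

# Patterns for the two BIND log line shapes quoted in the thread (written for this example).
QUERY_RE = re.compile(
    r"^(?P<date>\S+ \S+) client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S*)"
)
DENIED_RE = re.compile(
    r"^(?P<date>\S+ \S+) client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<type>[^/]+)/(?P<class>[^']+)' denied"
)

def parse_line(line):
    """Return a dict for a 'query:' or 'denied' line, None for anything else (e.g. 'drop REFUSED')."""
    m = QUERY_RE.match(line)
    if m:
        return dict(m.groupdict(), event="query")
    m = DENIED_RE.match(line)
    if m:
        return dict(m.groupdict(), event="denied")
    return None

def slash24(ip):
    """Collapse a dotted-quad source to its /24, since spoofed floods come from a whole block."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def find_amplification_sources(lines, threshold=3):
    """Count ANY queries per source /24; return nets at or above threshold with the names asked for.
    Many ANY queries for one name from one block matches the reflection pattern Mike describes:
    (possibly spoofed) sources asking for the largest answer the server will give."""
    any_by_net = Counter()
    names_by_net = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "query" or rec["type"] != "ANY":
            continue
        net = slash24(rec["ip"])
        any_by_net[net] += 1
        names_by_net[net].add(rec["name"])
    return {net: {"any_queries": n, "names": sorted(names_by_net[net])}
            for net, n in any_by_net.items() if n >= threshold}

# Constructed sample modelled on the thread's log lines (extra timestamps/ports/clients are made up).
SAMPLE_LOG = """\
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
06-Oct-2014 11:23:28.201 client 92.222.9.180#49644: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:28.310 client 92.222.9.181#49645: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
06-Oct-2014 11:23:29.000 client 10.0.0.5#53011: query: www.example.com IN A + (50.192.59.225)
""".splitlines()
```

Running `find_amplification_sources(SAMPLE_LOG)` flags only 92.222.9.0/24; the single A query from the internal client is ignored.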

