[ale] Re: Fwd: Under Attack, my dns servers

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 6 16:21:44 EDT 2014


On Mon, 2014-10-06 at 15:47 -0400, Chuck Payne wrote:
> See below 
> 
> On Mon, Oct 6, 2014 at 3:34 PM, Michael H. Warfield <mhw at wittsend.com>
> wrote:
>         On Mon, 2014-10-06 at 12:03 -0400, Chuck Payne wrote:
>         
>         > Guys,
>         >
>         > I am under attack where my dns server is being used to do a ddos
>         > attack. I believe it's a bot net, because the IPs are too random. I
>         > don't think the domain I am seeing in my bind log is real
>         
>         > fkfkfkfz.guru
>         
>         > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query:
>         > fkfkfkfz.guru IN ANY +E (50.192.59.225)
>         > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache)
>         > 'fkfkfkfz.guru/ANY/IN' denied
>         
>         Ok...  It looks like the request was denied.  What's the problem?
>         
>         It looks like someone was attempting to use your server in a DNS
>         reflection attack.  That's a resource amplification attack where they
>         send you a small request "IN ANY for fkfkfkfz.guru" for which a huge
>         response will be delivered and cached by your name server and returned
>         back to the (spoofed) client.  The fact that it's a recursive "query"
>         and not a response is a dead giveaway that YOU are not under attack but
>         these fools are trying to use you as a tool to attack others.  The query
>         packets may be frequent but they are very small.
>         
> 
> 
> I was until I turned off queries. You try to look up
> www.magidesign.com
> You can't get an answer, because the DNS server that is supposed to
> give the answer is turned off. That's my main problem, I need to have my
> primary server on so that it can answer the world.

You're using a hammer to drive a screw.  Recursion and queries are not
the same thing, and blocking queries does nothing to prevent the incoming
traffic, which you were denying anyways.

>  
>         > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED
>         > response to 92.222.9.0/24
>         
>         >
>         > I have turned on recursion, but now people can't find my domains any
>         > more.
>         
>         This is exactly what you do NOT want to do.  That opens up a window
>         where they can exploit your name server to attack others!

> So how do I get it where people find me, without paying Netsol or
> GoDaddy?

Ok...  That question makes no sense to me.  I don't pay anyone for my
DNS services.  I have my own authoritative servers (masters and slaves)
and I use Hurricane Electric's 5 public servers as slaves which then
gives me 8 along with my 2 non-public masters feeding my 3 public slaves
from which HE slaves from two of them.  You have to have an account with
them (the free IPv6 tunnel broker service is sufficient) but it doesn't
cost anything unless you exceed 10,000 RRs (Resource Records) in a
single (slave) zone and you can have up to 50 (forward + reverse +
slave) zones on an account.

On your authoritative name servers you have to have queries enabled and
should have recursion disabled.  Best you can do is ignore the stupid
queries that you are refusing to recurse for and ignore the noise in the
logs.

This is one of the reasons why you need to separate functionality.  It
gets confusing when you combine those functions.  It becomes much easier
to have recursive name servers blocked behind firewalls and
authoritative name servers only serving up their zones and refusing to
do any recursion whatsoever.
 
Regards,
Mike

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
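An added example, not from Mike's or Chuck's messages, of the split Mike describes: a BIND 9 configuration for an authoritative-only server that keeps queries enabled and recursion disabled, shown next to the two settings that caused the poster's problems, followed by the matching configuration for a recursive resolver kept on a separate host behind the firewall. Only the zone name magidesign.com and the logged /24 come from the thread; the network ranges, file paths and the secondary's address are placeholders from the documentation ranges.

```conf
// ---- Authoritative host: named.conf (assumed Debian-style paths) ----
// Added example, not the poster's configuration. 203.0.113.10 and
// 192.0.2.0/24 are placeholders, not real hosts.

acl "slaves" { 203.0.113.10; };          // placeholder: your secondaries / HE's servers

options {
    directory "/var/cache/bind";         // placeholder path

    // WRONG #1: allow-query { none; };  -- nobody can resolve your zones.
    // WRONG #2: recursion yes;          -- each spoofed "IN ANY" now gets a
    //           full cached answer sent to the victim: an open amplifier.

    // RIGHT for an authoritative server: answer anyone, recurse for no one.
    recursion          no;
    allow-query        { any; };
    allow-recursion    { none; };
    allow-query-cache  { none; };       // the "query (cache) ... denied" lines
                                        // in the thread are this refusal working

    // Response rate limiting (BIND 9.9.4+). The "drop REFUSED response to
    // 92.222.9.0/24" line in the thread is the form RRL logs, aggregated per /24.
    rate-limit {
        responses-per-second 10;
        errors-per-second    5;
        window               5;
    };

    // Optional, BIND 9.11+: answer ANY with a single RRset rather than every
    // record at the name, which removes most of the amplification ANY offers.
    minimal-any yes;
};

zone "magidesign.com" {
    type master;
    file "/etc/bind/zones/db.magidesign.com";   // placeholder path
    allow-transfer { slaves; };
    also-notify    { 203.0.113.10; };
};

// ---- Recursive resolver: a SEPARATE host behind the firewall, its own
// ---- named.conf. Never merge these options into the authoritative file.
acl "internal" { 127.0.0.0/8; 192.0.2.0/24; };   // placeholder LAN range

options {
    directory "/var/cache/bind";
    recursion          yes;
    allow-query        { internal; };   // never "any" on a recursive server
    allow-recursion    { internal; };
    allow-query-cache  { internal; };
};
```

Run `named-checkconf` on each file before reloading. With this split the authoritative server's log will still show the refused ANY attempts from the spoofed sources; that is the noise Mike says to ignore, and the small REFUSED replies it sends carry no amplification worth a reflector's time.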
