[ale] Fwd: Under Attack, my dns servers

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 6 17:13:07 EDT 2014


On Mon, 2014-10-06 at 15:59 -0400, Horkan Smith wrote:
> I've also seen a setup where both internal and external DNS servers
> are running on the same machine, but I'd have to dig out the config
> options they used.

Once you are under attack, I have seen no convincing evidence of
successful mitigation that falls short of simply separating the
authoritative services from the recursive services on different (maybe
just virtual) machines.  I've helped some fortune 500 companies and a
few petro/chemical companies mitigate such attacks over the last several
years prior to my retirement.

The complexity of the combined configuration along with the chances of
errors and inadvertent spoofing attacks (the big one) make it really
impractical, once someone has you in their sights and they really want
to make your life miserable.

If you allow your public, authoritative nameserver to act as a recursor
for your internal addresses and some attacker realizes this, he can
spoof packets into your nameserver from your internal addresses to his
heart's delight and hammer the bejesus out of your network and machines
turning your own resources against you.  I had to deal with several
cases like this.

I had one major (unnamed) international client who was being pummeled by
this (their recursive caching name servers were on a publicly accessible
colo site with recursion "restricted" to their internal addresses -
wrong answer).  The attackers were spoofing packets at that name server
spoofed from their internal addresses and crushing their corporate
network pipe bandwidth.  We sent them my papers and (AFAIK) they
rearchitected their infrastructure to plug those holes.  Problem solved.
I say "AFAIK" only because they didn't explicitly say that was
specifically what they did (they were very cagey about their internal
network infrastructure - I'm surprised we got as much out of them as we
did) but they did thank me and my manager and several people above us
profusely and said they were able to solve the problem thanks to what we
gave them.

> later!
>    horkan
> 
> On Mon, Oct 06, 2014 at 03:57:19PM -0400, Horkan Smith wrote:
> > Yup, that's a fair critique - it hasn't been an issue yet, but I really should switch my setup around.
> > 
> > I have a virtual machine running bind9 and postfix for a brain-damaged internal printer - I should swap DHCP to point there and see what happens.
> > 
> > later!
> >    horkan
> > 
> > On Mon, Oct 06, 2014 at 03:47:05PM -0400, Michael H. Warfield wrote:
> > > On Mon, 2014-10-06 at 15:13 -0400, Horkan Smith wrote:
> > > > Can you share the lines where you control access (including recursion)?  In my case, they look like:
> > > > 
> > > > named.conf.options:
> > > >         allow-transfer { home-nets; domain-backups; };
> > > >         allow-recursion { home-nets; domain-backups; };
> > > >         allow-query { home-nets; domain-backups; };
> > > 
> > > It's worth noting that these do not prevent attackers from exploiting
> > > your own name servers to attack you internally.  They just spoof the
> > > requests from your internal (even private) addresses to request huge
> > > blocks of response data which will then be cached in your servers and
> > > reflected back to hammer you.  It's much better if you can block access
> > > from the external net (either external interface or at your router) to
> > > your recursive cacher, which then blocks incoming spoofed packets from
> > > your internal addresses.  Most firewalls can discriminate between
> > > recursive requests and terminal requests, so you'll still end up needing
> > > a non-recursive DNS server for your authoritative zones.
> > > 
> > > Regards,
> > > Mike
> > > 
> > > > Where home-nets and domain-backups are defined as acls.
> > > > 
> > > > later!
> > > >    horkan
> > > > 
> > > > 
> > > > On Mon, Oct 06, 2014 at 12:03:39PM -0400, Chuck Payne wrote:
> > > > > Guys,
> > > > > 
> > > > > I am under attack where my dns server is being used to do a ddos attack. I
> > > > > believe it's a bot net, because the ip are too random. I don't think the
> > > > > domain I am seeing in my bind log is real
> > > > > 
> > > > > fkfkfkfz.guru
> > > > > 
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query (cache) 'fkfkfkfz.guru/ANY/IN' denied
> > > > > 06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24
> > > > > 
> > > > > I have turned on recursion, but now people can't find my domains any more.
> > > > > I have also tried to limit the rate as well
> > > > > 
> > > > >   rate-limit {
> > > > >                 responses-per-second 25;
> > > > >                 window 5;
> > > > >         };
> > > > > 
> > > > > 
> > > > > I am running Debian and openSUSE.
> > > > > 
> > > > > Anything I can do to stop them and make it so people can find my domains? I
> > > > > don't want to have to pay for something I can do and have control over.
> > > > > 
> > > > > -- 
> > > > > Terror PUP a.k.a
> > > > > Chuck "PUP" Payne
> > > > > 
> > > > > 678 636 9678
> > > > > -----------------------------------------
> > > > > Discover it! Enjoy it! Share it! openSUSE Linux.
> > > > > -----------------------------------------
> > > > > openSUSE -- Terrorpup
> > > > > openSUSE Ambassador/openSUSE Member
> > > > > skype,twitter,identica,friendfeed -- terrorpup
> > > > > freenode(irc) --terrorpup/lupinstein
> > > > > Register Linux Userid: 155363
> > > > > 
> > > > > Have you tried SUSE Studio? Need to create a Live CD,  an app you want to
> > > > > package and distribute , or create your own linux distro. Give SUSE Studio
> > > > > a try.
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > http://mail.ale.org/mailman/listinfo/ale
> > > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > > http://mail.ale.org/mailman/listinfo
> > > > 
> > > > 
> > > 
> > > -- 
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> > >    NIC whois: MHW9          | An optimist believes we live in the best of all
> > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > > 
> > 
> > 
> > 
> > 
> > 
> > -- 
> > Horkan Smith
> > 678-777-3263 cell, ale at horkan.net
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
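The split that Mike argues for above, written out as an added example rather than any configuration taken from the thread: one host answers only authoritatively on the public address, a second host recurses only on an internal address. The addresses (203.0.113.10, 192.168.1.53, 198.51.100.5), the ACL ranges and the zone name example.com are placeholders; the rate-limit block is BIND's response rate limiting, the same feature Chuck's post uses.

```conf
// Added example, not from the thread: two named.conf fragments, one per host.
// Addresses, ACL ranges and the zone name are placeholders.

// ---- Host A: authoritative-only server on the public address ----
options {
    directory "/var/cache/bind";
    listen-on { 203.0.113.10; };        // public address only (placeholder)
    recursion no;                       // never recurse for anyone on the public face
    allow-recursion { none; };
    allow-query-cache { none; };        // no cache and no recursion: nothing to reflect
    allow-query { any; };               // authoritative answers must stay public
    allow-transfer { none; };           // opened per zone below
    minimal-responses yes;              // smaller answers, less amplification value
    rate-limit {                        // BIND RRL, as in Chuck's post
        responses-per-second 10;
        window 5;
        slip 2;                         // every 2nd limited answer is a TC=1 reply, so
                                        // real clients retry over TCP; spoofed ones cannot
    };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 198.51.100.5; };   // the secondary's address (placeholder)
};

// ---- Host B: recursive resolver on the internal address ----
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder ranges

options {
    directory "/var/cache/bind";
    listen-on { 192.168.1.53; };        // internal address only, never the public side
    recursion yes;
    allow-query { internal-nets; };
    allow-recursion { internal-nets; };
    allow-query-cache { internal-nets; };
    allow-transfer { none; };
};
```

The ACLs on Host B are the same kind Horkan posted and, on their own, they are not the defence: a query spoofed from an internal-nets address would pass them. What makes the split work is that Host B is not bound to any publicly reachable address at all, and the border router drops inbound packets whose source lies in internal-nets, so a spoofed "internal" query never reaches a recursor.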
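To see the two patterns the thread describes in a query log (a burst of ANY queries for one name, and queries whose source claims an internal address while arriving at the public address), here is an added detection script; it is not code from the thread or from BIND. It assumes the BIND 9 query-log line format shown in Chuck's post, where the trailing parenthesised address is the local address the query arrived on (also tolerating the `client @0x… addr#port (name):` form newer versions log), and runs over a constructed sample modelled on those lines: 50.192.59.225 is the server address from the post, the internal ranges and the 10.20.30.0/24 sources are placeholders.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# BIND 9 query-log line as seen in the thread. The trailing parenthesised address is
# assumed to be the local address the query arrived on; check your own version's logs.
#   06-Oct-2014 11:23:28.146 client 92.222.9.179#49643: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<local>[0-9a-fA-F.:]+)\)$"
)

# Placeholder internal ranges; in practice use the same ranges as your allow-recursion ACL.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for a query line, or None for other line kinds (denied, drop, ...)."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
        "src": ipaddress.ip_address(m.group("src")),
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
        "local": ipaddress.ip_address(m.group("local")),
    }


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of length `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=5, any_threshold=20):
    any_times = defaultdict(list)   # qname -> timestamps of ANY queries
    spoofed = []                    # internal source address seen on a public local address
    per_net = Counter()             # queries per source /24
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"].version == 4:
            per_net[str(ipaddress.ip_network(f"{rec['src']}/24", strict=False))] += 1
        if rec["qtype"] == "ANY":
            any_times[rec["qname"]].append(rec["ts"])
        if is_internal(rec["src"]) and not is_internal(rec["local"]):
            spoofed.append((str(rec["src"]), str(rec["local"]), rec["qname"]))
    window = timedelta(seconds=window_seconds)
    floods = {}
    for name, times in any_times.items():
        n = max_in_window(sorted(times), window)
        if n >= any_threshold:
            floods[name] = n
    return {"any_floods": floods, "spoofed_internal": spoofed, "top_sources": per_net.most_common(3)}


def _fmt(ts):
    return ts.strftime("%d-%b-%Y %H:%M:%S.") + f"{ts.microsecond // 1000:03d}"


def build_sample_log():
    """Constructed sample modelled on the thread's log lines; not captured traffic."""
    base = datetime(2014, 10, 6, 11, 23, 28)
    lines = []
    for i in range(25):   # ANY burst for one name from a single /24 inside two seconds
        ts = base + timedelta(milliseconds=80 * i)
        lines.append(f"{_fmt(ts)} client 92.222.9.{100 + i}#{40000 + i}: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)")
    for i in range(3):    # sources claiming an internal address but hitting the public address
        ts = base + timedelta(seconds=1, milliseconds=100 * i)
        lines.append(f"{_fmt(ts)} client 10.20.30.{40 + i}#{50000 + i}: query: fkfkfkfz.guru IN ANY +E (50.192.59.225)")
    lines.append(f"{_fmt(base + timedelta(seconds=3))} client 198.51.100.7#53211: query: www.example.com IN A -E (50.192.59.225)")
    lines.append(f"{_fmt(base + timedelta(seconds=4))} client 10.20.30.9#53212: query: printer.internal IN A -E (192.168.1.53)")
    lines.append(f"{_fmt(base + timedelta(seconds=4))} client 92.222.9.179#49643: drop REFUSED response to 92.222.9.0/24")
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for name, n in report["any_floods"].items():
        print(f"ANY flood: {name} ({n} queries within 5s)")
    for src, local, name in report["spoofed_internal"]:
        print(f"spoofed internal source {src} -> public address {local} ({name})")
    print("top source /24s:", report["top_sources"])
```

On the sample, the ANY burst for fkfkfkfz.guru is reported as 28 queries inside the 5-second window, the three queries with 10.20.30.x sources arriving at 50.192.59.225 are listed as spoofed, and the per-/24 count shows where the rest of the burst comes from. The spoof check only fires on a combined server like Chuck's, where internal sources can reach the public address; once the recursor listens only on an internal address, those packets never reach it in the first place.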
