Re: [nznog] Anyone else seeing massive amount of UDP/53 DNS queries since ~6pm last night ?
On Fri, 2010-11-05 at 09:04 +1300, Ian Batterbee wrote:
Looks like a new DDOS out there.. anyone else seeing it ?
I found a DNS nameserver being used to generate traffic recently. It was receiving DNS requests from IP addresses in the same /24 as itself, but the requests were coming from outside the network. Thinking the lookup requests were coming from local addresses, the nameserver was sending traffic to the authoritative nameservers for some domains. So I recommend that the router or firewall in front of any nameserver be set so that it does not accept source addresses belonging to the local network from outside of the network. It has been best practice to do so for a long time. Regards, RH.
On Nov 5, 2010, at 5:23 AM, Richard Haakma wrote:
> It was receiving DNS requests from IP addresses in the same /24 as itself, but the requests were coming from outside the network.
This is a DNS reflection/amplification attack, which is predicated upon a) DNS servers misconfigured as open recursive resolvers and b) lack of anti-spoofing on network edges where bots are present. The largest DDoS attacks we see are launched this way (49gb/sec is the largest attack I've personally seen/worked).
> So I recommend that the router or firewall in front of any nameserver be set so that it does not accept source addresses belonging to the local network from outside of the network.
Never, ever put a stateful firewall in front of any kind of server - there's no state to inspect, and it's a DDoS chokepoint due to trivial state-table exhaustion of even the largest firewalls by bots sending programmatically-generated 'legitimate' traffic in order to crowd out real user traffic. Instead, use stateless ACLs in hardware-based routers/layer-3 switches to enforce policy.
With regards to disabling open recursion, this is best accomplished a) by deploying a logically-separated, bulkheaded DNS architecture and b) properly configuring one's DNS servers.
See https://files.me.com/roland.dobbins/k54qkv for more BCP discussion.
-----------------------------------------------------------------------
Roland Dobbins
On Fri, 05 Nov 2010 11:30:26 Dobbins, Roland wrote:
> This is a DNS reflection/amplification attack, which is predicated upon a) DNS servers misconfigured as open recursive resolvers and b) lack of anti-spoofing on network edges where bots are present. The largest DDoS attacks we see are launched this way (49gb/sec is the largest attack I've personally seen/worked).
Believe the previous poster was saying the DNS server wasn't an open recursive resolver - would only respond to queries from local addresses.
> Never, ever put a stateful firewall in front of any kind of server - there's no state to inspect, and it's a DDoS chokepoint due to trivial state-table exhaustion of even the largest firewalls by bots sending programmatically-generated 'legitimate' traffic in order to crowd out real user traffic. Instead, use stateless ACLs in hardware-based routers/layer-3 switches to enforce policy.
Doesn't need statefulness. Packets coming in to your network from outside with the source specifying an internal IP (like 192.168.0.0/16, 10.0.0.0/8, etc) should be dropped. Even if you don't have services looking at the source address, can be used to bounce a DDoS off a publicly visible machine on to another one which is accessible only locally. If I read correctly, such a firewall would have stopped that particular DNS server from being used for amplification. Cheers, Tim
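Added illustration, not written by anyone on this thread: a per-packet ingress filter of the kind Richard, Tim and Roland are describing. It makes exactly one decision per packet with no connection state (so there is no state table to exhaust), and drops anything arriving on the outside interface whose source address claims to be the site's own prefix or an RFC 1918 range. The site prefix 203.0.113.0/24, the interface names and the sample packets are all constructed for the example; the spoofed-local query is the case that made Richard's nameserver answer as if the request were internal.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sources that must never appear on packets entering from the outside interface:
# the site's own public prefix (assumed value, a documentation range) plus the
# private ranges mentioned in the thread (RFC 1918).
LOCAL_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # assumed site prefix
DENIED_EXTERNAL_SOURCES = [
    LOCAL_PREFIX,
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str
    dport: int


def matched_denied_prefix(src: str) -> Optional[str]:
    """Return the denied prefix a source address falls into, or None."""
    addr = ipaddress.ip_address(src)
    for net in DENIED_EXTERNAL_SOURCES:
        if addr in net:
            return str(net)
    return None


def ingress_verdict(pkt: Packet) -> str:
    """Stateless ACL decision for one packet.

    Only packets entering from the outside are checked; the decision depends
    solely on the packet's own header fields, never on earlier packets.
    """
    if pkt.iface != "outside":
        return "permit"
    return "drop" if matched_denied_prefix(pkt.src) else "permit"


def apply_acl(packets: List[Packet]) -> Dict[str, List[Packet]]:
    """Partition packets into permitted and dropped sets."""
    result: Dict[str, List[Packet]] = {"permit": [], "drop": []}
    for pkt in packets:
        result[ingress_verdict(pkt)].append(pkt)
    return result


def spoofed_source_report(dropped: List[Packet]) -> Dict[str, int]:
    """Count dropped packets per denied prefix, useful for spotting a reflection
    attempt aimed at a particular server."""
    counts: Dict[str, int] = {}
    for pkt in dropped:
        key = matched_denied_prefix(pkt.src) or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: a nameserver at 203.0.113.53 and a web host at .80.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.9",  "203.0.113.53", "udp", 53),   # spoofed local source
    Packet("outside", "10.1.2.3",     "203.0.113.53", "udp", 53),   # spoofed private source
    Packet("outside", "198.51.100.7", "203.0.113.53", "udp", 53),   # genuine external client
    Packet("inside",  "203.0.113.20", "203.0.113.53", "udp", 53),   # real local client
    Packet("outside", "192.168.5.5",  "203.0.113.80", "tcp", 80),   # spoofed private source
]

if __name__ == "__main__":
    acl = apply_acl(SAMPLE_PACKETS)
    print("permitted:", len(acl["permit"]), "dropped:", len(acl["drop"]))
    print("dropped by prefix:", spoofed_source_report(acl["drop"]))
```

The same four-line deny list is what goes into a hardware ACL on the border router; the point of the Python version is to show that the decision needs nothing beyond the source address and the arrival interface, which is why a stateful device adds exposure without adding anything to the check.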
On Nov 5, 2010, at 7:31 AM, Timothy Goddard wrote:
> Packets coming in to your network from outside with the source specifying an internal IP (like 192.168.0.0/16, 10.0.0.0/8, etc) should be dropped.
Concur - that's BCP38/BCP84.
> If I read correctly, such a firewall would have stopped that particular DNS server from being used for amplification.
Firewalls are contraindicated; stateless ACLs are much better.
;>
-----------------------------------------------------------------------
Roland Dobbins